Tilmeld (the d is silent) is a user and group management system for Nymph. It provides strict access controls to protect entities from unauthorized access/modification. It allows for granting and revoking ad hoc abilities to users and groups, then checking for those abilities. It provides authentication services and features protection against XSRF attacks.


npm install --save @nymphjs/tilmeld


When you initialize Nymph, provide it with an instance of the Tilmeld class from this package. You now have access to the User and Group classes that are specific to that instance of Nymph/Tilmeld.

Here's an overview.

import SQLite3Driver from '@nymphjs/driver-sqlite3';
import { Tilmeld } from '@nymphjs/tilmeld';
import { Nymph } from '@nymphjs/nymph';

const tilmeld = new Tilmeld({
  appName: 'My App',
  appUrl: 'http://localhost',
  cookieDomain: 'localhost',
  cookiePath: '/',
  setupPath: '/user',
  verifyRedirect: 'http://localhost',
  verifyChangeRedirect: 'http://localhost',
  cancelChangeRedirect: 'http://localhost',
  jwtSecret: 'shhhhh',

const nymph = new Nymph(
  new SQLite3Driver({
    filename: ':memory:',

// These are the classes specific to this instance of Tilmeld.
const { User, Group } = tilmeld;


See the config declaration file.


There are a few abilities that Tilmeld uses internally:

  • system/admin - A user with this ability has all abilities.
  • tilmeld/admin - Allow the user to manage and edit other user's account and group information and grant/revoke abilities.
  • tilmeld/switch - Allow the user to switch to other users (log in as them without their password).
  • uid/get/[name] - Allow the user to read the named UID.
  • uid/new/[name] - Allow the user to read, create, and increment the named UID.
  • uid/set/[name] - Allow the user to read, create, increment, set, and delete the named UID.

The admin and switch abilities cannot be inherited from groups.