
ideal-auth

Session auth, password hashing, 2FA, token verification, and rate limiting. Bring your own schema. Works with any framework.

Framework agnostic

Works with Next.js, SvelteKit, Nuxt, TanStack Start, Express, Hono, and any framework that can get, set, and delete cookies.

Bring your own schema

No database adapters or ORM lock-in. You provide resolveUser and resolveUserByCredentials — use any database, any schema.

Encrypted sessions

Session payloads are encrypted with AES-256-GCM and authenticated with HMAC via iron-session. No plaintext tokens, no JWTs.

TOTP 2FA with recovery codes

RFC 6238 compliant one-time passwords with configurable digits, period, and window. Generate hashed recovery codes out of the box.

Security-first defaults

The httpOnly cookie flag is always forced on. bcrypt uses a SHA-256 prehash for long passwords. All comparisons are timing-safe. The secure cookie flag defaults to true in production.

Runs everywhere

Zero framework dependencies. Works in Node.js, Bun, and Deno with no configuration changes.

  • createAuth — Session authentication with encrypted cookies, login, logout, and user resolution
  • createHash — bcrypt password hashing with automatic SHA-256 prehash for passwords exceeding 72 bytes
  • createTokenVerifier — Signed, expiring tokens for password resets, email verification, and similar flows
  • createTOTP — RFC 6238 time-based one-time passwords for two-factor authentication
  • generateRecoveryCodes — Hashed backup codes for 2FA recovery
  • createRateLimiter — Sliding-window rate limiting with pluggable stores
  • Crypto utilities — encrypt/decrypt, signData/verifySignature, timingSafeEqual, generateToken