Early Access · Transitioning to Open Source

Authentication that lives
in your codebase.

An embedded TypeScript library for NestJS, Express & Fastify. Runs in your server, stores data in your database. Free to use.

Get StartedQuick StartLive Demo
Works with
NestJS Express Fastify Angular React
No per-user feesAuth is infrastructure — not a metered API service.
Your databaseAll user data stays in your PostgreSQL or MySQL.
Full TypeScript sourceRead, modify, and fork every line. No black boxes.
Embedded, not externalRuns inside your process. Zero external API calls.

Everything authentication needs

From simple email/password signup to adaptive multi-factor authentication — all in one library, all fully under your control.

Email & Password

  • Signup with email or phone number
  • Configurable password policies
  • Email & phone verification
  • Forgot password & change password
  • Account lockout & rate limiting
  • Username-based login support
View guide

Social Login

  • Google OAuth 2.0
  • Apple Sign In
  • Facebook Login
  • Web redirect flows
  • Native mobile token flows
  • Account linking
View guide

Multi-Factor Auth

  • TOTP (Google Authenticator, Authy)
  • SMS verification codes
  • Email OTP
  • WebAuthn / Passkeys (Face ID, YubiKey)
  • Adaptive MFA by login risk
  • Trusted device management
View guide

Up and running in three steps

Add complete auth to your existing Node.js app without restructuring your project.

1

Install for your backend

Pick your framework — the same auth engine powers all three.

  • Drop-in DynamicModule — AuthModule.forRoot()
  • @Public(), @CurrentUser(), @ClientInfo() decorators
  • AuthGuard and CsrfGuard ready to use
  • Interceptors handle cookie token delivery automatically
2

Configure and build routes

One TypeScript config drives every auth behavior. Wire up routes by calling service methods from your own controllers.

  • Signup, login, email verification, password reset
  • MFA enforcement, session policies, token delivery
  • Social OAuth redirect and callback handling
  • No magic endpoints — you own the entire API surface
  • Lifecycle hooks to extend any flow without forking
3

Connect your frontend

Use a ready-made SDK or call the REST API directly from any framework.

  • NAuthModule integrates with Angular DI
  • AuthService, AuthGuard, and HTTP interceptor included
  • Automatic silent token refresh in the background
  • Lazy-loadable — ships only what your app uses

Enterprise features

Security-first architecture with all the infrastructure you need to ship authentication.

Platform-Agnostic Core

Pure TypeScript with zero framework dependencies. The same core powers NestJS, Express, and Fastify.

Challenge-Based Architecture

A unified challenge/response loop handles email verification, MFA, and password changes — one endpoint, all flows.

Production Security

Argon2id hashing, JWT with RS256/HS256, CSRF protection, refresh token rotation with reuse detection.

Adaptive MFA

Risk-based MFA enforcement triggered by login context — new device, location change, or anomalous patterns.

Audit Trail

Comprehensive structured logging for logins, MFA events, password changes, and security incidents.

Rate Limiting & Lockouts

Per-IP and per-user request limits with configurable account lockout policies and automatic unlocking.

IP Geolocation

Track login locations with MaxMind GeoIP2. Surface location data in security events and trusted device flows.

Flexible Storage

In-memory for dev, database-backed for low-traffic, or Redis with cluster support for production scale.

Lifecycle Hooks

Extensible hooks at signup, login, MFA triggers, and sign-in blocks. Customize any flow without forking.

One config. Everything else bootstraps.

Define your auth policy in a single TypeScript object. nauth-toolkit reads it at startup and wires up every service, middleware, and flow automatically.

auth.config.ts
export const authConfig: NAuthConfig = {
  signup: {
    requireEmailVerification: true,
    allowedIdentifiers: ['email', 'username'],
  },

  mfa: {
    enabled: true,
    enforcement: 'OPTIONAL',
    allowedMethods: [
      MFAMethod.TOTP,
      MFAMethod.EMAIL,
      MFAMethod.SMS,
      MFAMethod.PASSKEY,
    ],
    rememberDeviceDays: 30,
  },

  social: {
    google:   { clientId: '...', clientSecret: '...' },
    apple:    { clientId: '...', teamId: '...' },
    facebook: { appId: '...',    appSecret: '...' },
  },

  session: {
    maxActiveSessions: 5,
    revokeOnPasswordChange: true,
  },

  rateLimit: {
    login:  { maxAttempts: 5,  windowMs: 900_000 },
    signup: { maxAttempts: 10, windowMs: 3_600_000 },
  },

  tokenDelivery: { mode: 'cookie' },
};

From this config, nauth-toolkit bootstraps:

  • Signup, login, email & phone verification
  • Forgot password & change password flows
  • TOTP, SMS, Email OTP & Passkey MFA
  • Google, Apple & Facebook OAuth
  • Session management & revocation
  • Per-IP & per-user rate limiting
  • Refresh token rotation & reuse detection
  • HttpOnly cookie delivery with CSRF guard
  • Audit log for every security event
Your routes stay thin — call authService.signup(dto), get a result. You configure what routes to expose and add custom logic as needed.

Why use nauth

Authentication is infrastructure — it deserves the same control and visibility as your database or API layer.

What you gain

  • Complete control over code and data
  • No vendor lock-in or usage-based pricing
  • Customize every flow without limitations
  • All user data stays in your own database
  • No additional monthly costs as you scale

When to choose nauth

  • Need full control over auth logic and data flows
  • Want predictable infrastructure costs
  • Require deep customization of signup or login flows
  • Building on Node.js — NestJS, Express, or Fastify
  • Prefer owning and auditing your security code directly

Trade-offs to consider

  • You manage infrastructure and security audits
  • No managed compliance certifications (HIPAA, SOC 2)
  • Limited to the Node.js ecosystem

If managed compliance or a non-Node.js stack is required, a SaaS auth provider may be a better fit.

Start building today

Add complete authentication to your Node.js application — social login, adaptive MFA, passkeys, and full audit trails. No third-party services, no per-user fees, no vendor lock-in.

Read the DocsQuick StartLive Demo
Sample apps & community