Aura Auth

Overview

Aura Auth is a modern, type-safe authentication library for TypeScript, built for security, extensibility, and developer experience.

What is Aura Auth

Aura Auth is an open-source authentication and authorization library for modern TypeScript applications.
Inspired by Auth.js, it delivers a type-safe, framework-agnostic, and modular API to implement secure authentication flows with first-class support for OAuth 2.0.

Aura Auth focuses on three core pillars:

  • Security — strong, opinionated defaults
  • Developer Experience — simple ergonomics, complete TypeScript support
  • Modularity — use only the features you need

This project is under active development. Aura Auth is framework-agnostic and targets native TypeScript runtimes. If you'd like to contribute framework adapters (Express, Hono, Next.js, etc.), contributions and PRs are always welcome.

Why does Aura Auth exist?

Aura Auth exists thanks to Auth.js, which has been one of the most important and useful authentication libraries for JavaScript applications in recent years, providing a wide range of authentication methods for modern web apps, especially for OAuth 2.0 and OpenID Connect flows.

However, on September 26, 2025, it was announced that the core maintainer team would be stepping away from Auth.js, which has now become a side project of Better Auth (an authentication framework for TypeScript). Consequently, a previous Developer Experience contributor to Auth.js made the decision to create a new alternative authentication library for TypeScript applications, inspired by Auth.js.

Aura Auth is the spiritual successor to Auth.js — designed for the next generation of TypeScript applications.

Features

OAuth 2.0

Utilities for common OAuth 2.0 flows (authorization URL, access token, userinfo) with examples for popular providers.

Type-first API

Written entirely in TypeScript with strong types, full IntelliSense, and predictable ergonomics.

Composable

Built from small, focused packages — use only what you need (auth handlers, JOSE helpers, cookie utilities).

Secure by default

Strong defaults for PKCE, state validation, secure cookies, token verification, redirect validation, and CSRF protection.

OAuth providers

Additional providers such as GitHub, Bitbucket, Figma, Discord, X/Twitter, Spotify and more.

Secure by default (Philosophy)

Aura Auth is built on a simple philosophy:

Provide a framework-agnostic, secure, and ergonomic authentication system — powered by open web standards like OAuth 2.0 and OpenID Connect (coming soon).

Security is not optional. Aura Auth enforces best practices by default:

  • PKCE on all supported OAuth flows
  • Mandatory state parameters
  • Cookie security (HTTP-only, Secure, SameSite)
  • CSRF protection via JWS
  • Verified redirect URLs
  • Strong cryptographic guarantees

Aura Auth lets developers focus on building products — not re-implementing the same security layers again and again.
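
What three of these defaults amount to in an authorization-code flow (S256 PKCE, a mandatory state value compared in constant time, and same-origin redirect validation), shown as an added example that is not Aura Auth's code or API. Every function name, the endpoint, and the client id used with it are hypothetical.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical helper names for illustration; this is not Aura Auth's API.
const b64url = (buf: Buffer): string => buf.toString("base64url");

// PKCE S256 (RFC 7636): code_challenge = BASE64URL(SHA-256(code_verifier)).
function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Fresh per-request secrets; both stay server-side (e.g. in an HTTP-only cookie).
function newAuthRequest() {
  return { state: b64url(randomBytes(32)), verifier: b64url(randomBytes(32)) };
}

function authorizationUrl(
  endpoint: string, clientId: string, redirectUri: string,
  req: { state: string; verifier: string },
): string {
  const url = new URL(endpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri,
    state: req.state, code_challenge: pkceChallenge(req.verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Callback check: a missing or mismatched state rejects the response.
function stateMatches(stored: string, returned: string | null): boolean {
  if (returned === null) return false;
  const a = Buffer.from(stored), b = Buffer.from(returned);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Post-login redirect: only same-origin targets are honoured, otherwise "/".
function safeRedirect(target: string, appOrigin: string): string {
  try {
    const url = new URL(target, appOrigin);
    return url.origin === appOrigin ? url.pathname + url.search : "/";
  } catch {
    return "/";
  }
}
```

The verifier is sent only in the later token request, so an intercepted authorization code cannot be redeemed without it.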
