AuthPool is currently open source.
AUTHPOOL
v2.0.0 — Now on npm

Not all auth stacks are created equal; they compete.

Read the docs →

MIT Licensed · Node 18+

authpool
Google OAuth · JWT Rotation · bcrypt ×12 · CSRF Protection · Rate Limiting · Redis-Backed · RBAC · helmet.js · Refresh Tokens · Brute-Force Lock · MongoDB Sessions · TypeScript Types

How it works

From zero to
production auth
in three steps.

1. Install

One package. All dependencies bundled.

npm install authpool

2. Configure

Three env vars. Everything else has safe defaults.

MONGO_URI=mongodb://...
JWT_SECRET=your-secret
SESSION_SECRET=your-secret

3. Start

One function. All 14 security layers active.

const { startAuthServer } = require("authpool")

startAuthServer({
  mongoURI: process.env.MONGO_URI,
  jwtSecret: process.env.JWT_SECRET,
  sessionSecret: process.env.SESSION_SECRET,
})

Security

14 layers, all on by default.

Security is not a configuration option. Every layer activates the moment you call startAuthServer().

0
tests
0
function
0
config files
bcrypt (12 rounds): Password hashing
JWT HS256: Token signing
Refresh token rotation: Replay prevention
SHA-256 token hashing: DB breach protection
httpOnly cookies: XSS prevention
Double-submit CSRF: CSRF prevention
Brute-force lockout: 5 strikes, 15 min lock
Rate limiting: 3 separate limiters
helmet middleware: Secure HTTP headers
MongoDB session store: Persistent sessions
Mongoose strict: true: Schema injection guard
tokenVersion bump: Logout-all invalidation
Redis-backed counters: Multi-server sync
select: false password: Never leaked in queries
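
What two of the layers listed above, refresh token rotation and SHA-256 token hashing, involve in general, shown as an added example that is not AuthPool's own code. Revoking the whole token family on reuse, the one-week lifetime and every name used here are assumptions of this example; the page does not describe AuthPool's internals.

```javascript
// Added illustration, not AuthPool source. RefreshStore, issue, rotate and
// demo are hypothetical names; the Map stands in for a database collection.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const WEEK_MS = 7 * 24 * 3600 * 1000; // assumed refresh-token lifetime

class RefreshStore {
  constructor() { this.rows = new Map(); } // digest -> { userId, family, used, expiresAt }

  // Issue a random opaque token. Only its SHA-256 digest is stored, so a
  // dump of the store yields nothing that can be presented as a token.
  issue(userId, family = crypto.randomUUID(), now = Date.now()) {
    const token = crypto.randomBytes(32).toString("base64url");
    this.rows.set(sha256(token), { userId, family, used: false, expiresAt: now + WEEK_MS });
    return token;
  }

  // Exchange a refresh token for a fresh one. Each token works exactly once.
  rotate(token, now = Date.now()) {
    const row = this.rows.get(sha256(token));
    if (!row || row.expiresAt <= now) return { ok: false, reason: "invalid" };
    if (row.used) {
      // Replay: an already-rotated token came back, so a copy has leaked.
      // Revoke every token descended from the same login.
      for (const [digest, r] of this.rows) {
        if (r.family === row.family) this.rows.delete(digest);
      }
      return { ok: false, reason: "reuse-detected" };
    }
    row.used = true;
    return { ok: true, userId: row.userId, token: this.issue(row.userId, row.family, now) };
  }
}

// Constructed scenario: normal rotation, then a replay of the old token.
function demo() {
  const store = new RefreshStore();
  const t1 = store.issue("user-1");
  const plaintextStored = store.rows.has(t1);      // keys are digests, never the token
  const first = store.rotate(t1);                  // succeeds and returns a new token
  const replay = store.rotate(t1);                 // old token again: family revoked
  const afterRevoke = store.rotate(first.token);   // new token died with the family
  return { plaintextStored, first: first.ok, replay: replay.reason, afterRevoke: afterRevoke.reason };
}

console.log(demo());
```
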

Get started

Stop building auth.

Start shipping.

Everything you need for production authentication — in the time it takes to run a single install.

View on GitHub →

MIT Licensed · Node 18+ · MongoDB required · Redis optional