A from-scratch authentication reference implementation for Cloudflare Workers — PBKDF2 password hashing, JWT dual-token sessions, constant-time comparison, and sliding expiration — all wired together with Hono, Turso, and strict TypeScript.
Every design choice traces back to a standard: NIST SP 800-63B for credentials, NIST SP 800-132 for key derivation, OWASP ASVS for verification, and RFC 8725 for JWT best practices.
Shipping a product? Use Better Auth instead — it covers OAuth, passkeys, MFA, rate limiting, and more out of the box with an active plugin ecosystem. This repo exists to teach you how auth works, not to replace a production library.
Why this repo
- Read the code, not just the docs — every security property (timing-safe rejection, session-linked revocation, algorithm pinning) is implemented and tested, not just described
- NIST + OWASP + RFC references throughout — learn the why behind each decision
- 250+ tests including attack-vector suites (token tampering, algorithm confusion, unicode edge cases)
- Built for the edge — runs on Cloudflare Workers with Web Crypto API, no Node.js dependencies
- Apache-2.0 — fork it, teach with it, learn from it
What You'll Find Inside