---
title: "Presets"
url: "https://effect-auth.itsbroly.com/concepts/presets/"
description: "Use complete authentication APIs with secure defaults."
---



Presets are ready-to-mount Effect `Layer`s for effect-auth's built-in HTTP contracts. They are the highest-convenience integration described in [Architecture](/concepts/architecture/): choose one when its routes, schemas, and middleware already fit your application. The [Quick Start](/quick-start/) shows a complete runtime around the core preset.

## What a preset assembles [#what-a-preset-assembles]

```text
runtime capabilities + feature services + AuthRateLimit
                         │
                         ▼
                 *HttpOperationsLive
                         │
                         ▼
HttpApi contract → group handlers → operation methods
       │                                  │
       └── schema/origin middleware ──────┘
                         │
                         ▼
                    mounted routes
```

A preset includes the `HttpApi` contract, every handler for its group or groups, and the corresponding HTTP Operations layers. It also supplies schema-error middleware and, for groups that declare it, origin-check middleware configuration. Operations retain workflow orchestration, standard `AuthRateLimit` execution, public error mapping, and cookie consequences. The application still provides their required domain/runtime services, configured `AuthRateLimit`, HTTP server services, and `AuthHttpApiConfig` where needed. A layer's required-service type is the authoritative dependency list.

## Full core or focused feature [#full-core-or-focused-feature]

`CoreAuthHttpApiLive` is the full **core** preset. It mounts password, session, email verification, email OTP, magic link, login approval, and login-notification security groups under their standard `/auth/*` routes. This is one complete contract: mounting it requires the services used by every included operation, even when a client calls only password sign-in.

Focused presets mount one feature contract. They are useful beside the core contract or in an application that needs only selected feature APIs.

| Category                      | Public focused presets                                                                                                                                    | Scope                                                     |
| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| Authentication and assurance  | `EmailAuthHttpApiLive`, `PasskeyHttpApiLive`, `TotpHttpApiLive`, `RecoveryCodesHttpApiLive`, `MfaHttpApiLive`, `StepUpHttpApiLive`                        | One matching `/auth/*` group, its handlers and operations |
| Sessions and account security | `AdminSessionHttpApiLive`, `SecurityTimelineHttpApiLive`, `AdminSecurityTimelineHttpApiLive`, `TrustedDeviceHttpApiLive`, `AdminTrustedDeviceHttpApiLive` | User or admin management/read APIs                        |
| Tokens and federation         | `OAuthHttpApiLive`, `OAuthProviderAuthorizationHttpApiLive`, `OAuthTokenHttpApiLive`, `ApiKeyHttpApiLive`, `RefreshTokenHttpApiLive`, `JwtHttpApiLive`    | OAuth, key, refresh-token, or JWT routes                  |
| Discovery                     | `JwtDiscoveryHttpApiLive`, `OidcDiscoveryHttpApiLive`                                                                                                     | One `/.well-known/*` contract                             |

There are no focused password, session, email-verification, email-OTP, magic-link, login-approval, or login-notification presets: those groups compose `CoreAuthHttpApiLive`. Use their HTTP Operations when the full core contract is too broad.

```ts
import {
  CoreAuthHttpApiLive,
  PasskeyHttpApiLive,
} from "@effect-auth/core/HttpApi";
import { Layer } from "effect";

export const AuthRoutesLive = Layer.merge(
  CoreAuthHttpApiLive,
  PasskeyHttpApiLive
).pipe(Layer.provide(AppAuthServicesLive));
```

Feature dependencies are not isolated merely because routes are focused. MFA can require configured factor capabilities; OAuth and token presets require their provider, grant, or signing services; discovery requires key/issuer configuration. Supply the feature layers and runtime capabilities reported by the preset's type.

## Composition boundaries [#composition-boundaries]

Presets compose at the **contract/group** boundary, not as per-endpoint switches. You may mount the core preset, add an unchanged focused preset, and build another endpoint from primitives on the same server. You cannot mount a preset and replace one of its handlers by layering another handler over the same method and effective path. Duplicate routes collide rather than override; omit or rebuild the owning group, or choose a distinct path.

Move that boundary to [HTTP Operations](/concepts/http-operations/) when you need only selected methods, different paths or request schemas, custom grouping, or endpoint-specific middleware and guards. Bind the desired operation methods into your own `HttpApi`; the operation keeps its standard authentication behavior, but built-in group middleware does not travel with it. Your endpoint must provide decoding, origin/CSRF policy, caller guards, and compatible success/error schemas. The [HTTP Operations reference](/reference/http-operations/) lists available methods, while [Authentication: Password](/authentication/password/) compares preset, Operations, and primitive assembly end to end.

