Presets
Use complete authentication APIs with secure defaults.
Presets are ready-to-mount Effect Layers for effect-auth's built-in HTTP contracts. They are the highest-convenience integration described in Architecture: choose one when its routes, schemas, and middleware already fit your application. The Quick Start shows a complete runtime around the core preset.
What a preset assembles
runtime capabilities + feature services + AuthRateLimit
│
▼
*HttpOperationsLive
│
▼
HttpApi contract → group handlers → operation methods
│ │
└── schema/origin middleware ──────┘
│
▼
mounted routesA preset includes the HttpApi contract, every handler for its group or groups, and the corresponding HTTP Operations layers. It also supplies schema-error middleware and, for groups that declare it, origin-check middleware configuration. Operations retain workflow orchestration, standard AuthRateLimit execution, public error mapping, and cookie consequences. The application still provides their required domain/runtime services, configured AuthRateLimit, HTTP server services, and AuthHttpApiConfig where needed. A layer's required-service type is the authoritative dependency list.
Full core or focused feature
CoreAuthHttpApiLive is the full core preset. It mounts password, session, email verification, email OTP, magic link, login approval, and login-notification security groups under their standard /auth/* routes. This is one complete contract: mounting it requires the services used by every included operation, even when a client calls only password sign-in.
Focused presets mount one feature contract. They are useful beside the core contract or in an application that needs only selected feature APIs.
| Category | Public focused presets | Scope |
|---|---|---|
| Authentication and assurance | EmailAuthHttpApiLive, PasskeyHttpApiLive, TotpHttpApiLive, RecoveryCodesHttpApiLive, MfaHttpApiLive, StepUpHttpApiLive | One matching /auth/* group, its handlers and operations |
| Sessions and account security | AdminSessionHttpApiLive, SecurityTimelineHttpApiLive, AdminSecurityTimelineHttpApiLive, TrustedDeviceHttpApiLive, AdminTrustedDeviceHttpApiLive | User or admin management/read APIs |
| Tokens and federation | OAuthHttpApiLive, OAuthProviderAuthorizationHttpApiLive, OAuthTokenHttpApiLive, ApiKeyHttpApiLive, RefreshTokenHttpApiLive, JwtHttpApiLive | OAuth, key, refresh-token, or JWT routes |
| Discovery | JwtDiscoveryHttpApiLive, OidcDiscoveryHttpApiLive | One /.well-known/* contract |
There are no focused password, session, email-verification, email-OTP, magic-link, login-approval, or login-notification presets: those groups compose CoreAuthHttpApiLive. Use their HTTP Operations when the full core contract is too broad.
import {
CoreAuthHttpApiLive,
PasskeyHttpApiLive,
} from "@effect-auth/core/HttpApi";
import { Layer } from "effect";
export const AuthRoutesLive = Layer.merge(
CoreAuthHttpApiLive,
PasskeyHttpApiLive
).pipe(Layer.provide(AppAuthServicesLive));Feature dependencies are not isolated merely because routes are focused. MFA can require configured factor capabilities; OAuth and token presets require their provider, grant, or signing services; discovery requires key/issuer configuration. Supply the feature layers and runtime capabilities reported by the preset's type.
Composition boundaries
Presets compose at the contract/group boundary, not as per-endpoint switches. You may mount the core preset, add an unchanged focused preset, and build another endpoint from primitives on the same server. You cannot mount a preset and replace one of its handlers by layering another handler over the same method and effective path. Duplicate routes collide rather than override; omit or rebuild the owning group, or choose a distinct path.
Move that boundary to HTTP Operations when you need only selected methods, different paths or request schemas, custom grouping, or endpoint-specific middleware and guards. Bind the desired operation methods into your own HttpApi; the operation keeps its standard authentication behavior, but built-in group middleware does not travel with it. Your endpoint must provide decoding, origin/CSRF policy, caller guards, and compatible success/error schemas. The HTTP Operations reference lists available methods, while Authentication: Password compares preset, Operations, and primitive assembly end to end.