effect-auth

HTTP Operations

Reference reusable HTTP operation services.

HTTP operation services expose effect-auth's standard workflows as endpoint-shaped functions without fixing the application API's routes or group layout. Import each service, live layer, contract, and endpoint from its canonical @effect-auth/core/HttpApi/<Feature> path. Reserve @effect-auth/core/HttpApi for shared HTTP infrastructure and cross-feature composition such as CoreAuthHttpApiLive. For the ownership boundary and composition model, see HTTP Operations; for binding examples, see Custom Auth API.

import {
  SessionHttpApiGroup,
  SessionHttpOperations,
  SessionHttpOperationsLive,
  currentSessionEndpoint,
} from "@effect-auth/core/HttpApi/Session";

Export pattern

For a feature named Name, the public exports follow a consistent pattern:

ExportPurpose
NameHttpOperationsServiceStructural service interface containing the methods below.
NameHttpOperationsEffect Context.Service tag used in handlers.
NameHttpOperationsLiveLayer that constructs the service from domain, HTTP, configuration, and policy services.
NameHttpApiLiveFocused standard-route preset, where one is exported; this is not the operations layer.

Each method is a typed HttpOperation<typeof endpoint, Requirements>: a function taking the built-in endpoint handler request with Effect's internal endpoint and group fields omitted, and returning an Effect with that endpoint's success, error, and service requirements. Requirements defaults to never, and most existing live layers capture their dependencies during construction. Effect-native operations such as permission-definition administration resolve their explicit requirements during execution; their focused preset installs the matching router middleware. A custom endpoint must still declare schemas compatible with the method's request, success, and errors.

The feature name in the service maps directly to the subpath. For example, use HttpApi/EmailVerification, HttpApi/RecoveryCodes, HttpApi/OAuthProviderAuthorization, HttpApi/JwtDiscovery, and HttpApi/AdminTrustedDevice for those services. The focused module exports only that feature's public HTTP surface; it does not act as another broad barrel.

Catalog

The requirements column is deliberately high-level. Configuration services, stores, cryptography, and optional capabilities are summarized rather than presented as an exhaustive layer type.

Primary authentication

ServiceMethodsFocused presetKey required feature/domain services
PasswordHttpOperationssignIn, signUp, resetStart, resetVerify, set, changeNonePassword login, registration, reset and management; sessions, cookies, AuthHttp, AuthRateLimit
EmailVerificationHttpOperationsstart, verifyNoneVerification flow and verification; sessions, cookies, AuthRateLimit
EmailOtpHttpOperationsstart, verifyNoneEmail OTP login, AuthHttp, AuthRateLimit
EmailAuthHttpOperationsstartEmailAuthHttpApiLiveEmail auth orchestration, AuthRateLimit
MagicLinkHttpOperationsstart, verifyNoneMagic-link login, AuthHttp, AuthRateLimit
PasskeyHttpOperationsregisterStart, registerFinish, authenticateStart, authenticateFinish, listCredentials, revokeCredentialPasskeyHttpApiLivePasskey config/options/verification/credential management; users, sessions, cookies, AuthHttp, AuthRateLimit

Sessions, MFA, and assurance

ServiceMethodsFocused presetKey required feature/domain services
SessionHttpOperationscurrent, refresh, logout, list, revoke, revokeOthersNoneSessions, session cookie, AuthHttp
TotpHttpOperationsstartEnrollment, confirmEnrollment, verify, listFactors, revokeFactorTotpHttpApiLiveTOTP config/factor management; sessions, cookies, AuthRateLimit
RecoveryCodesHttpOperationsgenerate, regenerate, verify, list, revokeRecoveryCodesHttpApiLiveRecovery-code config/management; sessions, cookies, AuthRateLimit
MfaHttpOperationsoptions, verifyTotp, verifyTotpForFlow, verifyRecoveryCode, verifyRecoveryCodeForFlow, startPasskey, verifyPasskeyMfaHttpApiLiveAuth-flow state/orchestration, TOTP/recovery/passkey services and config, AuthHttp, AuthRateLimit
StepUpHttpOperationsoptions, verifyTotp, verifyPassword, verifyRecoveryCode, startPasskey, verifyPasskeyStepUpHttpApiLiveSessions/cookies, credentials/password hashing, TOTP/recovery/passkey services and config, AuthRateLimit
LoginApprovalHttpOperationsapprove, status, finalizeNoneLogin approval, auth flow/state, users, AuthHttp

Account and administration

ServiceMethodsFocused presetKey required feature/domain services
AdminSessionHttpOperationslist, revoke, revokeAllAdminSessionHttpApiLiveSessions, cookies, admin-session authorization
AdminPermissionDefinitionHttpOperationscreate, get, list, update, disable, enable, deleteAdminPermissionDefinitionHttpApiLivePermission administration, sessions, cookies, app-owned permission-definition authorization
LoginNotificationHttpOperationsreportLoginNoneNo required feature service; login notifications are optional
SecurityTimelineHttpOperationslistSecurityTimelineHttpApiLiveSessions, cookies, security-timeline store
AdminSecurityTimelineHttpOperationslistAdminSecurityTimelineHttpApiLiveSessions, cookies, timeline store and admin authorization
TrustedDeviceHttpOperationslist, revokeTrustedDeviceHttpApiLiveSessions, cookies, trusted-device store
AdminTrustedDeviceHttpOperationslist, revokeAdminTrustedDeviceHttpApiLiveSessions, cookies, trusted-device store and admin authorization

Tokens and federation

ServiceMethodsFocused presetKey required feature/domain services
OAuthHttpOperationsauthorizationStart, accountUnlink, linkConfirmationStart, linkConfirmationInspect, linkConfirmationConfirmOAuthHttpApiLiveOAuth providers/state, unlinking/link confirmation, OAuth HTTP config, sessions/cookies
OAuthProviderAuthorizationHttpOperationsauthorizeOAuthProviderAuthorizationHttpApiLiveOAuth provider authorization
OAuthTokenHttpOperationstoken, introspect, revokeOAuthTokenHttpApiLiveAuthorization-code grant and token HTTP config; other grants, introspection, and revocation optional
ApiKeyHttpOperationscreate, list, revokeApiKeyHttpApiLiveAPI-key management, sessions, cookies
RefreshTokenHttpOperationsrefreshRefreshTokenHttpApiLiveRefresh-token management, JWT issuer, refresh-token HTTP config
JwtHttpOperationsintrospect, revokeJwtHttpApiLiveJWT revocation and JWT HTTP config
JwtDiscoveryHttpOperationsjwksJwtDiscoveryHttpApiLiveJWKS provider
OidcDiscoveryHttpOperationsopenidConfigurationOidcDiscoveryHttpApiLiveOIDC discovery metadata

Layer and boundary semantics

Construct the feature service by providing its live layer, then yield the service in an HttpApiBuilder group and bind only the desired methods. A layer constructs the complete service even when the API exposes one method. Optional services are detected and captured at layer construction; providing one only around a later method call does not enable it.

Some operations capture and execute standard AuthRateLimit; others enforce authentication or authorization through sessions and feature-specific services, and public discovery or protocol operations may require neither. Do not add the same standard security check around an operation that already executes it. Custom origin/CSRF, decoding, tenant, role, and other application middleware remains part of the endpoint boundary.

AdminPermissionDefinitionHttpOperations authenticates the current session and calls AdminPermissionDefinitionAuthorization before every definition lookup or mutation. The operations obtain permission administration, sessions, cookies, and authorization services when the request runs rather than through exported handler factories. The focused preset installs AdminPermissionDefinitionHttpRequirementsLive to provide that context to its routes. The library deliberately provides no allow-all authorization layer. Mutations emit typed audit events when request audit wiring is present. Its list operation uses an after cursor and a bounded limit from 1 through 100 (default 50). This standalone API is not mounted by CoreAuthHttpApiLive, and grant metadata is not exposed through it.

Session issuance, rotation, revocation, and clearing use AuthHttp and/or SessionCookie where the workflow requires them. Related continuation, trusted-device, and login-approval cookies are applied only for configured workflows. Cookie-capable operations do not remove the need for origin protection on the API. Expected domain failures are mapped to stable public errors; unexpected infrastructure failures are sanitized.

To discover exact requirements, inspect the exported layer type rather than this summary:

import { PasswordHttpOperationsLive } from "@effect-auth/core/HttpApi/Password";
import type { Layer } from "effect";

type Requirements<L> =
  L extends Layer.Layer<unknown, unknown, infer R> ? R : never;
type PasswordRequirements = Requirements<typeof PasswordHttpOperationsLive>;

Editor hover or “go to type definition” on PasswordRequirements shows the current required context. Effect.serviceOption(...) capabilities do not appear as mandatory requirements; inspect the live layer implementation or feature documentation when deciding which optional behavior to enable.

On this page