HTTP Operations
Reference reusable HTTP operation services.
HTTP operation services expose effect-auth's standard workflows as endpoint-shaped functions without fixing the application API's routes or group layout. Import each service, live layer, contract, and endpoint from its canonical @effect-auth/core/HttpApi/<Feature> path. Reserve @effect-auth/core/HttpApi for shared HTTP infrastructure and cross-feature composition such as CoreAuthHttpApiLive. For the ownership boundary and composition model, see HTTP Operations; for binding examples, see Custom Auth API.
import {
SessionHttpApiGroup,
SessionHttpOperations,
SessionHttpOperationsLive,
currentSessionEndpoint,
} from "@effect-auth/core/HttpApi/Session";Export pattern
For a feature named Name, the public exports follow a consistent pattern:
| Export | Purpose |
|---|---|
NameHttpOperationsService | Structural service interface containing the methods below. |
NameHttpOperations | Effect Context.Service tag used in handlers. |
NameHttpOperationsLive | Layer that constructs the service from domain, HTTP, configuration, and policy services. |
NameHttpApiLive | Focused standard-route preset, where one is exported; this is not the operations layer. |
Each method is a typed HttpOperation<typeof endpoint, Requirements>: a function taking the built-in endpoint handler request with Effect's internal endpoint and group fields omitted, and returning an Effect with that endpoint's success, error, and service requirements. Requirements defaults to never, and most existing live layers capture their dependencies during construction. Effect-native operations such as permission-definition administration resolve their explicit requirements during execution; their focused preset installs the matching router middleware. A custom endpoint must still declare schemas compatible with the method's request, success, and errors.
The feature name in the service maps directly to the subpath. For example, use HttpApi/EmailVerification, HttpApi/RecoveryCodes, HttpApi/OAuthProviderAuthorization, HttpApi/JwtDiscovery, and HttpApi/AdminTrustedDevice for those services. The focused module exports only that feature's public HTTP surface; it does not act as another broad barrel.
Catalog
The requirements column is deliberately high-level. Configuration services, stores, cryptography, and optional capabilities are summarized rather than presented as an exhaustive layer type.
Primary authentication
| Service | Methods | Focused preset | Key required feature/domain services |
|---|---|---|---|
PasswordHttpOperations | signIn, signUp, resetStart, resetVerify, set, change | None | Password login, registration, reset and management; sessions, cookies, AuthHttp, AuthRateLimit |
EmailVerificationHttpOperations | start, verify | None | Verification flow and verification; sessions, cookies, AuthRateLimit |
EmailOtpHttpOperations | start, verify | None | Email OTP login, AuthHttp, AuthRateLimit |
EmailAuthHttpOperations | start | EmailAuthHttpApiLive | Email auth orchestration, AuthRateLimit |
MagicLinkHttpOperations | start, verify | None | Magic-link login, AuthHttp, AuthRateLimit |
PasskeyHttpOperations | registerStart, registerFinish, authenticateStart, authenticateFinish, listCredentials, revokeCredential | PasskeyHttpApiLive | Passkey config/options/verification/credential management; users, sessions, cookies, AuthHttp, AuthRateLimit |
Sessions, MFA, and assurance
| Service | Methods | Focused preset | Key required feature/domain services |
|---|---|---|---|
SessionHttpOperations | current, refresh, logout, list, revoke, revokeOthers | None | Sessions, session cookie, AuthHttp |
TotpHttpOperations | startEnrollment, confirmEnrollment, verify, listFactors, revokeFactor | TotpHttpApiLive | TOTP config/factor management; sessions, cookies, AuthRateLimit |
RecoveryCodesHttpOperations | generate, regenerate, verify, list, revoke | RecoveryCodesHttpApiLive | Recovery-code config/management; sessions, cookies, AuthRateLimit |
MfaHttpOperations | options, verifyTotp, verifyTotpForFlow, verifyRecoveryCode, verifyRecoveryCodeForFlow, startPasskey, verifyPasskey | MfaHttpApiLive | Auth-flow state/orchestration, TOTP/recovery/passkey services and config, AuthHttp, AuthRateLimit |
StepUpHttpOperations | options, verifyTotp, verifyPassword, verifyRecoveryCode, startPasskey, verifyPasskey | StepUpHttpApiLive | Sessions/cookies, credentials/password hashing, TOTP/recovery/passkey services and config, AuthRateLimit |
LoginApprovalHttpOperations | approve, status, finalize | None | Login approval, auth flow/state, users, AuthHttp |
Account and administration
| Service | Methods | Focused preset | Key required feature/domain services |
|---|---|---|---|
AdminSessionHttpOperations | list, revoke, revokeAll | AdminSessionHttpApiLive | Sessions, cookies, admin-session authorization |
AdminPermissionDefinitionHttpOperations | create, get, list, update, disable, enable, delete | AdminPermissionDefinitionHttpApiLive | Permission administration, sessions, cookies, app-owned permission-definition authorization |
LoginNotificationHttpOperations | reportLogin | None | No required feature service; login notifications are optional |
SecurityTimelineHttpOperations | list | SecurityTimelineHttpApiLive | Sessions, cookies, security-timeline store |
AdminSecurityTimelineHttpOperations | list | AdminSecurityTimelineHttpApiLive | Sessions, cookies, timeline store and admin authorization |
TrustedDeviceHttpOperations | list, revoke | TrustedDeviceHttpApiLive | Sessions, cookies, trusted-device store |
AdminTrustedDeviceHttpOperations | list, revoke | AdminTrustedDeviceHttpApiLive | Sessions, cookies, trusted-device store and admin authorization |
Tokens and federation
| Service | Methods | Focused preset | Key required feature/domain services |
|---|---|---|---|
OAuthHttpOperations | authorizationStart, accountUnlink, linkConfirmationStart, linkConfirmationInspect, linkConfirmationConfirm | OAuthHttpApiLive | OAuth providers/state, unlinking/link confirmation, OAuth HTTP config, sessions/cookies |
OAuthProviderAuthorizationHttpOperations | authorize | OAuthProviderAuthorizationHttpApiLive | OAuth provider authorization |
OAuthTokenHttpOperations | token, introspect, revoke | OAuthTokenHttpApiLive | Authorization-code grant and token HTTP config; other grants, introspection, and revocation optional |
ApiKeyHttpOperations | create, list, revoke | ApiKeyHttpApiLive | API-key management, sessions, cookies |
RefreshTokenHttpOperations | refresh | RefreshTokenHttpApiLive | Refresh-token management, JWT issuer, refresh-token HTTP config |
JwtHttpOperations | introspect, revoke | JwtHttpApiLive | JWT revocation and JWT HTTP config |
JwtDiscoveryHttpOperations | jwks | JwtDiscoveryHttpApiLive | JWKS provider |
OidcDiscoveryHttpOperations | openidConfiguration | OidcDiscoveryHttpApiLive | OIDC discovery metadata |
Layer and boundary semantics
Construct the feature service by providing its live layer, then yield the service in an HttpApiBuilder group and bind only the desired methods. A layer constructs the complete service even when the API exposes one method. Optional services are detected and captured at layer construction; providing one only around a later method call does not enable it.
Some operations capture and execute standard AuthRateLimit; others enforce authentication or authorization through sessions and feature-specific services, and public discovery or protocol operations may require neither. Do not add the same standard security check around an operation that already executes it. Custom origin/CSRF, decoding, tenant, role, and other application middleware remains part of the endpoint boundary.
AdminPermissionDefinitionHttpOperations authenticates the current session and calls AdminPermissionDefinitionAuthorization before every definition lookup or mutation. The operations obtain permission administration, sessions, cookies, and authorization services when the request runs rather than through exported handler factories. The focused preset installs AdminPermissionDefinitionHttpRequirementsLive to provide that context to its routes. The library deliberately provides no allow-all authorization layer. Mutations emit typed audit events when request audit wiring is present. Its list operation uses an after cursor and a bounded limit from 1 through 100 (default 50). This standalone API is not mounted by CoreAuthHttpApiLive, and grant metadata is not exposed through it.
Session issuance, rotation, revocation, and clearing use AuthHttp and/or SessionCookie where the workflow requires them. Related continuation, trusted-device, and login-approval cookies are applied only for configured workflows. Cookie-capable operations do not remove the need for origin protection on the API. Expected domain failures are mapped to stable public errors; unexpected infrastructure failures are sanitized.
To discover exact requirements, inspect the exported layer type rather than this summary:
import { PasswordHttpOperationsLive } from "@effect-auth/core/HttpApi/Password";
import type { Layer } from "effect";
type Requirements<L> =
L extends Layer.Layer<unknown, unknown, infer R> ? R : never;
type PasswordRequirements = Requirements<typeof PasswordHttpOperationsLive>;Editor hover or “go to type definition” on PasswordRequirements shows the current required context. Effect.serviceOption(...) capabilities do not appear as mandatory requirements; inspect the live layer implementation or feature documentation when deciding which optional behavior to enable.