---
title: "Package Exports"
url: "https://effect-auth.itsbroly.com/reference/package-exports/"
description: "Reference the public @effect-auth/core package entry points and import boundaries."
---



`@effect-auth/core` is currently published as `0.1.0-alpha.17`. That version is an alpha identifier, not a promise that every entry point or contract is stable. The package is ESM-only and exposes a metadata-only root entry, named feature subpaths, and `package.json` through its `exports` map.

## Export policy [#export-policy]

The root entry exports only package metadata:

```ts
import { packageName } from "@effect-auth/core";
```

Use a named subpath for every feature API:

```ts
import { PasswordLogin } from "@effect-auth/core/Password";
import { PasswordHttpOperationsLive } from "@effect-auth/core/HttpApi/Password";
import { SessionHttpOperations } from "@effect-auth/core/HttpApi/Session";
```

The package declares `sideEffects: false`, so bundlers may tree-shake unused ESM exports. Explicit subpaths also keep browser, server, database, Cloudflare, and test boundaries visible during tooling and development. Do not import `@effect-auth/core/src/*`, `dist/*`, or unexported implementation files: only paths in the tables below are public package entry points.

## Domain and authentication [#domain-and-authentication]

These modules contain domain services, schemas, policies, stores, feature layers, and supporting capabilities. See [Architecture](/concepts/architecture/), [Primitives](/concepts/primitives/), [Sessions](/concepts/sessions/), and [Security Policies](/concepts/security-policies/) for how they compose.

| Public subpaths                                                                                                            | Responsibility                                                                                                                                                                                                                                                               |
| -------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Assurance`                                                                                                                | Versioned built-in/custom evidence, local tier derivation, canonical AMR, freshness lookup, compaction, and the versioned custom-policy registry. Raw evidence is a server-only domain/storage concern.                                                                      |
| `ApiKey`, `Jwt`, `MachineAuth`, `OAuth`, `RefreshToken`                                                                    | Machine credentials, token lifecycles, and federation. See the [API-key recipe](/recipes/add-api-key-authentication/), [JWT recipe](/recipes/issue-jwt-access-tokens/), [OAuth recipe](/recipes/add-oauth-login/), and [refresh-token recipe](/recipes/add-refresh-tokens/). |
| `Identity`, `IdentityManagement`                                                                                           | Identity kinds, normalization, login eligibility, and the opt-in availability/list/add/replace/revoke/primary service. See [Identity Management](/authentication/identity-management/).                                                                                      |
| `Password`, `Passkey`, `PasskeyBrowser`, `PasskeySimpleWebAuthn`                                                           | Password and WebAuthn domain capabilities plus browser and SimpleWebAuthn adapters. See [passkeys with password auth](/recipes/add-passkeys-to-password-auth/).                                                                                                              |
| `AbuseProtection`, `EmailRisk`, `PasswordRisk`                                                                             | Provider-neutral bot, email-acceptance, and breached-password policy contracts. Every service is replaceable with an application `Layer`; default/noop layers require no provider credentials. See [Abuse Protection And Risk Adapters](/authentication/abuse-protection/).  |
| `CloudflareTurnstile`, `HibpPwnedPasswords`, `DisposableEmailDomains`, `IpQualityScore`                                    | Opt-in bounded provider adapters for bot proofs, k-anonymous password ranges, injected pinned domain data, and facts-only IP reputation.                                                                                                                                     |
| `EmailAuth`, `EmailOtp`, `EmailVerification`, `MagicLink`, `Mailer`                                                        | Email authentication, challenges, verification, links, and delivery contracts.                                                                                                                                                                                               |
| `Sessions`, `StepUp`, `StrongFactor`, `Totp`, `RecoveryCode`, `TrustedDevice`                                              | Evidence-backed sessions, MFA factors, local assurance gates, constrained recovery, and trusted-device state. See the [MFA recipe](/recipes/require-mfa-after-password/) and [step-up recipe](/recipes/protect-sensitive-action-with-step-up/).                              |
| `AuthConfig`, `AuthFlow`, `AuthKernel`, `AuthRateLimit`, `Challenge`, `Crypto`, `Identifiers`                              | Core configuration, orchestration, security, challenges, cryptography, and branded identifiers. See [Configuration](/reference/configuration/).                                                                                                                              |
| `AuditLog`, `IncidentAction`, `LoginApproval`, `LoginNotification`, `LoginRisk`, `LoginRiskEnrichment`, `SecurityTimeline` | Audit, incident, approval, notification, risk, enrichment, and timeline capabilities. See [Security Operations](/reference/security-operations/).                                                                                                                            |
| `DomainVerification`, `Guard`, `Permission`, `Policy`, `Privacy`, `RateLimiter`, `Retention`, `Webhook`                    | Authorization and operational policy boundaries, including scoped grants and CAS-protected permission/role definition administration.                                                                                                                                        |

## HTTP and client [#http-and-client]

| Public subpath                                                                                                     | Responsibility                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `HttpApi`                                                                                                          | Shared HTTP infrastructure and cross-feature composition, including `CoreAuthHttpApiLive`, middleware, common schemas/errors, grouped guards, and `withHttpAudit` request batching. Existing feature re-exports remain available for compatibility, but focused paths are canonical. See [HTTP Operations](/reference/http-operations/) and [Custom Auth API](/guides/custom-auth-api/). |
| `HttpApi/Session`, `HttpApi/EmailVerification`, `HttpApi/EmailOtp`, `HttpApi/EmailAuth`, `HttpApi/MagicLink`       | Focused primary-authentication and session contracts, endpoint values, operation services/layers, helpers, and existing group bindings or presets.                                                                                                                                                                                                                                       |
| `HttpApi/Password`                                                                                                 | Focused password contracts, endpoints, operation service/layer, advanced handler factories, guards, and standalone `PasswordHttpApiLive`. It does not load the aggregate server API implementation.                                                                                                                                                                                      |
| `HttpApi/LoginApproval`, `HttpApi/LoginNotification`, `HttpApi/Passkey`, `HttpApi/Identity`                        | Focused approval, security-reporting, passkey, and identity HTTP APIs.                                                                                                                                                                                                                                                                                                                   |
| `HttpApi/Totp`, `HttpApi/RecoveryCodes`, `HttpApi/Mfa`, `HttpApi/StepUp`                                           | Focused factor-management, MFA, and step-up HTTP APIs.                                                                                                                                                                                                                                                                                                                                   |
| `HttpApi/OAuth`, `HttpApi/OAuthProviderAuthorization`, `HttpApi/OAuthToken`                                        | Focused OAuth client flow, provider authorization endpoint, and OAuth token protocol APIs.                                                                                                                                                                                                                                                                                               |
| `HttpApi/ApiKey`, `HttpApi/RefreshToken`, `HttpApi/Jwt`, `HttpApi/JwtDiscovery`, `HttpApi/OidcDiscovery`           | Focused credential, token, JWT, JWKS, and OIDC discovery APIs.                                                                                                                                                                                                                                                                                                                           |
| `HttpApi/AdminSession`, `HttpApi/AdminPermissionDefinition`                                                        | Focused administration APIs, including application-owned authorization contracts and standalone presets.                                                                                                                                                                                                                                                                                 |
| `HttpApi/SecurityTimeline`, `HttpApi/AdminSecurityTimeline`, `HttpApi/TrustedDevice`, `HttpApi/AdminTrustedDevice` | Focused user/admin security history and trusted-device APIs.                                                                                                                                                                                                                                                                                                                             |
| `Client`                                                                                                           | Browser-safe clients for the standard HTTP contracts, including standalone identity and permission-definition administration clients and unified `auth.identities`. It imports shared schemas and client API contracts without loading server handlers. See [Browser Client](/clients/browser-client/).                                                                                  |

Import feature contracts and operations from `HttpApi/<Feature>`. The broad `HttpApi` path is for shared HTTP infrastructure and aggregate composition, not the canonical feature import path. Handler factories remain absent from that aggregate. The focused `HttpApi/Password` entry exposes password handler factories as an advanced boundary, while most applications should use `PasswordHttpApiLive` or bind a `PasswordHttpOperations` method in an application-owned API. Calling domain primitives directly moves transport, authorization, error mapping, auditing, and session consequences to the application; the [architecture guide](/concepts/architecture/) defines that ownership boundary.

## Storage and runtime [#storage-and-runtime]

| Public subpaths                                                                                                 | Responsibility                                                                                                                              |
| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `Storage`, `StorageMigrations`                                                                                  | Storage contracts and migration discovery/application. See [Storage](/reference/storage/) and [Custom Database](/storage/custom-database/). |
| `EffectQbSqliteStorage`                                                                                         | Effect-QB SQLite storage implementation.                                                                                                    |
| `DrizzleD1SqliteStorage`, `DrizzleDurableObjectSqliteStorage`                                                   | Drizzle adapters for Cloudflare D1 and Durable Object SQLite.                                                                               |
| `DrizzleBunSqliteStorage`, `DrizzleEffectSqliteStorage`, `DrizzleNodeSqliteStorage`, `DrizzleWasmSqliteStorage` | Drizzle adapters for Bun, Effect SQL, Node, and WASM SQLite runtimes. See [SQLite storage](/storage/sqlite/).                               |
| `WaitUntil`                                                                                                     | Runtime capability for deferring background work.                                                                                           |

`effect` is the required peer. Database integrations are opt-in: `drizzle-orm`, `effect-qb`, and the matching `@effect/sql-d1` or `@effect/sql-sqlite-*` package are optional peers. Install only the peer dependencies required by the adapter you import; an optional declaration does not make that adapter work without its backend package.

## Cloudflare and Alchemy [#cloudflare-and-alchemy]

| Public subpaths                                                                    | Responsibility                                                                                                                                                                        |
| ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `CloudflareEmail`, `CloudflareRateLimitDurableObject`, `CloudflareRequestMetadata` | Cloudflare runtime adapters for email, Durable Object rate limiting, and trusted `request.cf` coarse request/GeoIP metadata. See [Cloudflare Workers](/runtimes/cloudflare-workers/). |
| `AlchemyCloudflareEmail`, `AlchemyCloudflareRateLimitDurableObject`                | Alchemy-facing Cloudflare resource helpers. See [Alchemy v2](/infrastructure/alchemy/).                                                                                               |

The Cloudflare and Alchemy entries are separate because deployment resources and Worker runtime capabilities have different owners. Both families are available only through named subpaths.

## Testing and metadata [#testing-and-metadata]

| Public subpath | Responsibility                                                                                                                                                      |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Testing`      | Deterministic crypto/password services and a merged core test layer. These are test-only implementations, not production security. See [Testing](/guides/testing/). |
| `package.json` | Package metadata for tooling that explicitly needs the installed version or manifest.                                                                               |

Treat the export map as the compatibility boundary. A source file being present in the repository does not make it public, and declarations under `dist` are build artifacts rather than supported import paths.

