effect-auth

Package Exports

Reference the public @effect-auth/core package entry points and import boundaries.

@effect-auth/core is currently published as 0.1.0-alpha.17. That version is an alpha identifier, not a promise that every entry point or contract is stable. The package is ESM-only and exposes a metadata-only root entry, named feature subpaths, and package.json through its exports map.

Export policy

The root entry exports only package metadata:

import { packageName } from "@effect-auth/core";

Use a named subpath for every feature API:

import { PasswordLogin } from "@effect-auth/core/Password";
import { PasswordHttpOperationsLive } from "@effect-auth/core/HttpApi/Password";
import { SessionHttpOperations } from "@effect-auth/core/HttpApi/Session";

The package declares sideEffects: false, so bundlers may tree-shake unused ESM exports. Explicit subpaths also keep browser, server, database, Cloudflare, and test boundaries visible during tooling and development. Do not import @effect-auth/core/src/*, dist/*, or unexported implementation files: only paths in the tables below are public package entry points.

Domain and authentication

These modules contain domain services, schemas, policies, stores, feature layers, and supporting capabilities. See Architecture, Primitives, Sessions, and Security Policies for how they compose.

Public subpathsResponsibility
AssuranceVersioned built-in/custom evidence, local tier derivation, canonical AMR, freshness lookup, compaction, and the versioned custom-policy registry. Raw evidence is a server-only domain/storage concern.
ApiKey, Jwt, MachineAuth, OAuth, RefreshTokenMachine credentials, token lifecycles, and federation. See the API-key recipe, JWT recipe, OAuth recipe, and refresh-token recipe.
Identity, IdentityManagementIdentity kinds, normalization, login eligibility, and the opt-in availability/list/add/replace/revoke/primary service. See Identity Management.
Password, Passkey, PasskeyBrowser, PasskeySimpleWebAuthnPassword and WebAuthn domain capabilities plus browser and SimpleWebAuthn adapters. See passkeys with password auth.
AbuseProtection, EmailRisk, PasswordRiskProvider-neutral bot, email-acceptance, and breached-password policy contracts. Every service is replaceable with an application Layer; default/noop layers require no provider credentials. See Abuse Protection And Risk Adapters.
CloudflareTurnstile, HibpPwnedPasswords, DisposableEmailDomains, IpQualityScoreOpt-in bounded provider adapters for bot proofs, k-anonymous password ranges, injected pinned domain data, and facts-only IP reputation.
EmailAuth, EmailOtp, EmailVerification, MagicLink, MailerEmail authentication, challenges, verification, links, and delivery contracts.
Sessions, StepUp, StrongFactor, Totp, RecoveryCode, TrustedDeviceEvidence-backed sessions, MFA factors, local assurance gates, constrained recovery, and trusted-device state. See the MFA recipe and step-up recipe.
AuthConfig, AuthFlow, AuthKernel, AuthRateLimit, Challenge, Crypto, IdentifiersCore configuration, orchestration, security, challenges, cryptography, and branded identifiers. See Configuration.
AuditLog, IncidentAction, LoginApproval, LoginNotification, LoginRisk, LoginRiskEnrichment, SecurityTimelineAudit, incident, approval, notification, risk, enrichment, and timeline capabilities. See Security Operations.
DomainVerification, Guard, Permission, Policy, Privacy, RateLimiter, Retention, WebhookAuthorization and operational policy boundaries, including scoped grants and CAS-protected permission/role definition administration.

HTTP and client

Public subpathResponsibility
HttpApiShared HTTP infrastructure and cross-feature composition, including CoreAuthHttpApiLive, middleware, common schemas/errors, grouped guards, and withHttpAudit request batching. Existing feature re-exports remain available for compatibility, but focused paths are canonical. See HTTP Operations and Custom Auth API.
HttpApi/Session, HttpApi/EmailVerification, HttpApi/EmailOtp, HttpApi/EmailAuth, HttpApi/MagicLinkFocused primary-authentication and session contracts, endpoint values, operation services/layers, helpers, and existing group bindings or presets.
HttpApi/PasswordFocused password contracts, endpoints, operation service/layer, advanced handler factories, guards, and standalone PasswordHttpApiLive. It does not load the aggregate server API implementation.
HttpApi/LoginApproval, HttpApi/LoginNotification, HttpApi/Passkey, HttpApi/IdentityFocused approval, security-reporting, passkey, and identity HTTP APIs.
HttpApi/Totp, HttpApi/RecoveryCodes, HttpApi/Mfa, HttpApi/StepUpFocused factor-management, MFA, and step-up HTTP APIs.
HttpApi/OAuth, HttpApi/OAuthProviderAuthorization, HttpApi/OAuthTokenFocused OAuth client flow, provider authorization endpoint, and OAuth token protocol APIs.
HttpApi/ApiKey, HttpApi/RefreshToken, HttpApi/Jwt, HttpApi/JwtDiscovery, HttpApi/OidcDiscoveryFocused credential, token, JWT, JWKS, and OIDC discovery APIs.
HttpApi/AdminSession, HttpApi/AdminPermissionDefinitionFocused administration APIs, including application-owned authorization contracts and standalone presets.
HttpApi/SecurityTimeline, HttpApi/AdminSecurityTimeline, HttpApi/TrustedDevice, HttpApi/AdminTrustedDeviceFocused user/admin security history and trusted-device APIs.
ClientBrowser-safe clients for the standard HTTP contracts, including standalone identity and permission-definition administration clients and unified auth.identities. It imports shared schemas and client API contracts without loading server handlers. See Browser Client.

Import feature contracts and operations from HttpApi/<Feature>. The broad HttpApi path is for shared HTTP infrastructure and aggregate composition, not the canonical feature import path. Handler factories remain absent from that aggregate. The focused HttpApi/Password entry exposes password handler factories as an advanced boundary, while most applications should use PasswordHttpApiLive or bind a PasswordHttpOperations method in an application-owned API. Calling domain primitives directly moves transport, authorization, error mapping, auditing, and session consequences to the application; the architecture guide defines that ownership boundary.

Storage and runtime

Public subpathsResponsibility
Storage, StorageMigrationsStorage contracts and migration discovery/application. See Storage and Custom Database.
EffectQbSqliteStorageEffect-QB SQLite storage implementation.
DrizzleD1SqliteStorage, DrizzleDurableObjectSqliteStorageDrizzle adapters for Cloudflare D1 and Durable Object SQLite.
DrizzleBunSqliteStorage, DrizzleEffectSqliteStorage, DrizzleNodeSqliteStorage, DrizzleWasmSqliteStorageDrizzle adapters for Bun, Effect SQL, Node, and WASM SQLite runtimes. See SQLite storage.
WaitUntilRuntime capability for deferring background work.

effect is the required peer. Database integrations are opt-in: drizzle-orm, effect-qb, and the matching @effect/sql-d1 or @effect/sql-sqlite-* package are optional peers. Install only the peer dependencies required by the adapter you import; an optional declaration does not make that adapter work without its backend package.

Cloudflare and Alchemy

Public subpathsResponsibility
CloudflareEmail, CloudflareRateLimitDurableObject, CloudflareRequestMetadataCloudflare runtime adapters for email, Durable Object rate limiting, and trusted request.cf coarse request/GeoIP metadata. See Cloudflare Workers.
AlchemyCloudflareEmail, AlchemyCloudflareRateLimitDurableObjectAlchemy-facing Cloudflare resource helpers. See Alchemy v2.

The Cloudflare and Alchemy entries are separate because deployment resources and Worker runtime capabilities have different owners. Both families are available only through named subpaths.

Testing and metadata

Public subpathResponsibility
TestingDeterministic crypto/password services and a merged core test layer. These are test-only implementations, not production security. See Testing.
package.jsonPackage metadata for tooling that explicitly needs the installed version or manifest.

Treat the export map as the compatibility boundary. A source file being present in the repository does not make it public, and declarations under dist are build artifacts rather than supported import paths.

On this page