Package Exports
Reference the public @effect-auth/core package entry points and import boundaries.
@effect-auth/core is currently published as 0.1.0-alpha.17. That version is an alpha identifier, not a promise that every entry point or contract is stable. The package is ESM-only and exposes a metadata-only root entry, named feature subpaths, and package.json through its exports map.
Export policy
The root entry exports only package metadata:
import { packageName } from "@effect-auth/core";Use a named subpath for every feature API:
import { PasswordLogin } from "@effect-auth/core/Password";
import { PasswordHttpOperationsLive } from "@effect-auth/core/HttpApi/Password";
import { SessionHttpOperations } from "@effect-auth/core/HttpApi/Session";The package declares sideEffects: false, so bundlers may tree-shake unused ESM exports. Explicit subpaths also keep browser, server, database, Cloudflare, and test boundaries visible during tooling and development. Do not import @effect-auth/core/src/*, dist/*, or unexported implementation files: only paths in the tables below are public package entry points.
Domain and authentication
These modules contain domain services, schemas, policies, stores, feature layers, and supporting capabilities. See Architecture, Primitives, Sessions, and Security Policies for how they compose.
| Public subpaths | Responsibility |
|---|---|
Assurance | Versioned built-in/custom evidence, local tier derivation, canonical AMR, freshness lookup, compaction, and the versioned custom-policy registry. Raw evidence is a server-only domain/storage concern. |
ApiKey, Jwt, MachineAuth, OAuth, RefreshToken | Machine credentials, token lifecycles, and federation. See the API-key recipe, JWT recipe, OAuth recipe, and refresh-token recipe. |
Identity, IdentityManagement | Identity kinds, normalization, login eligibility, and the opt-in availability/list/add/replace/revoke/primary service. See Identity Management. |
Password, Passkey, PasskeyBrowser, PasskeySimpleWebAuthn | Password and WebAuthn domain capabilities plus browser and SimpleWebAuthn adapters. See passkeys with password auth. |
AbuseProtection, EmailRisk, PasswordRisk | Provider-neutral bot, email-acceptance, and breached-password policy contracts. Every service is replaceable with an application Layer; default/noop layers require no provider credentials. See Abuse Protection And Risk Adapters. |
CloudflareTurnstile, HibpPwnedPasswords, DisposableEmailDomains, IpQualityScore | Opt-in bounded provider adapters for bot proofs, k-anonymous password ranges, injected pinned domain data, and facts-only IP reputation. |
EmailAuth, EmailOtp, EmailVerification, MagicLink, Mailer | Email authentication, challenges, verification, links, and delivery contracts. |
Sessions, StepUp, StrongFactor, Totp, RecoveryCode, TrustedDevice | Evidence-backed sessions, MFA factors, local assurance gates, constrained recovery, and trusted-device state. See the MFA recipe and step-up recipe. |
AuthConfig, AuthFlow, AuthKernel, AuthRateLimit, Challenge, Crypto, Identifiers | Core configuration, orchestration, security, challenges, cryptography, and branded identifiers. See Configuration. |
AuditLog, IncidentAction, LoginApproval, LoginNotification, LoginRisk, LoginRiskEnrichment, SecurityTimeline | Audit, incident, approval, notification, risk, enrichment, and timeline capabilities. See Security Operations. |
DomainVerification, Guard, Permission, Policy, Privacy, RateLimiter, Retention, Webhook | Authorization and operational policy boundaries, including scoped grants and CAS-protected permission/role definition administration. |
HTTP and client
| Public subpath | Responsibility |
|---|---|
HttpApi | Shared HTTP infrastructure and cross-feature composition, including CoreAuthHttpApiLive, middleware, common schemas/errors, grouped guards, and withHttpAudit request batching. Existing feature re-exports remain available for compatibility, but focused paths are canonical. See HTTP Operations and Custom Auth API. |
HttpApi/Session, HttpApi/EmailVerification, HttpApi/EmailOtp, HttpApi/EmailAuth, HttpApi/MagicLink | Focused primary-authentication and session contracts, endpoint values, operation services/layers, helpers, and existing group bindings or presets. |
HttpApi/Password | Focused password contracts, endpoints, operation service/layer, advanced handler factories, guards, and standalone PasswordHttpApiLive. It does not load the aggregate server API implementation. |
HttpApi/LoginApproval, HttpApi/LoginNotification, HttpApi/Passkey, HttpApi/Identity | Focused approval, security-reporting, passkey, and identity HTTP APIs. |
HttpApi/Totp, HttpApi/RecoveryCodes, HttpApi/Mfa, HttpApi/StepUp | Focused factor-management, MFA, and step-up HTTP APIs. |
HttpApi/OAuth, HttpApi/OAuthProviderAuthorization, HttpApi/OAuthToken | Focused OAuth client flow, provider authorization endpoint, and OAuth token protocol APIs. |
HttpApi/ApiKey, HttpApi/RefreshToken, HttpApi/Jwt, HttpApi/JwtDiscovery, HttpApi/OidcDiscovery | Focused credential, token, JWT, JWKS, and OIDC discovery APIs. |
HttpApi/AdminSession, HttpApi/AdminPermissionDefinition | Focused administration APIs, including application-owned authorization contracts and standalone presets. |
HttpApi/SecurityTimeline, HttpApi/AdminSecurityTimeline, HttpApi/TrustedDevice, HttpApi/AdminTrustedDevice | Focused user/admin security history and trusted-device APIs. |
Client | Browser-safe clients for the standard HTTP contracts, including standalone identity and permission-definition administration clients and unified auth.identities. It imports shared schemas and client API contracts without loading server handlers. See Browser Client. |
Import feature contracts and operations from HttpApi/<Feature>. The broad HttpApi path is for shared HTTP infrastructure and aggregate composition, not the canonical feature import path. Handler factories remain absent from that aggregate. The focused HttpApi/Password entry exposes password handler factories as an advanced boundary, while most applications should use PasswordHttpApiLive or bind a PasswordHttpOperations method in an application-owned API. Calling domain primitives directly moves transport, authorization, error mapping, auditing, and session consequences to the application; the architecture guide defines that ownership boundary.
Storage and runtime
| Public subpaths | Responsibility |
|---|---|
Storage, StorageMigrations | Storage contracts and migration discovery/application. See Storage and Custom Database. |
EffectQbSqliteStorage | Effect-QB SQLite storage implementation. |
DrizzleD1SqliteStorage, DrizzleDurableObjectSqliteStorage | Drizzle adapters for Cloudflare D1 and Durable Object SQLite. |
DrizzleBunSqliteStorage, DrizzleEffectSqliteStorage, DrizzleNodeSqliteStorage, DrizzleWasmSqliteStorage | Drizzle adapters for Bun, Effect SQL, Node, and WASM SQLite runtimes. See SQLite storage. |
WaitUntil | Runtime capability for deferring background work. |
effect is the required peer. Database integrations are opt-in: drizzle-orm, effect-qb, and the matching @effect/sql-d1 or @effect/sql-sqlite-* package are optional peers. Install only the peer dependencies required by the adapter you import; an optional declaration does not make that adapter work without its backend package.
Cloudflare and Alchemy
| Public subpaths | Responsibility |
|---|---|
CloudflareEmail, CloudflareRateLimitDurableObject, CloudflareRequestMetadata | Cloudflare runtime adapters for email, Durable Object rate limiting, and trusted request.cf coarse request/GeoIP metadata. See Cloudflare Workers. |
AlchemyCloudflareEmail, AlchemyCloudflareRateLimitDurableObject | Alchemy-facing Cloudflare resource helpers. See Alchemy v2. |
The Cloudflare and Alchemy entries are separate because deployment resources and Worker runtime capabilities have different owners. Both families are available only through named subpaths.
Testing and metadata
| Public subpath | Responsibility |
|---|---|
Testing | Deterministic crypto/password services and a merged core test layer. These are test-only implementations, not production security. See Testing. |
package.json | Package metadata for tooling that explicitly needs the installed version or manifest. |
Treat the export map as the compatibility boundary. A source file being present in the repository does not make it public, and declarations under dist are build artifacts rather than supported import paths.