---
title: "Security Operations"
url: "https://effect-auth.itsbroly.com/reference/security-operations/"
description: "Reference configurable security policy operations."
---



Security operations are the stable identifiers passed to `AuthRateLimit.require`. They select attempt-limiting policy; they are not routes, endpoint names, audit events, or authorization permissions. Standard HTTP Operations invoke the appropriate identifier once before authentication work. See [Security Policies](/concepts/security-policies/) for default limits and deployment guidance, and [HTTP Operations](/reference/http-operations/) for the transport services that invoke them.

## Operation catalog [#operation-catalog]

`AuthRateLimitOperation` is the key union of `AuthRateLimitStandardRules`. Every standard rule is fixed-window unless overridden. The key column identifies the subject supplied by the operation; operations with `ip, email` apply both rules as one policy.

| Area                   | Operation IDs                                                                 | Keys           |
| ---------------------- | ----------------------------------------------------------------------------- | -------------- |
| Password               | `auth.password.sign_in`, `auth.password.sign_up`, `auth.password.reset_start` | ip, email      |
| Password               | `auth.password.reset_verify`                                                  | ip             |
| Email verification     | `auth.email_verification.start`                                               | ip, email      |
| Email OTP              | `auth.email_otp.start` / `auth.email_otp.verify`                              | ip, email / ip |
| Email and magic link   | `auth.email.start`, `auth.magic_link.start`                                   | ip, email      |
| Magic link             | `auth.magic_link.verify`                                                      | ip             |
| Passkey registration   | `auth.passkey.registration_start`, `auth.passkey.registration_finish`         | user           |
| Passkey authentication | `auth.passkey.authentication_start`, `auth.passkey.authentication_finish`     | ip             |
| Passkey credentials    | `auth.passkey.credentials.list`, `auth.passkey.credentials.revoke`            | user           |

| Area                 | Operation IDs                                                                                                                                       | Keys |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
| TOTP enrollment      | `auth.totp.enrollment_start`, `auth.totp.enrollment_confirm`                                                                                        | user |
| TOTP use and factors | `auth.totp.verify`, `auth.totp.factors.list`, `auth.totp.factors.revoke`                                                                            | user |
| Recovery codes       | `auth.recovery_code.generate`, `auth.recovery_code.regenerate`, `auth.recovery_code.verify`, `auth.recovery_code.list`, `auth.recovery_code.revoke` | user |
| MFA discovery        | `auth.mfa.options`                                                                                                                                  | ip   |
| MFA TOTP             | `auth.mfa.totp_verify`, `auth.mfa.totp_verify_for_flow`                                                                                             | ip   |
| MFA recovery code    | `auth.mfa.recovery_code_verify`, `auth.mfa.recovery_code_verify_for_flow`                                                                           | ip   |
| MFA passkey          | `auth.mfa.passkey_start`, `auth.mfa.passkey_verify`                                                                                                 | ip   |
| Step-up discovery    | `auth.step_up.options`                                                                                                                              | user |
| Step-up verification | `auth.step_up.totp_verify`, `auth.step_up.password_verify`, `auth.step_up.recovery_code_verify`                                                     | user |
| Step-up passkey      | `auth.step_up.passkey_start`, `auth.step_up.passkey_verify`                                                                                         | user |

The rule `id` defaults to the operation ID plus `.ip`, `.email`, or `.user`. It identifies the persisted counter independently of the operation selector. Consult `AuthRateLimitStandardRules` for the authoritative limits, windows, and exact rule IDs; the summarized defaults are in [Security Policies](/concepts/security-policies/#standard-policy).

## Overrides [#overrides]

Pass an `AuthRateLimitConfig` to `AuthRateLimitStandardLive(config)`. An omitted property preserves that operation's defaults. A rule array replaces the complete default array rather than merging with it; an empty array therefore performs no checks. `null` explicitly disables the operation. `AuthRateLimitNoopLive` disables all operations and should be reserved for tests or a deliberate replacement boundary.

```ts
import { AuthRateLimitStandardLive } from "@effect-auth/core/AuthRateLimit";
import { Duration } from "effect";

const SecurityLive = AuthRateLimitStandardLive({
  "auth.password.sign_in": [
    {
      id: "app.password.sign_in.ip",
      key: "ip",
      limit: 8,
      window: Duration.minutes(15),
      algorithm: "fixed-window",
    },
  ],
  "auth.magic_link.verify": null,
});
```

Rules accept `key: "ip" | "email" | "user"`, `limit`, `window`, optional `algorithm: "fixed-window" | "token-bucket"`, and optional `tokens`. Missing email or user context fails closed with `RateLimitStoreError`; missing IP uses a stable missing-IP bucket. Do not wrap a standard HTTP Operation in a second `AuthRateLimit.require`, because that consumes the budget twice.

## Supporting boundaries [#supporting-boundaries]

| Boundary      | Responsibility                                                                                                                                                                                                                                                                      |
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `RateLimiter` | Consumes composed `RateLimitPolicy` rules. `RateLimiterLive` uses Effect persistence; `RateLimiterMemoryLive` is process-local. `RateLimitPolicy`, `RateLimitKey`, `consume`, `require`, and `withRateLimit` support application-owned policies.                                    |
| `Privacy`     | `PrivacyLive` normalizes and HMAC-hashes email, IP, and user-agent values before limiter storage. `PrivacyTestLive` is deterministic and test-only. User keys use internal `UserId`.                                                                                                |
| Origin        | `AuthOriginCheckMiddleware` checks unsafe methods against same-origin or `allowedOrigins`, preferring `Origin` then `Referer`. `allowMissingOrigin` defaults to true for non-browser clients. `AuthOriginCheckMiddlewareLive` and `AuthOriginCheckMiddlewareConfigLive` provide it. |
| CSRF          | `AuthCsrfMiddleware` is a separate double-submit cookie/header primitive, provided by `AuthCsrfMiddlewareLive`. Origin checks, CSRF, and CORS solve different problems.                                                                                                             |
| Authorization | `Guard` combinators and `StepUp` policies protect app resources using session, role, tenant, ownership, assurance, and recency requirements. See [App-owned Guards](/guides/app-owned-guards/).                                                                                     |

`LoginNotificationHttpOperations` is unrelated to the operation-ID catalog despite its name. It is the HTTP service imported from `@effect-auth/core/HttpApi`; its sole `reportLogin: LoginNotificationReportOperation` method belongs to `LoginNotificationHttpApiGroup` and reports a login notification. Its exact public exports are `LoginNotificationHttpOperationsService`, `LoginNotificationHttpOperations`, `LoginNotificationReportOperation`, and `LoginNotificationHttpOperationsLive`. Calling `reportLogin` neither selects an `AuthRateLimitOperation` nor grants access to an application resource.

## Assurance observability [#assurance-observability]

Assurance transitions have dedicated audit, webhook, and security-timeline summaries. They contain transition type, session/user correlation, previous and derived AAL/AMR, and safe timestamps/status fields. They deliberately omit raw authentication events, credential/factor IDs, accepted TOTP counters, passkey authenticator facts, custom-evidence properties, codes, and session tokens. Build webhooks with the assurance summary helpers rather than serializing a session row or evidence object.

## Public exports [#public-exports]

| Module                                                | Security exports                                                                                                                                                                                                       |
| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `@effect-auth/core/AuthRateLimit`                     | `AuthRateLimit`, `AuthRateLimitStandardRules`; types `AuthRateLimitOperation`, `AuthRateLimitRuleKey`, `AuthRateLimitRule`, `AuthRateLimitPolicy`, `AuthRateLimitInput`, `AuthRateLimitConfig`, `AuthRateLimitService` |
| `@effect-auth/core/RateLimiter`                       | `RateLimiter`, `RateLimiterLive`, `RateLimiterMemoryLive`, `RateLimitPolicy`, `RateLimitKey`, errors and policy/decision/service types                                                                                 |
| `@effect-auth/core/Privacy`                           | `Privacy`, `PrivacyLive`, `PrivacyTestLive`, `makeHmacPrivacy`, `PrivacyError`, and privacy option/service types                                                                                                       |
| `@effect-auth/core/HttpApi`                           | Origin/CSRF middleware, options and live layers; `LoginNotificationHttpOperations*` and `LoginNotificationReportOperation`                                                                                             |
| `@effect-auth/core/Guard`, `@effect-auth/core/StepUp` | Application guard combinators and assurance-policy services, constructors, decisions, and errors                                                                                                                       |

