Security Operations
Reference configurable security policy operations.
Security operations are the stable identifiers passed to AuthRateLimit.require. They select attempt-limiting policy; they are not routes, endpoint names, audit events, or authorization permissions. Standard HTTP Operations invoke the appropriate identifier once before authentication work. See Security Policies for default limits and deployment guidance, and HTTP Operations for the transport services that invoke them.
Operation catalog
AuthRateLimitOperation is the key union of AuthRateLimitStandardRules. Every standard rule is fixed-window unless overridden. The key column identifies the subject supplied by the operation; operations with ip, email apply both rules as one policy.
| Area | Operation IDs | Keys |
|---|---|---|
| Password | auth.password.sign_in, auth.password.sign_up, auth.password.reset_start | ip, email |
| Password | auth.password.reset_verify | ip |
| Email verification | auth.email_verification.start | ip, email |
| Email OTP | auth.email_otp.start / auth.email_otp.verify | ip, email / ip |
| Email and magic link | auth.email.start, auth.magic_link.start | ip, email |
| Magic link | auth.magic_link.verify | ip |
| Passkey registration | auth.passkey.registration_start, auth.passkey.registration_finish | user |
| Passkey authentication | auth.passkey.authentication_start, auth.passkey.authentication_finish | ip |
| Passkey credentials | auth.passkey.credentials.list, auth.passkey.credentials.revoke | user |
| Area | Operation IDs | Keys |
|---|---|---|
| TOTP enrollment | auth.totp.enrollment_start, auth.totp.enrollment_confirm | user |
| TOTP use and factors | auth.totp.verify, auth.totp.factors.list, auth.totp.factors.revoke | user |
| Recovery codes | auth.recovery_code.generate, auth.recovery_code.regenerate, auth.recovery_code.verify, auth.recovery_code.list, auth.recovery_code.revoke | user |
| MFA discovery | auth.mfa.options | ip |
| MFA TOTP | auth.mfa.totp_verify, auth.mfa.totp_verify_for_flow | ip |
| MFA recovery code | auth.mfa.recovery_code_verify, auth.mfa.recovery_code_verify_for_flow | ip |
| MFA passkey | auth.mfa.passkey_start, auth.mfa.passkey_verify | ip |
| Step-up discovery | auth.step_up.options | user |
| Step-up verification | auth.step_up.totp_verify, auth.step_up.password_verify, auth.step_up.recovery_code_verify | user |
| Step-up passkey | auth.step_up.passkey_start, auth.step_up.passkey_verify | user |
The rule id defaults to the operation ID plus .ip, .email, or .user. It identifies the persisted counter independently of the operation selector. Consult AuthRateLimitStandardRules for the authoritative limits, windows, and exact rule IDs; the summarized defaults are in Security Policies.
Overrides
Pass an AuthRateLimitConfig to AuthRateLimitStandardLive(config). An omitted property preserves that operation's defaults. A rule array replaces the complete default array rather than merging with it; an empty array therefore performs no checks. null explicitly disables the operation. AuthRateLimitNoopLive disables all operations and should be reserved for tests or a deliberate replacement boundary.
import { AuthRateLimitStandardLive } from "@effect-auth/core/AuthRateLimit";
import { Duration } from "effect";
const SecurityLive = AuthRateLimitStandardLive({
"auth.password.sign_in": [
{
id: "app.password.sign_in.ip",
key: "ip",
limit: 8,
window: Duration.minutes(15),
algorithm: "fixed-window",
},
],
"auth.magic_link.verify": null,
});Rules accept key: "ip" | "email" | "user", limit, window, optional algorithm: "fixed-window" | "token-bucket", and optional tokens. Missing email or user context fails closed with RateLimitStoreError; missing IP uses a stable missing-IP bucket. Do not wrap a standard HTTP Operation in a second AuthRateLimit.require, because that consumes the budget twice.
Supporting boundaries
| Boundary | Responsibility |
|---|---|
RateLimiter | Consumes composed RateLimitPolicy rules. RateLimiterLive uses Effect persistence; RateLimiterMemoryLive is process-local. RateLimitPolicy, RateLimitKey, consume, require, and withRateLimit support application-owned policies. |
Privacy | PrivacyLive normalizes and HMAC-hashes email, IP, and user-agent values before limiter storage. PrivacyTestLive is deterministic and test-only. User keys use internal UserId. |
| Origin | AuthOriginCheckMiddleware checks unsafe methods against same-origin or allowedOrigins, preferring Origin then Referer. allowMissingOrigin defaults to true for non-browser clients. AuthOriginCheckMiddlewareLive and AuthOriginCheckMiddlewareConfigLive provide it. |
| CSRF | AuthCsrfMiddleware is a separate double-submit cookie/header primitive, provided by AuthCsrfMiddlewareLive. Origin checks, CSRF, and CORS solve different problems. |
| Authorization | Guard combinators and StepUp policies protect app resources using session, role, tenant, ownership, assurance, and recency requirements. See App-owned Guards. |
LoginNotificationHttpOperations is unrelated to the operation-ID catalog despite its name. It is the HTTP service imported from @effect-auth/core/HttpApi; its sole reportLogin: LoginNotificationReportOperation method belongs to LoginNotificationHttpApiGroup and reports a login notification. Its exact public exports are LoginNotificationHttpOperationsService, LoginNotificationHttpOperations, LoginNotificationReportOperation, and LoginNotificationHttpOperationsLive. Calling reportLogin neither selects an AuthRateLimitOperation nor grants access to an application resource.
Assurance observability
Assurance transitions have dedicated audit, webhook, and security-timeline summaries. They contain transition type, session/user correlation, previous and derived AAL/AMR, and safe timestamps/status fields. They deliberately omit raw authentication events, credential/factor IDs, accepted TOTP counters, passkey authenticator facts, custom-evidence properties, codes, and session tokens. Build webhooks with the assurance summary helpers rather than serializing a session row or evidence object.
Public exports
| Module | Security exports |
|---|---|
@effect-auth/core/AuthRateLimit | AuthRateLimit, AuthRateLimitStandardRules; types AuthRateLimitOperation, AuthRateLimitRuleKey, AuthRateLimitRule, AuthRateLimitPolicy, AuthRateLimitInput, AuthRateLimitConfig, AuthRateLimitService |
@effect-auth/core/RateLimiter | RateLimiter, RateLimiterLive, RateLimiterMemoryLive, RateLimitPolicy, RateLimitKey, errors and policy/decision/service types |
@effect-auth/core/Privacy | Privacy, PrivacyLive, PrivacyTestLive, makeHmacPrivacy, PrivacyError, and privacy option/service types |
@effect-auth/core/HttpApi | Origin/CSRF middleware, options and live layers; LoginNotificationHttpOperations* and LoginNotificationReportOperation |
@effect-auth/core/Guard, @effect-auth/core/StepUp | Application guard combinators and assurance-policy services, constructors, decisions, and errors |