effect-auth

Security Operations

Reference configurable security policy operations.

Security operations are the stable identifiers passed to AuthRateLimit.require. They select attempt-limiting policy; they are not routes, endpoint names, audit events, or authorization permissions. Standard HTTP Operations invoke the appropriate identifier once before authentication work. See Security Policies for default limits and deployment guidance, and HTTP Operations for the transport services that invoke them.

Operation catalog

AuthRateLimitOperation is the key union of AuthRateLimitStandardRules. Every standard rule is fixed-window unless overridden. The key column identifies the subject supplied by the operation; operations with ip, email apply both rules as one policy.

AreaOperation IDsKeys
Passwordauth.password.sign_in, auth.password.sign_up, auth.password.reset_startip, email
Passwordauth.password.reset_verifyip
Email verificationauth.email_verification.startip, email
Email OTPauth.email_otp.start / auth.email_otp.verifyip, email / ip
Email and magic linkauth.email.start, auth.magic_link.startip, email
Magic linkauth.magic_link.verifyip
Passkey registrationauth.passkey.registration_start, auth.passkey.registration_finishuser
Passkey authenticationauth.passkey.authentication_start, auth.passkey.authentication_finiship
Passkey credentialsauth.passkey.credentials.list, auth.passkey.credentials.revokeuser
AreaOperation IDsKeys
TOTP enrollmentauth.totp.enrollment_start, auth.totp.enrollment_confirmuser
TOTP use and factorsauth.totp.verify, auth.totp.factors.list, auth.totp.factors.revokeuser
Recovery codesauth.recovery_code.generate, auth.recovery_code.regenerate, auth.recovery_code.verify, auth.recovery_code.list, auth.recovery_code.revokeuser
MFA discoveryauth.mfa.optionsip
MFA TOTPauth.mfa.totp_verify, auth.mfa.totp_verify_for_flowip
MFA recovery codeauth.mfa.recovery_code_verify, auth.mfa.recovery_code_verify_for_flowip
MFA passkeyauth.mfa.passkey_start, auth.mfa.passkey_verifyip
Step-up discoveryauth.step_up.optionsuser
Step-up verificationauth.step_up.totp_verify, auth.step_up.password_verify, auth.step_up.recovery_code_verifyuser
Step-up passkeyauth.step_up.passkey_start, auth.step_up.passkey_verifyuser

The rule id defaults to the operation ID plus .ip, .email, or .user. It identifies the persisted counter independently of the operation selector. Consult AuthRateLimitStandardRules for the authoritative limits, windows, and exact rule IDs; the summarized defaults are in Security Policies.

Overrides

Pass an AuthRateLimitConfig to AuthRateLimitStandardLive(config). An omitted property preserves that operation's defaults. A rule array replaces the complete default array rather than merging with it; an empty array therefore performs no checks. null explicitly disables the operation. AuthRateLimitNoopLive disables all operations and should be reserved for tests or a deliberate replacement boundary.

import { AuthRateLimitStandardLive } from "@effect-auth/core/AuthRateLimit";
import { Duration } from "effect";

const SecurityLive = AuthRateLimitStandardLive({
  "auth.password.sign_in": [
    {
      id: "app.password.sign_in.ip",
      key: "ip",
      limit: 8,
      window: Duration.minutes(15),
      algorithm: "fixed-window",
    },
  ],
  "auth.magic_link.verify": null,
});

Rules accept key: "ip" | "email" | "user", limit, window, optional algorithm: "fixed-window" | "token-bucket", and optional tokens. Missing email or user context fails closed with RateLimitStoreError; missing IP uses a stable missing-IP bucket. Do not wrap a standard HTTP Operation in a second AuthRateLimit.require, because that consumes the budget twice.

Supporting boundaries

BoundaryResponsibility
RateLimiterConsumes composed RateLimitPolicy rules. RateLimiterLive uses Effect persistence; RateLimiterMemoryLive is process-local. RateLimitPolicy, RateLimitKey, consume, require, and withRateLimit support application-owned policies.
PrivacyPrivacyLive normalizes and HMAC-hashes email, IP, and user-agent values before limiter storage. PrivacyTestLive is deterministic and test-only. User keys use internal UserId.
OriginAuthOriginCheckMiddleware checks unsafe methods against same-origin or allowedOrigins, preferring Origin then Referer. allowMissingOrigin defaults to true for non-browser clients. AuthOriginCheckMiddlewareLive and AuthOriginCheckMiddlewareConfigLive provide it.
CSRFAuthCsrfMiddleware is a separate double-submit cookie/header primitive, provided by AuthCsrfMiddlewareLive. Origin checks, CSRF, and CORS solve different problems.
AuthorizationGuard combinators and StepUp policies protect app resources using session, role, tenant, ownership, assurance, and recency requirements. See App-owned Guards.

LoginNotificationHttpOperations is unrelated to the operation-ID catalog despite its name. It is the HTTP service imported from @effect-auth/core/HttpApi; its sole reportLogin: LoginNotificationReportOperation method belongs to LoginNotificationHttpApiGroup and reports a login notification. Its exact public exports are LoginNotificationHttpOperationsService, LoginNotificationHttpOperations, LoginNotificationReportOperation, and LoginNotificationHttpOperationsLive. Calling reportLogin neither selects an AuthRateLimitOperation nor grants access to an application resource.

Assurance observability

Assurance transitions have dedicated audit, webhook, and security-timeline summaries. They contain transition type, session/user correlation, previous and derived AAL/AMR, and safe timestamps/status fields. They deliberately omit raw authentication events, credential/factor IDs, accepted TOTP counters, passkey authenticator facts, custom-evidence properties, codes, and session tokens. Build webhooks with the assurance summary helpers rather than serializing a session row or evidence object.

Public exports

ModuleSecurity exports
@effect-auth/core/AuthRateLimitAuthRateLimit, AuthRateLimitStandardRules; types AuthRateLimitOperation, AuthRateLimitRuleKey, AuthRateLimitRule, AuthRateLimitPolicy, AuthRateLimitInput, AuthRateLimitConfig, AuthRateLimitService
@effect-auth/core/RateLimiterRateLimiter, RateLimiterLive, RateLimiterMemoryLive, RateLimitPolicy, RateLimitKey, errors and policy/decision/service types
@effect-auth/core/PrivacyPrivacy, PrivacyLive, PrivacyTestLive, makeHmacPrivacy, PrivacyError, and privacy option/service types
@effect-auth/core/HttpApiOrigin/CSRF middleware, options and live layers; LoginNotificationHttpOperations* and LoginNotificationReportOperation
@effect-auth/core/Guard, @effect-auth/core/StepUpApplication guard combinators and assurance-policy services, constructors, decisions, and errors

On this page