████████╗██╗ ██╗███████╗ █████╗ ██╗ ██╗████████╗██╗ ██╗ ╚══██╔══╝██║ ██║██╔════╝██╔══██╗██║ ██║╚══██╔══╝██║ ██║ ██║ ███████║█████╗ ███████║██║ ██║ ██║ ███████║ ██║ ██╔══██║██╔══╝ ██╔══██║██║ ██║ ██║ ██╔══██║ ██║ ██║ ██║███████╗██║ ██║╚██████╔╝ ██║ ██║ ██║ ╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
by GLINR STUDIOS · a GLINCKER LLC project
Quickstart · Docs · Examples · Discussions · TheAuth Cloud
npm install @glinr/theauth
# or
pnpm add @glinr/theauth
# or
yarn add @glinr/theauthimport { createKavach } from "@glinr/theauth";
import { emailPassword, passkey } from "@glinr/theauth/auth";
import { createHonoAdapter } from "@glinr/theauth-hono";
const kavach = createKavach({
database: { provider: "postgres", url: process.env.DATABASE_URL },
plugins: [emailPassword(), passkey()],
});
const app = new Hono();
app.route("/api/auth", createHonoAdapter(kavach));
// Create an AI agent with scoped MCP permissions
const agent = await kavach.agent.create({
ownerId: "user-123",
name: "github-reader",
type: "autonomous",
permissions: [{ resource: "mcp:github:*", actions: ["read"] }],
});
const result = await kavach.authorize(agent.id, {
action: "read",
resource: "mcp:github:repos",
});
// { allowed: true, auditId: "aud_..." }Most auth libraries stop at human sign-in. That leaves you stitching together separate systems when your AI agents need identity, scoped permissions, delegation, and audit trails. theauth handles both in one place.
| Capability | Auth0 | Clerk | Better-Auth | NextAuth | Lucia | theauth |
|---|---|---|---|---|---|---|
| License | Proprietary | Proprietary | MIT | ISC | MIT | MIT |
| Self-hosted | Partial | No | Yes | Yes | Yes | Yes |
| OAuth 2.1 server | Yes | Yes | Partial | No | No | Yes |
| MCP OAuth 2.1 | No | No | No | No | No | Yes |
| Passkeys / WebAuthn | Yes | Yes | Plugin | Plugin | No | Yes |
| Multi-tenant / orgs | Yes | Yes | Plugin | No | No | Yes |
| Audit log | Yes (paid) | Yes (paid) | No | No | No | Yes |
| AI agent identity | No | No | No | No | No | Yes |
| Edge runtimes | Partial | No | Yes | Partial | Yes | Yes |
Full feature checklist (click to expand)
- Email and password with HIBP breach checking
- Magic link
- Email OTP
- Phone SMS OTP
- Passkeys / WebAuthn
- TOTP 2FA (authenticator apps)
- SAML 2.0 and OIDC SSO
- Anonymous sessions
- Google One Tap
- Sign In With Ethereum
- Device Authorization (TV / CLI flows)
- Username and password
- Captcha integration
- Session freshness enforcement
- Authorization Code + PKCE
- Client Credentials
- Device Authorization Grant
- Refresh Token rotation
- Token introspection
- Dynamic Client Registration (RFC 7591)
- Server metadata (RFC 8414)
- Resource indicators (RFC 8707)
- Authorization Server Issuer Identification (RFC 9728)
- Full OAuth 2.1 authorization server for the Model Context Protocol
- PKCE S256 mandatory
- RFC 9728 / 8707 / 8414 / 7591 compliant
- Agent token issuance and validation
- Cryptographic bearer tokens (
kv_...) - Wildcard permission matching
- Delegation chains with configurable depth limits
- Budget policies per agent
- Anomaly detection
- CIBA-style approval flows for sensitive tool calls
- Full audit trail per agent action
- Next.js 15 (App Router, Route Handlers, Middleware)
- SvelteKit
- Nuxt / Vue
- Hono (Cloudflare Workers, Bun, Deno)
- Express
- Fastify
- Astro
- NestJS
- SolidStart
- TanStack Start
- React Native / Expo
- Electron
Built-in: SQLite, PostgreSQL, MySQL, Cloudflare D1
Plugin: Prisma (share an existing PrismaClient)
- Organizations with RBAC
- SCIM directory sync
- Admin controls (ban, impersonate)
- API key management
- Multi-tenant isolation
- GDPR: export, delete, anonymize
- Compliance reports: EU AI Act, NIST, SOC 2, ISO 42001
- Cloudflare Workers (D1, KV)
- Vercel Edge Functions
- Deno Deploy
- Bun
- Three runtime dependencies:
drizzle-orm,jose,zod
Next.js (App Router)
npm install @glinr/theauth @glinr/theauth-nextjs// app/api/auth/[...theauth]/route.ts
import { createKavach } from "@glinr/theauth";
import { emailPassword } from "@glinr/theauth/auth";
import { createNextAuthHandler } from "@glinr/theauth-nextjs";
const kavach = createKavach({
database: { provider: "postgres", url: process.env.DATABASE_URL },
plugins: [emailPassword()],
});
const handler = createNextAuthHandler(kavach);
export { handler as GET, handler as POST };// app/dashboard/page.tsx (Server Component)
import { getServerSession } from "@glinr/theauth-nextjs";
export default async function Dashboard() {
const session = await getServerSession();
if (!session) redirect("/sign-in");
return <h1>Hello, {session.user.email}</h1>;
}See examples/nextjs-app for a full working example.
SvelteKit
npm install @glinr/theauth @glinr/theauth-sveltekit// src/hooks.server.ts
import { createKavach } from "@glinr/theauth";
import { emailPassword } from "@glinr/theauth/auth";
import { createSvelteKitHandler } from "@glinr/theauth-sveltekit";
const kavach = createKavach({
database: { provider: "sqlite", url: "kavach.db" },
plugins: [emailPassword()],
});
export const handle = createSvelteKitHandler(kavach);// src/routes/+layout.server.ts
import { getSession } from "@glinr/theauth-sveltekit";
export async function load(event) {
const session = await getSession(event);
return { session };
}Vue / Nuxt
npm install @glinr/theauth @glinr/theauth-nuxt// server/plugins/theauth.ts
import { createKavach } from "@glinr/theauth";
import { emailPassword } from "@glinr/theauth/auth";
export const kavach = createKavach({
database: { provider: "postgres", url: process.env.DATABASE_URL },
plugins: [emailPassword()],
});// nuxt.config.ts
export default defineNuxtConfig({
modules: ["@glinr/theauth-nuxt"],
});Hono (Cloudflare Workers / Express / Bun)
npm install @glinr/theauth @glinr/theauth-honoimport { Hono } from "hono";
import { createKavach } from "@glinr/theauth";
import { emailPassword } from "@glinr/theauth/auth";
import { createHonoAdapter } from "@glinr/theauth-hono";
type Env = { DATABASE_URL: string };
const app = new Hono<{ Bindings: Env }>();
app.use("/api/auth/*", async (c, next) => {
const kavach = createKavach({
database: { provider: "postgres", url: c.env.DATABASE_URL },
plugins: [emailPassword()],
});
return createHonoAdapter(kavach)(c, next);
});
export default app;Primary docs: docs.theauth.dev
| Section | Link | What you will find |
|---|---|---|
| Getting Started | docs.theauth.dev/docs/quickstart | Installation, first auth flow |
| Authentication | docs.theauth.dev/docs/auth | All auth methods and plugins |
| Agent Identity | docs.theauth.dev/docs/agents | Agent tokens, delegation, policies |
| Permissions | docs.theauth.dev/docs/permissions | RBAC, wildcard matching, ReBAC |
| MCP OAuth 2.1 | docs.theauth.dev/docs/mcp | MCP auth server setup |
| Framework Adapters | docs.theauth.dev/docs/adapters | Next.js, Hono, SvelteKit, etc. |
| API Reference | docs.theauth.dev/docs/api | Config, types, errors |
| Security | SECURITY.md | Threat model, disclosure policy |
| Package | Framework | Directory |
|---|---|---|
@glinr/theauth-nextjs |
Next.js 15 (App Router) | packages/adapters/nextjs |
@glinr/theauth-nextjs-auth |
Next.js (external auth backend) | packages/adapters/nextjs-auth |
@glinr/theauth-hono |
Hono (Workers, Bun, Deno) | packages/adapters/hono |
@glinr/theauth-express |
Express | packages/adapters/express |
@glinr/theauth-fastify |
Fastify | packages/adapters/fastify |
@glinr/theauth-sveltekit |
SvelteKit | packages/adapters/sveltekit |
@glinr/theauth-nuxt |
Nuxt / Vue 3 | packages/adapters/nuxt |
@glinr/theauth-astro |
Astro | packages/adapters/astro |
@glinr/theauth-nestjs |
NestJS | packages/adapters/nestjs |
@glinr/theauth-solidstart |
SolidStart | packages/adapters/solidstart |
@glinr/theauth-tanstack |
TanStack Start | packages/adapters/tanstack |
@glinr/theauth-expo |
React Native / Expo | packages/adapters/expo |
@glinr/theauth-electron |
Electron | packages/adapters/electron |
SQLite, PostgreSQL, MySQL, and Cloudflare D1 are built into the core package. Use the Prisma adapter to share an existing PrismaClient.
| Package | What it connects | Directory |
|---|---|---|
| Built-in SQLite | better-sqlite3, bun:sqlite, D1 |
core |
| Built-in PostgreSQL | pg, postgres, Neon, Supabase |
core |
| Built-in MySQL | mysql2 |
core |
@glinr/theauth-prisma |
Prisma (share your PrismaClient) | packages/prisma |
| Example | What it shows | Directory |
|---|---|---|
nextjs-app |
Full Next.js 15 App Router integration | examples/nextjs-app |
nextjs-demo |
UI components + sign-in flows | examples/nextjs-demo |
hono-server |
Standalone Hono API with auth | examples/hono-server |
cloudflare-workers |
Workers + D1 database | examples/cloudflare-workers |
mcp-server |
MCP OAuth 2.1 authorization server | examples/mcp-server |
basic-agent |
AI agent token issuance and policy | examples/basic-agent |
migrate-from-auth0 |
Step-by-step Auth0 migration | examples/migrate-from-auth0 |
migrate-from-better-auth-agent-plugin |
Migration from better-auth agent plugin | examples/migrate-from-better-auth-agent-plugin |
Hosted version with dashboard, billing, and zero infrastructure. app.theauth.dev
| Plan | MAU | Price |
|---|---|---|
| Free | 1,000 | $0 |
| Starter | 10,000 | $29/mo |
| Growth | 50,000 | $79/mo |
| Scale | 200,000 | $199/mo |
| Enterprise | Custom | Custom |
Responsible disclosure: see SECURITY.md. Do not open a public issue for vulnerabilities.
Follow development on GitHub Discussions and the changelog.
See CONTRIBUTING.md. First-time contributor? Look for issues labeled good first issue.
By contributing, you agree to the Code of Conduct.
MIT (c) GLINCKER LLC
Built by the founder of theSVG.org.
A Product of GLINR STUDIOS | A GLINCKER COMPANY