API reference

auth(options) creates a Layeron Auth module for sessions, route user context, and managed or custom user storage.

Import

import { auth } from "@layeron/modules"

auth

Create a Layeron Auth module.

auth(options?: AuthModuleOptions): AuthModule

AuthSessionCookieOptions

Cookie settings for Auth sessions.

Field	Type	Description
name	string | undefined	Cookie name used when session mode is cookie or both.

AuthSessionOptions

Session settings for Auth.

Field	Type	Description
mode	AuthSessionMode | undefined	Token transport mode. Defaults to both.
accessTokenTtl	string | undefined	Access token lifetime. Use an integer followed by s, m, h, or d. Defaults to 15m.
refreshTokenTtl	string | undefined	Refresh token lifetime. Use an integer followed by s, m, h, or d. Defaults to 30d.
refreshTokenRotation	boolean | undefined	When true, refreshSession rotates the refresh token on every successful refresh. Defaults to true.
reuseDetection	boolean | undefined	When true, Auth detects reuse of revoked, replaced, expired, or reused refresh tokens. Defaults to true.
revokeFamilyOnReuse	boolean | undefined	When true, Auth revokes the refresh token family after reuse is detected. Defaults to true.
cookie	AuthSessionCookieOptions | undefined	Cookie settings.

AuthPasswordOptions

Password strength settings for email sign-up.

Field	Type	Description
enabled	boolean | undefined	Enable email and password sign-up, sign-in, password update, and password reset flows. Defaults to true.
minLength	int32 | undefined	Minimum password length. The value must be at least 8. Defaults to 8.
requireLowercase	boolean | undefined	Require at least one lowercase letter.
requireUppercase	boolean | undefined	Require at least one uppercase letter.
requireNumber	boolean | undefined	Require at least one number.
requireSymbol	boolean | undefined	Require at least one symbol.
hash	AuthPasswordHashOptions | undefined	Password hash algorithm and cost settings. Defaults to Argon2id with the balanced security level.

AuthPasswordHashOptions

Password hash settings.

Field	Type	Description
algorithm	AuthPasswordHashAlgorithm | undefined	Hash algorithm. Defaults to argon2id.
level	AuthPasswordHashLevel | undefined	Security preset. Defaults to balanced.
argon2id	AuthArgon2idPasswordHashOptions | undefined	Argon2id cost settings.
pbkdf2Sha256	AuthPbkdf2Sha256PasswordHashOptions | undefined	PBKDF2-SHA256 cost settings.

AuthArgon2idPasswordHashOptions

Argon2id password hash settings.

Field	Type	Description
memoryKiB	int32 | undefined	Memory cost in KiB. Defaults to 32768 at the balanced level.
iterations	int32 | undefined	Time cost measured in Argon2 iterations. Defaults to 2 at the balanced level.
parallelism	int32 | undefined	Argon2 parallelism parameter. Defaults to 1 for Workers.
saltBytes	int32 | undefined	Random salt length in bytes. Defaults to 16.
hashBytes	int32 | undefined	Derived hash length in bytes. Defaults to 32.
maxMemoryKiB	int32 | undefined	Maximum temporary memory budget in KiB. Defaults to at least twice memoryKiB.
asyncTickMs	int32 | undefined	Maximum scheduler block time in milliseconds for async hashing. Defaults to 10.

AuthPbkdf2Sha256PasswordHashOptions

PBKDF2-SHA256 password hash settings.

Field	Type	Description
iterations	int32 | undefined	PBKDF2 iteration count. Defaults to 600000.
saltBytes	int32 | undefined	Random salt length in bytes. Defaults to 16.
hashBytes	int32 | undefined	Derived hash length in bytes. Defaults to 32.

AuthEmailOtpOptions

OTP verification settings for email sign-up.

Field	Type	Description
enabled	boolean | undefined	Enable this email OTP flow. Defaults to true.
required	boolean | undefined	When true, sign-up sends an OTP and creates a session only after verification.
length	int32 | undefined	Number of OTP digits. Defaults to 6.
tokenLength	int32 | undefined	Number of OTP digits. This aliases length for TypeScript users.
ttl	string | undefined	OTP lifetime. Use an integer followed by s, m, h, or d. Defaults to 10m.
minSendInterval	string | undefined	Minimum time before Auth sends another email for the same active OTP flow. Use an integer followed by s, m, h, or d. Defaults to 1m.
maxAttempts	int32 | undefined	Maximum failed verification attempts before the OTP is exhausted. Defaults to 5.
template	unknown | undefined	Email template name or Email template object used for this OTP message.

AuthRememberOptions

Remember-device settings for password sign-in with email OTP.

Field	Type	Description
enabled	boolean | undefined	When true, verified sign-in OTP requests can return a remember token.
ttl	string | undefined	Remember token lifetime. Use an integer followed by s, m, h, or d. Defaults to 30d.

AuthSignInEmailOtpOptions

Email OTP settings for password sign-in.

Field	Type	Description
remember	AuthRememberOptions | undefined	Remember-device settings for password sign-in OTP.

AuthSignInWithPasswordOptions

Password sign-in settings.

Field	Type	Description
emailOtp	AuthSignInEmailOtpOptions | undefined	Email OTP settings for password sign-in. Set required to true to require OTP after the password check.

AuthPasswordUpdateEmailOtpOptions

Email OTP settings for password updates.

Field	Type	Description

AuthUpdatePasswordOptions

Password update settings.

Field	Type	Description
requireCurrentPassword	boolean | undefined	When true, updatePassword requires the current password before changing the password. Defaults to true.
emailOtp	AuthPasswordUpdateEmailOtpOptions | undefined	Email OTP settings for password updates. Set required to true to require OTP before changing the password.

AuthPasswordResetTokenOptions

Password reset token settings.

Field	Type	Description
ttl	string | undefined	Password reset token lifetime. Use an integer followed by s, m, h, or d. Defaults to 10m.
maxAttempts	int32 | undefined	Maximum failed verification attempts before the reset token is exhausted. Defaults to 5.

AuthResetPasswordForEmailOptions

Password reset email settings.

Field	Type	Description
template	unknown | undefined	Email template name or Email template object used for password reset messages.
minSendInterval	string | undefined	Minimum time before Auth sends another password reset email for the same active reset flow. Use an integer followed by s, m, h, or d. Defaults to 1m.
token	AuthPasswordResetTokenOptions | undefined	Reset token settings.

AuthPasskeyRelyingPartyOptions

Passkey relying party settings.

Field	Type	Description
id	string | undefined	Relying party id. Defaults to the request host.
name	string | undefined	Relying party display name. Defaults to Layeron App.
origins	string[] | undefined	Allowed WebAuthn origins. Defaults to the current request origin.

AuthPasskeyLoginOptions

Passkey login settings.

Field	Type	Description
enabled	boolean | undefined	Enable passkey sign-in. Defaults to true when passkeys are enabled.
allowUsernameless	boolean | undefined	Allow usernameless passkey sign-in with discoverable credentials. Defaults to true.

AuthPasskeyMfaOptions

Passkey MFA settings.

Field	Type	Description
requireUserVerification	boolean | undefined	Require user verification for passkey MFA and step-up ceremonies. Defaults to true.

AuthPasskeyOptions

Passkey registration, login, and MFA settings.

Field	Type	Description
enabled	boolean | undefined	Enable Passkey/WebAuthn registration and authentication. Defaults to false.
relyingParty	AuthPasskeyRelyingPartyOptions | undefined	Relying party settings.
userVerification	PasskeyUserVerification | undefined	User verification policy for registration and login. Defaults to preferred.
residentKey	PasskeyResidentKey | undefined	Resident key policy. Defaults to preferred.
authenticatorAttachment	PasskeyAuthenticatorAttachment | undefined	Authenticator attachment policy. Defaults to any.
attestation	PasskeyAttestation | undefined	Attestation conveyance preference. Defaults to none.
timeoutMs	int32 | undefined	Ceremony timeout in milliseconds. Defaults to 60000.
login	AuthPasskeyLoginOptions | undefined	Passkey login settings.
mfa	AuthPasskeyMfaOptions | undefined	Passkey MFA settings.

AuthBuiltInOAuthProviderOptions

Built-in OAuth provider configuration.

Field	Type	Description
provider	”github” | “google”	Built-in provider kind.
clientId	string | undefined	OAuth client id issued by the provider.
clientSecret	string | undefined	OAuth client secret issued by the provider.
scopes	string[] | undefined	OAuth scopes requested during authorization.
stateTtl	string | undefined	State lifetime for authorization requests. Use an integer followed by s, m, h, or d. Defaults to 10m.
redirectToAllowlist	string[] | undefined	Absolute post-login redirect origins or relative paths accepted for redirectTo.

AuthOidcProviderOptions

OpenID Connect provider configuration.

Field	Type	Description
provider	”oidc”	Provider kind.
id	string	Stable provider id used in auth.oauth.createAuthorizationUrl and auth.oauth.verifyCallback.
issuer	string	OIDC issuer URL. The discovery document issuer must match this value.
clientId	string	OIDC client id issued by the provider.
clientSecret	string | undefined	OIDC client secret issued by the provider when the token endpoint uses a confidential client.
scopes	string[] | undefined	OIDC scopes requested during authorization. Defaults to openid, email, and profile.
tokenEndpointAuthMethod	AuthOAuthTokenEndpointAuthMethod | undefined	Token endpoint authentication method. Defaults to client_secret_basic when clientSecret is set, and none otherwise.
stateTtl	string | undefined	State and PKCE verifier lifetime. Use an integer followed by s, m, h, or d. Defaults to 10m.
redirectToAllowlist	string[] | undefined	Absolute post-login redirect origins or relative paths accepted for redirectTo.
userIdClaim	string | undefined	Claim used as the application user id for custom, mapped, and external user storage. Defaults to sub.
emailClaim	string | undefined	Claim used as the email address. Defaults to email.
emailVerifiedClaim	string | undefined	Claim used as the email verification flag. Defaults to email_verified.
displayNameClaim	string | undefined	Claim used as the display name. Defaults to name.
avatarUrlClaim	string | undefined	Claim used as the avatar URL. Defaults to picture.
usernameClaim	string | undefined	Claim used as the username. Defaults to preferred_username.

AuthEmailOptions

Email settings for Auth sign-up.

Field	Type	Description
product	unknown	Email product used to send sign-up messages.
template	unknown | undefined	Email template name or Email template object used for sign-up messages.
otp	AuthEmailOtpOptions | undefined	OTP verification settings.

AuthManagedUsersOptions

Managed user id settings.

Field	Type	Description
idPrefix	string | undefined	Prefix used when Auth generates a managed user id. Defaults to user.

AuthManagedDatabaseOptions

Fully managed Auth database mode.

Field	Type	Description
mode	”managed” | undefined	Fully managed user and session storage.

AuthManagedCoreDatabaseOptions

Managed core Auth database mode.

Field	Type	Description
mode	”managed_core”	Core user fields and session storage.

AuthCustomDatabaseOptions

Custom user store functions.

Field	Type	Description
mode	”custom”	Custom user lookup with Auth-managed sessions.
getUser	unknown	Function that resolves a user by id.
createUser	unknown | undefined	Function that creates an application-owned user for email sign-up.
isUserEnabled	unknown | undefined	Function that decides whether a resolved user can use a session.
updateLastSignIn	unknown | undefined	Function called after Auth creates a session.
updateEmailVerifiedAt	unknown | undefined	Function called after Auth verifies an email OTP.

AuthMappedUsersOptions

Mapped user table fields in a user-owned Database product.

Field	Type	Description
table	string	Table that stores application user profiles.
idColumn	string	Column that stores the stable user id.
emailColumn	string | undefined	Column that stores the user’s email address.
phoneColumn	string | undefined	Column that stores the user’s phone number.
usernameColumn	string | undefined	Column that stores the username.
displayNameColumn	string | undefined	Column that stores the display name.
avatarUrlColumn	string | undefined	Column that stores the avatar URL.
metadataColumn	string | undefined	Column that stores JSON metadata for subject attributes.
createdAtColumn	string | undefined	Column that stores the created timestamp.
updatedAtColumn	string | undefined	Column that stores the updated timestamp.

AuthMappedDatabaseOptions

Mapped Auth database mode.

Field	Type	Description
mode	”mapped”	Application user profiles live in this Database product.
product	unknown	Database product instance that owns the mapped user table.
users	AuthMappedUsersOptions	Mapped user table and column names.

AuthExternalDatabaseOptions

External Auth database mode.

Field	Type	Description
mode	”external”	Application user profiles are resolved outside Auth.
resolveUser	unknown	Function that resolves a user profile by id.

AuthModuleOptions

Options accepted by auth(options).

Field	Type	Description
name	string | undefined	Stable Auth instance name. Defaults to default.
namespace	string | undefined	Platform namespace for the instance. Defaults to default.
database	AuthManagedDatabaseOptions | AuthManagedCoreDatabaseOptions | AuthCustomDatabaseOptions | AuthMappedDatabaseOptions | AuthExternalDatabaseOptions | undefined	Database storage mode.
email	AuthEmailOptions | undefined	Email product and template settings for email sign-up.
password	AuthPasswordOptions | undefined	Password strength settings for email sign-up.
signInWithPassword	AuthSignInWithPasswordOptions | undefined	Password sign-in settings.
updatePassword	AuthUpdatePasswordOptions | undefined	Password update settings.
resetPasswordForEmail	AuthResetPasswordForEmailOptions | undefined	Password reset email settings.
passkey	AuthPasskeyOptions | undefined	Passkey/WebAuthn registration, login, and MFA settings.
providers	AuthBuiltInOAuthProviderOptions | AuthOidcProviderOptions[] | undefined	OAuth and OIDC providers available to this Auth instance.
users	AuthManagedUsersOptions | undefined	Managed user id settings.
session	AuthSessionOptions | undefined	Session settings.
observability	Layeron.Observability.ObservabilityConfig | undefined	Observability settings for the Auth Product Worker.

AuthCoreUserFields

Core user fields available in every Auth user result.

Field	Type	Description
id	string	Stable Auth user id.
email	string | undefined	Primary email address for the user.
emailVerifiedAt	string | undefined	ISO timestamp recorded when the primary email address was verified.
phone	string | undefined	Primary phone number for the user.
phoneVerifiedAt	string | undefined	ISO timestamp recorded when the primary phone number was verified.
primaryIdentityId	string | undefined	Primary identity id associated with the user.
username	string | undefined	Application username associated with the user.
displayName	string | undefined	Display name shown for the user.
avatarUrl	string | undefined	Avatar image URL for the user.
status	AuthUserStatus | undefined	Current user status.
createdAt	string | undefined	ISO timestamp recorded when the user was created.
updatedAt	string | undefined	ISO timestamp recorded when the user was last updated.
lastSignInAt	string | undefined	ISO timestamp recorded when the user last completed sign-in.
disabledAt	string | undefined	ISO timestamp recorded when the user was disabled.

AuthUser

Auth user returned by managed or custom user storage.

Field	Type	Description
defaultTenantId	string | undefined	Default tenant id attached to the user.
isAnonymous	boolean | undefined	Whether the user was created as an anonymous user.
roles	string[] | undefined	Role names attached to the user.
scopes	string[] | undefined	Permission scopes attached to the user.
attributes	Record<unknown> | undefined	Subject attributes exposed to Policy and route context.
appMetadata	Record<unknown> | undefined	Application-controlled metadata for server-side decisions.
userMetadata	Record<unknown> | undefined	User-editable metadata stored with the user profile.

AuthCreateSessionUserInput

User fields accepted when creating a managed session.

Field	Type	Description
id	string | undefined	Stable user id used for the new session.
email	string | undefined	Primary email address for the session user.
emailVerifiedAt	string | undefined	ISO timestamp proving the email address was verified.
phone	string | undefined	Primary phone number for the session user.
phoneVerifiedAt	string | undefined	ISO timestamp proving the phone number was verified.
primaryIdentityId	string | undefined	Primary identity id associated with the session user.
username	string | undefined	Application username associated with the session user.
displayName	string | undefined	Display name shown for the session user.
avatarUrl	string | undefined	Avatar image URL for the session user.
status	AuthUserStatus | undefined	User status to store or verify for the session user.
defaultTenantId	string | undefined	Default tenant id attached to the session user.
isAnonymous	boolean | undefined	Whether the session user is anonymous.
roles	string[] | undefined	Role names attached to the session user.
scopes	string[] | undefined	Permission scopes attached to the session user.
attributes	Record<unknown> | undefined	Subject attributes exposed to Policy and route context.
appMetadata	Record<unknown> | undefined	Application-controlled metadata for server-side decisions.
userMetadata	Record<unknown> | undefined	User-editable metadata stored with the user profile.

AuthSignUpUserInput

User fields accepted by auth.signUp().

Field	Type	Description
username	string | undefined	Application username to store on the new user.
displayName	string | undefined	Display name to store on the new user.
avatarUrl	string | undefined	Avatar image URL to store on the new user.
defaultTenantId	string | undefined	Default tenant id to attach to the new user.
roles	string[] | undefined	Role names to attach to the new user.
scopes	string[] | undefined	Permission scopes to attach to the new user.
attributes	Record<unknown> | undefined	Subject attributes exposed to Policy and route context.
appMetadata	Record<unknown> | undefined	Application-controlled metadata for server-side decisions.
userMetadata	Record<unknown> | undefined	User-editable metadata stored with the user profile.

AuthSignUpInput

Input accepted by auth.signUp().

Field	Type	Description
email	string	Email address used to create the password identity.
password	string	Plain-text password to validate and hash for the new identity.
user	AuthSignUpUserInput | undefined	Optional user profile fields for managed and custom user storage.

AuthEmailVerificationResult

Email verification state returned by auth.signUp().

Field	Type	Description
required	boolean	Whether the caller must complete email OTP verification before a session is issued.
id	string | undefined	Verification challenge id used when verifying the OTP.
email	string	Email address being verified.
expiresAt	string | undefined	ISO timestamp when the verification challenge expires.
emailMessageId	string | undefined	Email Product message id returned for the verification email.

AuthSignUpResult

Result returned by auth.signUp().

Field	Type	Description
user	AuthUser	User created or resolved by sign-up.
verification	AuthEmailVerificationResult	Email verification state for the sign-up flow.
accessToken	string | undefined	Access token issued when verification is complete.
session	AuthSession | undefined	Session issued when verification is complete.
setCookie	string | undefined	Set-Cookie header value when the session mode writes cookies.

AuthSession

Auth session record.

Field	Type	Description
id	string	Stable session id.
userId	string	User id that owns the session.
createdAt	string	ISO timestamp recorded when the session was created.
expiresAt	string	ISO timestamp when the access session expires.
lastUsedAt	string | undefined	ISO timestamp recorded when the session was last used.
revokedAt	string | undefined	ISO timestamp recorded when the session was revoked.
device	AuthSessionDevice | undefined	Device metadata stored with the session.

AuthSessionDevice

Session device metadata.

Field	Type	Description
id	string | undefined	Stable device id supplied by the application.
name	string | undefined	Human-readable device name supplied by the application.
ipHash	string | undefined	Hash of the client IP address.
userAgentHash	string | undefined	Hash of the client user agent.

AuthVerifyEmailOtpInput

Input accepted by auth.verifyEmailOtp().

Field	Type	Description
email	string	Email address being verified.
otp	string	One-time password sent to the email address.
verificationId	string | undefined	Verification challenge id returned by sign-up.

AuthCreateSessionResult

Result returned by auth.createSession().

Field	Type	Description
accessToken	string	Bearer access token for the session.
refreshToken	string | undefined	Refresh token for the session when refresh tokens are enabled.
session	AuthSession	Session record created by Auth.
user	AuthUser	User that owns the session.
setCookie	string | undefined	Set-Cookie header value when the session mode writes cookies.

AuthVerifyEmailOtpResult

Result returned by auth.verifyEmailOtp().

Field	Type	Description
emailVerifiedAt	string	ISO timestamp recorded when the email address was verified.

AuthSignInWithPasswordInput

Input accepted by auth.signInWithPassword().

Field	Type	Description
email	string	Email address for the password credential.
password	string	Plain-text password to verify.
rememberToken	string | undefined	Remember-device token returned by a prior sign-in OTP verification.

AuthSignInWithPasswordResult

Result returned by auth.signInWithPassword().

Field	Type	Description
user	AuthUser	User resolved for the password credential.
verification	AuthEmailVerificationResult	Email OTP state when the sign-in flow requires a second step.
accessToken	string | undefined	Access token issued when sign-in is complete.
session	AuthSession | undefined	Session issued when sign-in is complete.
setCookie	string | undefined	Set-Cookie header value when the session mode writes cookies.

AuthVerifySignInEmailOtpInput

Input accepted by auth.verifySignInEmailOtp().

Field	Type	Description
email	string	Email address used for the sign-in OTP.
otp	string	One-time password sent to the email address.
verificationId	string | undefined	Verification challenge id returned by password sign-in.
remember	boolean | undefined	When true, Auth returns a remember-device token after successful OTP verification.

AuthVerifySignInEmailOtpResult

Result returned by auth.verifySignInEmailOtp().

Field	Type	Description
rememberToken	string | undefined	Remember-device token issued after successful OTP verification.
rememberTokenExpiresAt	string | undefined	ISO timestamp when the remember-device token expires.

AuthCreateSessionInput

Input accepted by auth.createSession().

Field	Type	Description
userId	string | undefined	User id that should own the new session.
user	AuthCreateSessionUserInput | undefined	User profile fields used when Auth creates or resolves the session user.
ttlSeconds	int32 | undefined	Access token lifetime in seconds for this session.
expiresAt	string | undefined	ISO timestamp when the access session should expire.
accessToken	string | undefined	Caller-supplied access token for trusted session minting.
sessionId	string | undefined	Caller-supplied session id for trusted session minting.
device	AuthSessionDevice | undefined	Device metadata to store with the session.

AuthRefreshSessionInput

Input accepted by auth.refreshSession().

Field	Type	Description
refreshToken	string	Refresh token issued by Auth.
ttlSeconds	int32 | undefined	Access token lifetime in seconds for the refreshed session.
expiresAt	string | undefined	ISO timestamp when the refreshed access session should expire.
device	AuthSessionDevice | undefined	Device metadata to store with the refreshed session.

AuthRefreshSessionResult

Result returned by auth.refreshSession().

Field	Type	Description

AuthVerifyAccessTokenInput

Input accepted by Auth session lookup methods.

Field	Type	Description
accessToken	string | undefined	Access token to verify. When omitted, Auth reads the current request using the configured session mode.

AuthRevokeSessionInput

Input accepted by auth.revokeSession().

Field	Type	Description
sessionId	string | undefined	Session id to revoke.
accessToken	string | undefined	Access token whose session should be revoked.

AuthRevokeAllSessionsInput

Input accepted by auth.revokeAllSessions().

Field	Type	Description
userId	string | undefined	User id whose active sessions should be revoked. When omitted, Auth uses the current active session.
accessToken	string | undefined	Access token used to identify the current active session.

AuthRevokeAllSessionsResult

Result returned by auth.revokeAllSessions().

Field	Type	Description
userId	string	User id whose sessions were revoked.
revokedAt	string	ISO timestamp recorded when the sessions were revoked.
revokedSessionCount	int32	Number of active sessions revoked.

AuthUpdatePasswordInput

Input accepted by auth.updatePassword().

Field	Type	Description
currentPassword	string | undefined	Current password used when the configured policy requires reauthentication.
newPassword	string	New plain-text password to validate and hash.
accessToken	string | undefined	Access token identifying the active user. When omitted, Auth reads the current request.

AuthUpdatePasswordResult

Result returned by auth.updatePassword().

Field	Type	Description
user	AuthUser	User whose password is being updated.
verification	AuthEmailVerificationResult	Email OTP state when the update requires a second step.
updatedAt	string | undefined	ISO timestamp recorded when the password was updated.

AuthVerifyPasswordUpdateEmailOtpInput

Input accepted by auth.verifyPasswordUpdateEmailOtp().

Field	Type	Description
otp	string	One-time password sent to confirm the password update.
verificationId	string | undefined	Verification challenge id returned by updatePassword.
accessToken	string | undefined	Access token identifying the active user. When omitted, Auth reads the current request.

AuthVerifyPasswordUpdateEmailOtpResult

Result returned by auth.verifyPasswordUpdateEmailOtp().

Field	Type	Description
user	AuthUser	User whose password was updated.
updatedAt	string	ISO timestamp recorded when the password was updated.

AuthResetPasswordForEmailInput

Input accepted by auth.resetPasswordForEmail().

Field	Type	Description
email	string	Email address that should receive the password reset message.

AuthResetPasswordForEmailResult

Result returned by auth.resetPasswordForEmail().

Field	Type	Description
email	string	Email address that received the password reset flow.
sent	true	Whether Auth accepted the reset request for delivery.

AuthVerifyPasswordResetTokenInput

Input accepted by auth.verifyPasswordResetToken().

Field	Type	Description
token	string	Password reset token sent to the user’s email address.
verificationId	string | undefined	Verification challenge id associated with the reset token.

AuthVerifyPasswordResetTokenResult

Result returned by auth.verifyPasswordResetToken().

Field	Type	Description
valid	true	Whether the reset token is valid.
email	string	Email address associated with the reset token.
expiresAt	string	ISO timestamp when the reset token expires.

AuthSetPasswordWithResetTokenInput

Input accepted by auth.setPasswordWithResetToken().

Field	Type	Description
token	string	Password reset token sent to the user’s email address.
verificationId	string | undefined	Verification challenge id associated with the reset token.
newPassword	string	New plain-text password to validate and hash.

AuthSetPasswordWithResetTokenResult

Result returned by auth.setPasswordWithResetToken().

Field	Type	Description
user	AuthUser	User whose password was reset.
updatedAt	string	ISO timestamp recorded when the password was reset.

AuthOAuthCreateAuthorizationUrlInput

Input accepted by auth.oauth.createAuthorizationUrl().

Field	Type	Description
provider	string	OAuth provider id. Use github for GitHub, or the configured OIDC provider id.
callbackUrl	string	Absolute callback URL registered with the OAuth or OIDC provider.
redirectTo	string | undefined	Relative post-login path or allowlisted absolute URL returned after callback verification.
scopes	string[] | undefined	Scopes requested for this authorization request. OIDC requests must include openid.

AuthOAuthCreateAuthorizationUrlResult

Result returned by auth.oauth.createAuthorizationUrl().

Field	Type	Description
authorizationUrl	string	Provider authorization URL with a one-time state value.
state	string	Opaque state value that must be returned to auth.oauth.verifyCallback().
expiresAt	string	ISO timestamp when the state and PKCE verifier expire.
codeChallenge	string | undefined	PKCE S256 challenge sent to providers that support PKCE.
codeChallengeMethod	”S256” | undefined	PKCE challenge method.

AuthOAuthVerifyCallbackInput

Input accepted by auth.oauth.verifyCallback().

Field	Type	Description
provider	string	OAuth provider id. Use github for GitHub, or the configured OIDC provider id.
code	string	Authorization code returned by the OAuth or OIDC provider.
state	string	State returned by the OAuth or OIDC provider.
callbackUrl	string | undefined	Callback URL used for the authorization request. Auth verifies it when supplied.

AuthOAuthVerifyCallbackResult

Result returned by auth.oauth.verifyCallback().

Field	Type	Description
redirectTo	string | undefined	Post-login redirect value stored during authorization URL creation.

AuthWebAuthnCredentialResponse

WebAuthn credential response fields returned by the browser.

Field	Type	Description
clientDataJSON	string	Base64url-encoded clientDataJSON.
attestationObject	string | undefined	Base64url-encoded attestationObject for registration.
authenticatorData	string | undefined	Base64url-encoded authenticatorData for authentication.
signature	string | undefined	Base64url-encoded assertion signature for authentication.
userHandle	string | undefined	Base64url-encoded user handle returned by the authenticator.

AuthWebAuthnCredential

WebAuthn credential returned by navigator.credentials.create or navigator.credentials.get.

Field	Type	Description
id	string	Base64url-encoded credential id.
rawId	string | undefined	Base64url-encoded raw credential id.
type	”public-key” | undefined	Credential type. WebAuthn passkeys use public-key.
response	AuthWebAuthnCredentialResponse	WebAuthn response fields.
authenticatorAttachment	PasskeyAuthenticatorAttachment | undefined	Authenticator attachment reported by the browser.
transports	string[] | undefined	Authenticator transports reported by the browser.
clientExtensionResults	Record<unknown> | undefined	Client extension results returned by the browser.

PasskeyCredential

Stored passkey credential.

Field	Type	Description
id	string	Stable Auth passkey id.
userId	string	User id that owns the passkey.
credentialId	string	Base64url WebAuthn credential id.
friendlyName	string | undefined	Human-readable passkey name.
transports	string[]	Authenticator transports.
backedUp	boolean	Whether the authenticator reported that the credential is backed up.
backupEligible	boolean	Whether the authenticator reported that the credential is backup eligible.
deviceType	”singleDevice” | “multiDevice”	Credential device type inferred from backup eligibility.
userVerified	boolean	Whether the last ceremony had user verification.
createdAt	string	ISO timestamp recorded when the passkey was registered.
lastUsedAt	string | undefined	ISO timestamp recorded when the passkey was last used.
lastUsedIpHash	string | undefined	Hash of the IP address recorded during last use.
aaguid	string | undefined	Authenticator AAGUID in hex.

AuthPasskeyBeginRegistrationInput

Input accepted by auth.passkey.beginRegistration().

Field	Type	Description
userId	string | undefined	User id to register for. When supplied, it must match the active session.
friendlyName	string | undefined	Human-readable passkey name.

AuthPasskeyBeginRegistrationResult

Result returned by auth.passkey.beginRegistration().

Field	Type	Description
ceremonyId	string	One-time ceremony id.
expiresAt	string	ISO timestamp when the ceremony expires.
publicKey	Record<unknown>	PublicKeyCredentialCreationOptions JSON using base64url binary fields.

AuthPasskeyFinishRegistrationInput

Input accepted by auth.passkey.finishRegistration().

Field	Type	Description
ceremonyId	string	One-time ceremony id returned by beginRegistration.
credential	AuthWebAuthnCredential	WebAuthn credential returned by the browser.
friendlyName	string | undefined	Human-readable passkey name.

AuthPasskeyBeginAuthenticationInput

Input accepted by auth.passkey.beginAuthentication().

Field	Type	Description
userId	string | undefined	User id for non-discoverable passkey login.
email	string | undefined	Email address for managed-user passkey lookup.
purpose	”login” | “mfa” | “step_up” | undefined	Ceremony purpose. Defaults to login.

AuthPasskeyBeginAuthenticationResult

Result returned by auth.passkey.beginAuthentication().

Field	Type	Description
ceremonyId	string	One-time ceremony id.
expiresAt	string	ISO timestamp when the ceremony expires.
publicKey	Record<unknown>	PublicKeyCredentialRequestOptions JSON using base64url binary fields.

AuthPasskeyFinishAuthenticationInput

Input accepted by auth.passkey.finishAuthentication().

Field	Type	Description
ceremonyId	string	One-time ceremony id returned by beginAuthentication.
credential	AuthWebAuthnCredential	WebAuthn assertion returned by the browser.
stepUpPurpose	string | undefined	Application purpose recorded for a step-up session.

AuthPasskeyFinishAuthenticationResult

Result returned by auth.passkey.finishAuthentication().

Field	Type	Description

AuthPasskeyRenameInput

Input accepted by auth.passkey.rename().

Field	Type	Description
passkeyId	string	Passkey id to rename.
friendlyName	string	New human-readable passkey name.

AuthPasskeyRemoveInput

Input accepted by auth.passkey.remove().

Field	Type	Description
passkeyId	string	Passkey id to remove.

AuthError

Structured Auth error returned through AuthError JSON serialization and gateway error responses.

Field	Type	Description
code	AuthErrorCode	Stable Auth error code.
message	string	Human-readable error message.
status	int32	HTTP status code associated with the error.
details	Record<unknown> | undefined	Additional structured error details.

AuthSubject

Policy subject resolved from an Auth user.

Field	Type	Description
kind	”user”	Subject kind used by Policy.
id	string	Subject user id.
roles	string[] | undefined	Role names attached to the subject.
scopes	string[] | undefined	Permission scopes attached to the subject.
tenantId	string | undefined	Tenant id attached to the subject.
attributes	Record<unknown> | undefined	Subject attributes exposed to Policy.

AuthModule

Layeron Auth module returned by auth(options).

Field	Type	Description
name	”auth”	Module name recorded in the app spec.
config	AuthModuleOptions	Auth module configuration recorded in the app spec.
observability	Layeron.Observability.ObservabilityConfig | undefined	Effective observability policy recorded on the module declaration.

AuthSessionMode

How Auth reads access tokens from requests.

Value	Description
cookie	Read and write the configured session cookie.
bearer	Read bearer tokens from the Authorization header.
both	Read bearer tokens first, then the configured session cookie.

AuthPasswordHashAlgorithm

Password hash algorithm.

Value	Description
argon2id	Argon2id memory-hard password hashing.
pbkdf2_sha256	PBKDF2 using SHA-256 through Web Crypto.

AuthPasswordHashLevel

Password hash security level.

Value	Description
interactive	Lower memory cost for latency-sensitive Workers.
balanced	Default production setting. Argon2id uses 32 MiB of memory.
sensitive	Higher memory and time cost for sensitive applications.
custom	Use the explicit hash parameters supplied by the application.

PasskeyUserVerification

Passkey user verification policy.

Value	Description
required	Require authenticator user verification.
preferred	Prefer authenticator user verification.
discouraged	Discourage authenticator user verification.

PasskeyResidentKey

Passkey resident key policy.

Value	Description
required	Require a discoverable credential.
preferred	Prefer a discoverable credential.
discouraged	Discourage a discoverable credential.

PasskeyAuthenticatorAttachment

Passkey authenticator attachment policy.

Value	Description
platform	Use a platform authenticator.
cross-platform	Use a roaming authenticator.
any	Allow any authenticator attachment.

PasskeyAttestation

Passkey attestation conveyance preference.

Value	Description
none	Do not request attestation.
indirect	Request indirect attestation.
direct	Request direct attestation.
enterprise	Request enterprise attestation.

AuthOAuthTokenEndpointAuthMethod

OAuth and OIDC token endpoint client authentication method.

Value	Description
client_secret_basic	Send the client secret with HTTP Basic authentication.
client_secret_post	Send the client secret in the form body.
none	Use PKCE without a client secret.

AuthUserStatus

User status stored by Auth.

Value	Description
active	The user can sign in and use active sessions.
disabled	The user cannot sign in and existing sessions are rejected.

AuthErrorCode

Auth error codes returned by AuthError.

Value	Description
auth_runtime_not_attached	Auth runtime helpers were used without attaching the Auth runtime.
auth_runtime_context_missing	The current request has no Auth runtime context.
auth_invalid_configuration	Auth configuration is invalid for the requested operation.
auth_invalid_input	The request input failed Auth validation.
auth_custom_hook_required	A required custom user-store hook is missing.
auth_email_product_required	The configured flow requires an Email product instance.
auth_email_invalid	The email address is invalid.
auth_email_already_registered	The email address already has a password identity.
auth_email_not_verified	The email address must be verified before the operation can continue.
auth_password_weak	The password does not satisfy the configured strength policy.
auth_invalid_credentials	The supplied credential is invalid.
auth_otp_invalid	The supplied OTP is invalid.
auth_otp_expired	The supplied OTP is expired.
auth_otp_attempts_exhausted	The OTP challenge has no remaining verification attempts.
auth_token_invalid	The supplied token is invalid.
auth_token_expired	The supplied token is expired.
auth_token_attempts_exhausted	The token challenge has no remaining verification attempts.
auth_oauth_provider_unsupported	The OAuth or OIDC provider is missing, unsupported, or misconfigured.
auth_oauth_state_invalid	The OAuth or OIDC state is invalid, expired, consumed, or exhausted.
auth_oauth_callback_invalid	The OAuth or OIDC callback failed token exchange or id_token validation.
auth_invalid_refresh_token	The supplied refresh token is invalid, expired, reused, or revoked.
auth_remember_disabled	Remember-device tokens are disabled for this flow.
auth_session_required	The operation requires an active session.
auth_session_not_found	The requested session was not found.
auth_user_required	The operation requires a user id or user object.
auth_user_not_found	The requested user was not found.
auth_user_disabled	The user is disabled.
auth_password_credential_not_found	The user has no password credential.
auth_current_password_required	The current password is required.
auth_current_password_invalid	The current password is invalid.
auth_module_rpc_unavailable	The Auth Product Worker RPC entrypoint is unavailable.
auth_rpc_unsupported_operation	The Auth Product Worker does not support the requested RPC operation.

AuthDatabaseMode

How Auth stores user records.

Value	Description
managed	Auth owns the user table, all Auth user profile fields, metadata fields, and sessions.
managed_core	Auth owns only core user identity fields and sessions.
custom	Auth owns sessions and resolves users through application functions.
mapped	Auth owns security state and reads application user profiles from a mapped Database product table.
external	Auth owns login, sessions, and tokens, then resolves application user profiles through a resolver function.

Operations

authCreateSession

Create an Auth session.

authCreateSession(input: AuthCreateSessionInput): AuthCreateSessionResult

authRefreshSession

Refresh an Auth session using a refresh token.

authRefreshSession(input: AuthRefreshSessionInput): AuthRefreshSessionResult

authSignUp

Create a user with email and password, send the configured sign-up email, and return a session when OTP verification is not required.

authSignUp(input: AuthSignUpInput): AuthSignUpResult

authVerifyEmailOtp

Verify a sign-up OTP and create a session.

authVerifyEmailOtp(input: AuthVerifyEmailOtpInput): AuthVerifyEmailOtpResult

authSignInWithPassword

Verify an email and password credential, then create a session or send the configured sign-in OTP.

authSignInWithPassword(input: AuthSignInWithPasswordInput): AuthSignInWithPasswordResult

authVerifySignInEmailOtp

Verify a password sign-in OTP and create a session.

authVerifySignInEmailOtp(input: AuthVerifySignInEmailOtpInput): AuthVerifySignInEmailOtpResult

authVerifyAccessToken

Verify an access token and return the active session.

authVerifyAccessToken(input?: AuthVerifyAccessTokenInput): AuthSession | null

authGetSession

Return the active session.

authGetSession(input?: AuthVerifyAccessTokenInput): AuthSession | null

authGetUser

Return the active user.

authGetUser(input?: AuthVerifyAccessTokenInput): AuthUser | null

authGetUserId

Return the active user id.

authGetUserId(input?: AuthVerifyAccessTokenInput): string | null

authSignOut

Revoke the active session.

authSignOut(input?: AuthRevokeSessionInput): AuthSession | null

authRevokeSession

Revoke a session.

authRevokeSession(input?: AuthRevokeSessionInput): AuthSession | null

authRevokeAllSessions

Revoke every active session for a user.

authRevokeAllSessions(input?: AuthRevokeAllSessionsInput): AuthRevokeAllSessionsResult

authUpdatePassword

Update the active user’s password or send a password update OTP.

authUpdatePassword(input: AuthUpdatePasswordInput): AuthUpdatePasswordResult

authVerifyPasswordUpdateEmailOtp

Verify a password update OTP and apply the pending password hash.

authVerifyPasswordUpdateEmailOtp(input: AuthVerifyPasswordUpdateEmailOtpInput): AuthVerifyPasswordUpdateEmailOtpResult

authResetPasswordForEmail

Send a password reset email when the address has a password credential.

authResetPasswordForEmail(input: AuthResetPasswordForEmailInput): AuthResetPasswordForEmailResult

authVerifyPasswordResetToken

Verify a password reset token.

authVerifyPasswordResetToken(input: AuthVerifyPasswordResetTokenInput): AuthVerifyPasswordResetTokenResult

authSetPasswordWithResetToken

Set a new password with a valid password reset token.

authSetPasswordWithResetToken(input: AuthSetPasswordWithResetTokenInput): AuthSetPasswordWithResetTokenResult

authCreateOAuthAuthorizationUrl

Create an OAuth or OIDC authorization URL with state and provider-specific protection.

authCreateOAuthAuthorizationUrl(input: AuthOAuthCreateAuthorizationUrlInput): AuthOAuthCreateAuthorizationUrlResult

authVerifyOAuthCallback

Verify an OAuth or OIDC callback, link or create the identity, and create a session.

authVerifyOAuthCallback(input: AuthOAuthVerifyCallbackInput): AuthOAuthVerifyCallbackResult

authListPasskeys

List passkeys registered to the active user.

authListPasskeys(input?: AuthVerifyAccessTokenInput): PasskeyCredential[]

authBeginPasskeyRegistration

Begin passkey registration for the active user.

authBeginPasskeyRegistration(input?: AuthPasskeyBeginRegistrationInput): AuthPasskeyBeginRegistrationResult

authFinishPasskeyRegistration

Finish passkey registration and store the verified credential.

authFinishPasskeyRegistration(input: AuthPasskeyFinishRegistrationInput): PasskeyCredential

authBeginPasskeyAuthentication

Begin passkey authentication for login, MFA, or step-up.

authBeginPasskeyAuthentication(input?: AuthPasskeyBeginAuthenticationInput): AuthPasskeyBeginAuthenticationResult

authFinishPasskeyAuthentication

Finish passkey authentication and create a session.

authFinishPasskeyAuthentication(input: AuthPasskeyFinishAuthenticationInput): AuthPasskeyFinishAuthenticationResult

authRenamePasskey

Rename an active user’s passkey.

authRenamePasskey(input: AuthPasskeyRenameInput): PasskeyCredential

authRemovePasskey

Remove an active user’s passkey.

authRemovePasskey(input: AuthPasskeyRemoveInput): PasskeyCredential | null

authResolveSubject

Resolve the active subject for Policy and route context.

authResolveSubject(input?: AuthVerifyAccessTokenInput): AuthSubject | null

TypeScript options

Option	Description
magicLink	Magic link sign-in settings.
passkey	Passkey login and MFA settings.
mfa	Multi-factor authentication settings.

TypeScript module methods

Method	Description
requireUserId()	Require an active user and return its id.
verifyAccessToken()	Verify an access token and return the active session.
refreshSession()	Refresh an existing Auth session.
signInWithOtp()	Start an email OTP sign-in.
verifyOtp()	Verify an email OTP sign-in challenge.
signInWithMagicLink()	Start a magic link sign-in.
verifyMagicLink()	Verify a magic link token.
requireAal()	Require a specific authentication assurance level.
requireStepUp()	Require a step-up authentication challenge.
resolveSubject()	Resolve the active Policy subject.
oauth.createAuthorizationUrl()	Create an OAuth authorization URL.
oauth.verifyCallback()	Verify an OAuth callback.
passkey.list()	List passkeys for the active user.
passkey.beginRegistration()	Begin passkey registration.
passkey.finishRegistration()	Finish passkey registration.
passkey.beginAuthentication()	Begin passkey authentication.
passkey.finishAuthentication()	Finish passkey authentication.
passkey.rename()	Rename a passkey.
passkey.remove()	Remove a passkey.
mfa.enroll()	Enroll an MFA factor.
mfa.challenge()	Create an MFA challenge.
mfa.verify()	Verify an MFA challenge.
mfa.getAal()	Read the active authentication assurance level.
mfa.unenroll()	Unenroll an MFA factor.

TypeScript result contracts

These TypeScript result contracts are part of the public module API.

Result
EmailSendResult
AuthSignInWithOtpResult
AuthSignInWithMagicLinkResult
AuthOAuthCreateAuthorizationUrlResult
AuthWebAuthnCredentialResponse
AuthPasskeyBeginRegistrationResult
AuthPasskeyBeginAuthenticationResult
AuthMfaEnrollResult
AuthMfaChallengeResult
AuthMfaVerifyResult
AuthMfaGetAalResult