AuthHero Documentation
Drop-in authentication for Express apps. Email/password, OAuth, MFA — all production-ready, fully typed, and secured out of the box.
Get Running
Install, configure, and ship your first auth flow.
Integrate Frontend
Session handling, forms, and secure UI patterns.
Production Ready
Security, deployment, and scaling guidance.
```bash
npm install @nandalalshukla/auth-hero express
```

```ts
import "dotenv/config";
import { createAuthHero } from "@nandalalshukla/auth-hero";

// Builds the auth server from environment variables (database, Redis, email).
const auth = await createAuthHero();
auth.app.listen(3000);
```

That's it. You now have register, login, email verification, password reset, OAuth (Google/GitHub/Facebook), MFA (TOTP), session management, and rate limiting — all running on port 3000.
Guided setup
Configure your environment
Add your database URL, Redis URL, and email provider settings.
Choose your auth flows
Enable email/password, OAuth providers, and MFA based on your product needs.
Connect your frontend
Use the client hooks, cookie sessions, and secure form patterns.
Features
Email / Password
Register, login, email verification, password reset & change — all production-ready.
OAuth 2.0
Google, GitHub, Facebook with the Strategy Pattern. Add more providers in minutes.
MFA (TOTP)
Time-based one-time passwords with QR codes, backup codes, and challenge flow.
Session Management
JWT access tokens + rotating refresh tokens with reuse detection.
Rate Limiting
Per-route Redis-backed rate limiters prevent brute-force attacks.
Two Usage Modes
Standalone server or mount on your existing Express app as a library.
Quick Links
Quick Start
Get AuthHero running in under 5 minutes
API Reference
Every endpoint with request/response examples
Architecture
Project structure and design patterns
Configuration
Every environment variable explained
OAuth Setup
Configure Google, GitHub, Facebook
MFA Guide
TOTP setup, challenge flow, backup codes
Security
Every security measure explained in detail
Deployment
Production checklist and Docker setup
Tech Stack
| Technology | Layer | Purpose |
|---|---|---|
| Node.js ≥ 18 | Runtime | Server runtime |
| Express 5 | Framework | HTTP framework |
| TypeScript | Language | Strict mode type safety |
| PostgreSQL + Prisma 7 | Database | Primary data store |
| Redis + BullMQ | Cache / Queue | Rate limiting, jobs, OAuth codes |
| JWT + Argon2 | Auth | Tokens + password hashing |
| otplib + QRCode | MFA | TOTP one-time passwords |
| AES-256-GCM | Encryption | TOTP secret encryption at rest |
| Zod 4 | Validation | Request body validation |
| Nodemailer | Email | Transactional email delivery |
| Pino | Logging | Structured JSON logging |
| Helmet | Security | HTTP security headers |
Want to start even faster? Run `npx create-authhero my-app` to scaffold a complete project with auto-generated secrets.
Jump into the architecture, security, and deployment guides to see how AuthHero handles rate limiting, MFA, and session rotation in production.