Skip to contentSkip to navigation

Configuration

Create an auth.ts file in your project. This is the single entry point for all auth operations.

Basic configuration

ts
// auth.ts
import { createOwnAuth } from "own-auth";

export const auth = createOwnAuth({
  tokenPepper: process.env.OWN_AUTH_TOKEN_PEPPER,
  session: {
    ttlMs: 30 * 24 * 60 * 60 * 1000, // 30 days
  },
});

Own Auth reads DATABASE_URL from the environment. That is enough to get started. Everything below is optional.

Full configuration

ts
import { createOwnAuth } from "own-auth";

const appUrl = "https://app.example.com";

export const auth = createOwnAuth({
  // Required in production
  tokenPepper: process.env.OWN_AUTH_TOKEN_PEPPER,

  // Base URL used to create auth links
  baseUrl: appUrl,

  // Session settings
  session: {
    ttlMs: 30 * 24 * 60 * 60 * 1000,     // absolute timeout: 30 days
    idleTtlMs: 7 * 24 * 60 * 60 * 1000, // idle timeout: 7 days
  },

  // Password settings
  password: {
    minLength: 8,
  },

  // Magic link, email verification, password reset, and invite expiry
  tokenTtlMs: {
    magic_link: 15 * 60 * 1000,                   // 15 minutes
    email_verification: 24 * 60 * 60 * 1000,     // 24 hours
    password_reset: 60 * 60 * 1000,              // 1 hour
    organisation_invite: 7 * 24 * 60 * 60 * 1000, // 7 days
  },

  // Phone and SMS settings
  sms: {
    otpTtlMs: 10 * 60 * 1000, // 10 minutes
    codeLength: 6,             // 6 digits
    maxAttempts: 5,            // 5 wrong attempts
  },

  // Signup controls
  allowMagicLinkSignup: true,
  allowPhoneSignup: true,

  // Redirect security
  redirectAllowlist: [appUrl],
});

Storage, rate limiting, email, and SMS can be replaced with adapters through storage, rateLimitStore, emailProvider, and smsProvider.

Configuration reference

tokenPepper

A secret string used when hashing sessions, auth links, SMS codes, and API keys before storing them. If this option is omitted, Own Auth reads OWN_AUTH_TOKEN_PEPPER from the environment.

It is required in production. Generate it once, keep it secret, and do not change it unless you intend to invalidate existing sessions, links, codes, and API keys.

baseUrl

TypeDefaultDescription
stringhttp://localhost:3000Base URL used to create magic links, verification links, password reset links, and invitation links.

session

OptionTypeDefaultDescription
ttlMsnumber2592000000 (30 days)Maximum session lifetime in milliseconds.
idleTtlMsnumber604800000 (7 days)Session idle timeout. Verifying an active session extends this deadline.

password

OptionTypeDefaultDescription
minLengthnumber8Minimum password length.

New passwords are hashed with Argon2id. Existing scrypt hashes remain valid and are upgraded to Argon2id after a successful sign in. The hashing algorithm is not configurable.

Magic links

OptionTypeDefaultDescription
tokenTtlMs.magic_linknumber900000 (15 minutes)How long a magic link is valid.
allowMagicLinkSignupbooleantrueCreate a user when a valid magic link is used for an unknown email address.

Email verification

OptionTypeDefaultDescription
tokenTtlMs.email_verificationnumber86400000 (24 hours)How long an email verification link is valid.

Password reset

OptionTypeDefaultDescription
tokenTtlMs.password_resetnumber3600000 (1 hour)How long a password reset link is valid.

Phone and SMS

OptionTypeDefaultDescription
sms.otpTtlMsnumber600000 (10 minutes)How long an SMS code is valid.
sms.codeLengthnumber6Number of digits in the code.
sms.maxAttemptsnumber5Wrong attempts allowed before the code is invalidated.
allowPhoneSignupbooleantrueCreate a user when a valid phone login code is used for an unknown number.
smsProviderSmsProviderConsoleSmsProviderSends phone login and verification codes.

Invitations

OptionTypeDefaultDescription
tokenTtlMs.organisation_invitenumber604800000 (7 days)How long an organisation invitation is valid.

Email

Configure emailProvider to send auth emails using any email service. This is not needed if you use Own Auth Delivery.

OptionTypeDefaultDescription
emailProviderEmailProviderConsoleEmailProviderSends magic links, verification links, password reset links, and invitations.

The console provider is for development and does not send emails. Use Own Auth Delivery for managed auth email delivery.

Managed delivery

Use Own Auth Delivery to send magic links, verification links, password reset links, and invitations without connecting your own email service. See the Delivery setup guide.

ts
import { OwnAuthManagedEmailProvider, createOwnAuth } from "own-auth";

export const auth = createOwnAuth({
  tokenPepper: process.env.OWN_AUTH_TOKEN_PEPPER,
  emailProvider: new OwnAuthManagedEmailProvider({
    deliveryKey: process.env.OWN_AUTH_EMAIL_DELIVERY_KEY,
  }),
});
OptionTypeDescription
deliveryKeystringDelivery key from the Own Auth dashboard.

redirectAllowlist

An array of URLs allowed as absolute magic-link redirect targets. Relative redirect paths are allowed. The default is an array containing baseUrl.

Validation

createOwnAuth checks required runtime configuration when the auth instance is created. Without a database connection, it throws:

text
DATABASE_URL is required. Set DATABASE_URL or pass storage to createOwnAuth().

In production, a missing token pepper throws:

text
OWN_AUTH_TOKEN_PEPPER is required in production.

These errors happen when your application starts, before an auth method is called.

Next step

Start adding auth methods: Passwords, Magic links, or Phone login.