All Case Studies

Developer Tools & Open Source

Open Source Authentication Framework

nauth-toolkit

Team

3+

Version

v0.3.0

License

MIT

Launch

Q2 2026

nauth-toolkit authentication framework

Overview

Why We Built It

After implementing auth across dozens of client projects — each with its own mix of MFA, social login, JWT strategies, and session management — we saw the same patterns repeated everywhere. The choice was always the same: accept SaaS vendor lock-in and per-user pricing, or stitch together scattered libraries and hope there are no gaps.

We extracted our battle-tested patterns into a fully open-source library, released under the permissive MIT license — every feature free, with no paid tiers or per-user pricing. Not a service — a framework-agnostic TypeScript package that lives in your codebase, under your control. NestJS, Express, and Fastify supported out of the box, with every feature modular and optional.

Architecture

How It Works

A framework-agnostic TypeScript core with adapters for NestJS (decorators + guards), Express, and Fastify on the backend, plus a framework-agnostic Client SDK and an Angular adapter for the frontend. Passwords are hashed with Argon2id (the Password Hashing Competition winner) under configurable, NIST-aligned password policies — common-password blocking and password-history reuse prevention included. JWT supports both RS256 and HS256, and refresh token rotation with reuse detection blocks token theft.

MFA is fully pluggable: TOTP authenticator apps, SMS and email codes, WebAuthn passkeys, and backup recovery codes — with adaptive, risk-based step-up triggered by new devices or location changes. Social auth for Google, Apple, and Facebook (web redirect and native mobile token flows) through a unified callback interface. CSRF protection, session and device management, and IP geolocation suspicious-login detection (MaxMind GeoIP2) are built in — not afterthoughts.

Everything pluggable down to the infrastructure: storage via memory, database, or Redis (with cluster); PostgreSQL and MySQL through TypeORM; email through Nodemailer SMTP, AWS SES, or Gmail; and SMS through AWS SNS or Twilio.

Backend Frameworks

NestJSExpressFastify

Frontend Client SDKs

Client SDKAngularReactVueSvelte

Core Technologies

TypeScriptArgon2idRS256/HS256WebAuthnTOTPOAuth 2.0TypeORMRedis

Features

What's included

01

Multi-Factor Authentication

TOTP authenticator apps, SMS and email codes, WebAuthn passkeys, and backup recovery codes. Adaptive, risk-based step-up by device and location. Pluggable strategies -- use one or combine several.

02

Social Authentication

Google, Apple, and Facebook OAuth with a unified callback interface. Add custom providers through the extensible adapter pattern.

03

Flexible Token Management

RS256 asymmetric and HS256 symmetric JWT signing. Refresh token rotation with reuse detection, distributed locks, and configurable expiry. HttpOnly cookies or bearer headers on the same backend.

04

Argon2id Password Hashing

Argon2id hashing (Password Hashing Competition winner) with configurable memory, iterations, and parallelism, plus NIST-aligned password policies -- common-password blocking and password-history reuse prevention.

05

Sessions, Devices & Security

Device tracking, trusted devices, single/limited/unlimited session modes, and revocation. CSRF protection, rate limiting, IP geolocation, and audit logging built in.

06

Framework Agnostic

TypeScript core with backend adapters for NestJS, Express, and Fastify, and frontend SDKs for Angular, React, Vue, and Svelte. Pluggable storage, database, email, and SMS adapters.

Integrations

Social auth providers

Google

OAuth 2.0 integration with Google Sign-In. Supports ID token verification, profile data retrieval, and account linking.

Apple

Sign in with Apple support including email relay, name sharing preferences, and cross-platform compatibility.

Facebook

Facebook Login with configurable scopes, profile data mapping, and long-lived token exchange.

Read the Documentation nauth.dev MIT licensed · v0.3.0

Ready to build something great?

Free 30-minute consultation — no obligations, just honest advice.

25+ Years Experience
5.0★ Google Rating
50+ Products Launched
100% Australian Owned