Hospitality & FinTech
Automated Tip Management Platform
Tip Sheet
Developer Tools & Open Source
nauth-toolkit
Team
3+
Version
v0.3.0
License
MIT
Launch
Q2 2026
After implementing auth across dozens of client projects — each with its own mix of MFA, social login, JWT strategies, and session management — we saw the same patterns repeated everywhere. The choice was always the same: accept SaaS vendor lock-in and per-user pricing, or stitch together scattered libraries and hope there are no gaps.
We extracted our battle-tested patterns into a fully open-source library, released under the permissive MIT license — every feature free, with no paid tiers or per-user pricing. Not a service — a framework-agnostic TypeScript package that lives in your codebase, under your control. NestJS, Express, and Fastify supported out of the box, with every feature modular and optional.
A framework-agnostic TypeScript core with adapters for NestJS (decorators + guards), Express, and Fastify on the backend, plus a framework-agnostic Client SDK and an Angular adapter for the frontend. Passwords are hashed with Argon2id (the Password Hashing Competition winner) under configurable, NIST-aligned password policies — common-password blocking and password-history reuse prevention included. JWT supports both RS256 and HS256, and refresh token rotation with reuse detection blocks token theft.
MFA is fully pluggable: TOTP authenticator apps, SMS and email codes, WebAuthn passkeys, and backup recovery codes — with adaptive, risk-based step-up triggered by new devices or location changes. Social auth for Google, Apple, and Facebook (web redirect and native mobile token flows) through a unified callback interface. CSRF protection, session and device management, and IP geolocation suspicious-login detection (MaxMind GeoIP2) are built in — not afterthoughts.
Everything pluggable down to the infrastructure: storage via memory, database, or Redis (with cluster); PostgreSQL and MySQL through TypeORM; email through Nodemailer SMTP, AWS SES, or Gmail; and SMS through AWS SNS or Twilio.
Backend Frameworks
Frontend Client SDKs
Core Technologies
TOTP authenticator apps, SMS and email codes, WebAuthn passkeys, and backup recovery codes. Adaptive, risk-based step-up by device and location. Pluggable strategies -- use one or combine several.
Google, Apple, and Facebook OAuth with a unified callback interface. Add custom providers through the extensible adapter pattern.
RS256 asymmetric and HS256 symmetric JWT signing. Refresh token rotation with reuse detection, distributed locks, and configurable expiry. HttpOnly cookies or bearer headers on the same backend.
Argon2id hashing (Password Hashing Competition winner) with configurable memory, iterations, and parallelism, plus NIST-aligned password policies -- common-password blocking and password-history reuse prevention.
Device tracking, trusted devices, single/limited/unlimited session modes, and revocation. CSRF protection, rate limiting, IP geolocation, and audit logging built in.
TypeScript core with backend adapters for NestJS, Express, and Fastify, and frontend SDKs for Angular, React, Vue, and Svelte. Pluggable storage, database, email, and SMS adapters.
OAuth 2.0 integration with Google Sign-In. Supports ID token verification, profile data retrieval, and account linking.
Sign in with Apple support including email relay, name sharing preferences, and cross-platform compatibility.
Facebook Login with configurable scopes, profile data mapping, and long-lived token exchange.
Free 30-minute consultation — no obligations, just honest advice.