Open-source Auth-as-a-Service on Cloudflare Workers

Password auth · OpenID Connect SSO · JWT + refresh tokens · User moderation · Deploy in 5 minutes
Live Playground · Dashboard · npm · Scaffolding CLI
No sign-up needed — try it now: Register → Login → OIDC SSO → Ban demo
```bash
npx create-nexus-auth my-app # scaffold a full auth app in one command
cd my-app && npm install && npm run dev
```

Or use the SDK directly:
```js
import { AuthCore, AccountBannedError } from 'nexus-auth-sdk';

const auth = new AuthCore({ apiKey: 'nx_xxx' });

// Register (handles email verification / captcha automatically)
await auth.register({ email, password });

// Login returns JWT + Refresh Token
const { token, refreshToken, user } = await auth.login({ email, password });

// Verify any token (password login + OIDC auto-detected)
const { valid, source } = await auth.verifyAny(token); // source: 'jwt' | 'oidc'

// Named error classes — no hardcoded error strings
try {
  await auth.login({ email, password });
} catch (e) {
  if (e instanceof AccountBannedError) showBannedUI(e.reason);
  else throw e;
}
```

```
Your App (Browser)                    AuthCore Gateway
──────────────────                    ─────────────────
│                                                    │
│ 1. POST /auth/register { email, password }         │
│ ─────────────────────────────────────────────────► │
│                                                    │
│                                 PBKDF2 100k + salt │
│                                Store in D1 (users) │
│                                Issue JWT + Refresh │
│                                                    │
│ ◄───────────────────────────────────────────────── │
│ { token, refreshToken, user }                      │
│                                                    │
│ 2. GET /auth/verify Bearer <token>                 │
│ ─────────────────────────────────────────────────► │
│                             If account is banned → │
│                               instant 403 response │
│ ◄───────────────────────────────────────────────── │
│                                                    │
│ 3. JWT expires (1h), auto-refresh (SDK handles it) │
│ ─────────────────────────────────────────────────► │
│ ◄───────────────────────────────────────────────── │
│ { token (new), refreshToken (rotated) }            │
```

```
OIDC SSO Client                           AuthCore Gateway
────────────────                          ─────────────────
│                                                        │
│ /oauth/authorize ?response_type=code &PKCE &state      │
│ ─────────────────────────────────────────────────►     │
│                                                        │
│ User confirms on AuthCore consent page                 │
│                                                        │
│ ◄── 302 redirect_uri ?code=xxx &state=yyy ──────       │
│                                                        │
│ POST /oauth/token { code, code_verifier }              │
│ ─────────────────────────────────────────────────►     │
│ ◄── { access_token, refresh_token, id_token (RS256) }  │
│                                                        │
│ GET /oauth/userinfo Bearer <access_token>              │
│ ─────────────────────────────────────────────────►     │
│ ◄── { sub, email, name, picture, email_verified } ──   │
```
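
The client side of the authorization-code flow above, as an added example (not code from nexus-auth-sdk): it derives the S256 PKCE challenge, builds the `/oauth/authorize` request, and rejects a callback whose `state` does not match before any code is exchanged. The `client_id`, `redirect_uri`, `scope` and `grant_type` parameter names follow RFC 6749/7636 and are assumed to be what the gateway accepts; `beginLogin` and `handleCallback` are hypothetical helper names.

```javascript
// Web Crypto is a global in browsers, Cloudflare Workers and Node 19+; older Node uses the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// RFC 7636 S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function challengeFor(verifier) {
  const digest = await wc.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return b64url(new Uint8Array(digest));
}

// Build the authorize URL plus the per-login secrets the client must keep
// (for example in sessionStorage) until the redirect comes back.
async function beginLogin({ issuer, clientId, redirectUri, scope = 'openid email profile' }) {
  const verifier = b64url(wc.getRandomValues(new Uint8Array(32))); // 43 characters
  const state = b64url(wc.getRandomValues(new Uint8Array(16)));
  const url = new URL('/oauth/authorize', issuer);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,          // assumed standard parameter names
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: await challengeFor(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), pending: { state, verifier, redirectUri } };
}

// Validate the 302 callback, then return the body for POST /oauth/token.
function handleCallback(callbackUrl, pending) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const state = params.get('state');
  if (!state || state !== pending.state) throw new Error('state mismatch: discard this response');
  const code = params.get('code');
  if (!code) throw new Error('callback carries no code');
  return {
    grant_type: 'authorization_code', // assumed, per RFC 6749
    code,
    code_verifier: pending.verifier,
    redirect_uri: pending.redirectUri,
  };
}
```
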
| | AuthCore | Auth0 | Clerk | DIY |
|---|---|---|---|---|
| Deploy | CF Workers, 5 min | Closed SaaS | Closed SaaS | Weeks to months |
| Price | Free (self-host) | From $25/mo | From $25/mo | Engineering cost |
| OIDC SSO | ✓ | ✓ | ✓ | Build it yourself |
| User ban / moderation | ✓ | Partial | Partial | Build it yourself |
| 14-day account deletion | ✓ | Partial | Partial | Build it yourself |
| Source code | MIT, fully open | ✗ | ✗ | Your code |
Authentication & Authorization
- Email + password registration with PBKDF2 (100k iterations + random salt)
- JWT (1h) + Refresh Token (30d sliding window)
- Full OpenID Connect Provider (RS256 + JWKS + PKCE + state/nonce validation)
- 6 OIDC endpoints + Google-style consent page
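
An added example of the PBKDF2 scheme named above, using the Web Crypto API that Workers expose; it is not the gateway's own code. HMAC-SHA-256, the 16-byte salt and the `pbkdf2-sha256$iterations$salt$hash` record format are assumptions, since the page states only the iteration count and that the salt is random.

```javascript
// Web Crypto is a global in browsers, Cloudflare Workers and Node 19+; older Node uses the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 100_000; // the count stated on the page

const hex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));
const isHex = (s) => /^([0-9a-f]{2})+$/.test(s ?? '');

// PBKDF2-HMAC-SHA-256 (assumed hash), 256-bit output.
async function derive(password, salt, iterations) {
  const material = new TextEncoder().encode(password.normalize('NFKC'));
  const key = await wc.subtle.importKey('raw', material, 'PBKDF2', false, ['deriveBits']);
  return wc.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, key, 256);
}

// The record carries its own parameters so the work factor can be raised later
// without invalidating existing users (constructed format, not the D1 schema).
async function hashPassword(password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const hash = await derive(password, salt, ITERATIONS);
  return `pbkdf2-sha256$${ITERATIONS}$${hex(salt)}$${hex(hash)}`;
}

async function verifyPassword(password, stored) {
  const [scheme, iter, saltHex, hashHex] = String(stored).split('$');
  if (scheme !== 'pbkdf2-sha256' || !/^[1-9]\d{0,6}$/.test(iter ?? '') ||
      !isHex(saltHex) || !isHex(hashHex)) {
    return { ok: false, needsRehash: false }; // malformed record: fail closed
  }
  const expected = unhex(hashHex);
  const actual = new Uint8Array(await derive(password, unhex(saltHex), Number(iter)));
  // Compare every byte regardless of where the first mismatch is.
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < actual.length; i++) diff |= actual[i] ^ (expected[i] ?? 0);
  const ok = diff === 0;
  // A correct password stored with a weaker work factor should be re-hashed at login.
  return { ok, needsRehash: ok && Number(iter) < ITERATIONS };
}
```
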
Security
- Brute-force protection (5 attempts / 15 min lockout)
- API key IP allowlist, SSRF protection, security headers
- Full account ban system (4 identity tables + permanent audit log)
- Named error classes (`AccountBannedError` / `ApiKeyBannedError` / `AppBannedError`)
Compliance
- Self-service 14-day account deletion + cron hard-delete
- Public abuse report endpoint `/api/abuse/report` (rate-limited)
- Banned content retained 90 days for legal response
Developer Experience
- Webhooks with `app_id` field for multi-key routing
- 4 granular 403 error codes propagated end-to-end through the SDK
- React hooks: `useAuth()`, `useOIDC()`
| Directory | Description |
|---|---|
| `workers/nexus-gateway/` | Auth gateway Worker (Hono + D1 + R2), entry: `index.ts` |
| `workers/nexus-gateway/sdk/` | npm package `nexus-auth-sdk` source |
| `workers/migrations/` | D1 database migration scripts |
| `create-authcore-app/` | npm package `create-nexus-auth` — scaffolding CLI |
```bash
npx wrangler d1 create nexus-db
npx wrangler r2 bucket create nexus-avatars
```

Add the `database_id` to `workers/nexus-gateway/wrangler.toml`.

```bash
cd workers/nexus-gateway
npx wrangler d1 execute nexus-db --file=../migrations/0004_api_keys.sql --remote
npx wrangler d1 execute nexus-db --file=../migrations/0005_oauth_codes.sql --remote
# ... run gateway-related SQL files in order
```

```bash
cd workers/nexus-gateway
npx wrangler secret put JWT_SECRET # random 32+ char string
npx wrangler secret put RESEND_API_KEY # Resend email API key
npx wrangler secret put PLATFORM_OWNERS # admin emails, comma-separated
```

```bash
cd workers/nexus-gateway && npx wrangler deploy
```

```bash
npm install nexus-auth-sdk # SDK
npx create-nexus-auth my-app # scaffolding CLI
```

- `nexus-auth-sdk` — 4 entry points: `/` (core), `/react`, `/oidc`, `/oidc-react`
- `create-nexus-auth` — 3 templates: full (frontend + backend), oidc-only (SPA), backend-only

- Runtime: Cloudflare Workers + Hono + TypeScript
- Database: D1 (SQLite) + R2 (avatars)
- Email: Resend
- CAPTCHA: Alibaba Cloud ESA Edge CAPTCHA
MIT