Authentication Overview
Velox TS ships with two authentication strategies — JWT for stateless APIs and sessions for server-rendered apps — plus guards, policies, rate limiting, and password hashing. Choose one strategy or combine them depending on your deployment model.
Quick Comparison
Section titled “Quick Comparison”| Feature | JWT | Sessions |
|---|---|---|
| Storage | Client (token) | Server (store) |
| Scalability | Stateless | Requires shared store |
| Revocation | Difficult | Easy |
| Use case | APIs, mobile | Web apps, SSR |
JWT Authentication
Section titled “JWT Authentication”Token-based, stateless authentication with access/refresh token pairs:
import { jwtManager, authPlugin, authenticated } from '@veloxts/auth';
// Configure JWT with access and refresh tokensconst jwt = jwtManager({ secret: process.env.JWT_SECRET!, refreshSecret: process.env.JWT_REFRESH_SECRET!, accessTokenExpiry: '15m', refreshTokenExpiry: '7d',});
await app.register(authPlugin, { jwt });
// Protect procedures with guardsgetProfile: procedure() .guard(authenticated) .query(({ ctx }) => ctx.user),Session Authentication
Section titled “Session Authentication”Cookie-based, server-side sessions with secure defaults:
import { sessionMiddleware, inMemorySessionStore } from '@veloxts/auth';
const session = sessionMiddleware({ secret: process.env.SESSION_SECRET!, // 32+ chars store: inMemorySessionStore(), // Use Redis in production cookie: { secure: true, httpOnly: true, sameSite: 'lax', }, userLoader: async (userId) => db.user.findUnique({ where: { id: userId } }),});
// Protect proceduresgetProfile: procedure() .use(session.required()) .query(({ ctx }) => ctx.user),Guards
Section titled “Guards”Protect procedures with authorization checks:
import { authenticated, hasRole, hasPermission } from '@veloxts/auth';
// Must be logged in.guard(authenticated)
// Must have specific role.guard(hasRole('admin'))
// Must have permission.guard(hasPermission('users:write'))
// Chain multiple guards.guard(authenticated).guard(hasRole('editor'))Guards narrow ctx.user type - after authenticated, ctx.user is guaranteed to exist.
Authentication Adapters
Section titled “Authentication Adapters”Integrate third-party authentication providers like Clerk, Auth0, or Better Auth:
import { createClerkAdapter } from '@veloxts/auth/adapters';import { createAuthAdapterPlugin } from '@veloxts/auth';
const adapter = createClerkAdapter({ name: 'clerk', clerk: createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY! }),});
const authPlugin = createAuthAdapterPlugin({ adapter, config: adapter.config });app.register(authPlugin);Learn more about Auth Adapters
Templates
Section titled “Templates”Quick start with authentication:
npx create-velox-app my-app --authnpx create-velox-app my-app --rsc-authRelated Content
Section titled “Related Content”- Auth Adapters - Clerk, Auth0, Better Auth integration
- JWT - Token authentication
- Sessions - Cookie-based auth
- Guards - Authorization