
Overview

The AuthConfig interface defines all configuration options for initializing Arraf Auth with createAuth.
interface AuthConfig {
  secret: string
  database: DatabaseAdapter
  session?: SessionConfig
  providers?: OAuthProvider[]
  plugins?: Plugin[]
  sms?: SMSProvider
  otp?: OTPConfig
  trustedOrigins?: string[]
}

Fields

secret
string
required
A secret key used for signing and encrypting session tokens. This should be a long, random string stored securely in environment variables.
Never commit your secret to version control. Use environment variables like process.env.AUTH_SECRET.
secret: process.env.AUTH_SECRET!
database
DatabaseAdapter
required
The database adapter instance for persisting users, sessions, accounts, and verifications.
import { DrizzleAdapter } from "@arraf-auth/adapter-drizzle"
import { db } from "./db"

database: DrizzleAdapter(db)
See Database Adapter API, Prisma Adapter, and Drizzle Adapter for details.
session
SessionConfig
Session configuration, including strategy, expiration, and cookie settings. Defaults to the JWT strategy with a 7-day expiration. See SessionConfig for all available options.
session: {
  strategy: "database",
  expiresIn: "30d",
  cookieName: "auth_token",
}
providers
OAuthProvider[]
Array of OAuth providers for social authentication (Google, GitHub, etc.).
import { Google, GitHub } from "@arraf-auth/providers"

providers: [
  Google({
    clientId: process.env.GOOGLE_CLIENT_ID!,
    clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  }),
  GitHub({
    clientId: process.env.GITHUB_CLIENT_ID!,
    clientSecret: process.env.GITHUB_CLIENT_SECRET!,
  }),
]
See OAuth Provider API, Google Provider, and GitHub Provider for details.
plugins
Plugin[]
Array of plugins to extend Arraf Auth functionality with custom routes and hooks.
interface Plugin {
  id: string
  routes?: Record<string, RouteHandler>
  hooks?: PluginHooks
}
Plugins can add custom routes and lifecycle hooks for sign-in, sign-up, and OTP verification events.
sms
SMSProvider
SMS provider for sending OTP codes via text message.
interface SMSProvider {
  send(params: SMSSendParams): Promise<SMSSendResult>
}

interface SMSSendParams {
  to: string
  message: string
}
See SMS Provider API for implementation details and examples.
otp
OTPConfig
Configuration for one-time password (OTP) behavior, including length, expiration, and message templates. See OTPConfig for all available options.
otp: {
  length: 6,
  expiresIn: 300, // 5 minutes in seconds
  maxAttempts: 3,
}
trustedOrigins
string[]
Array of trusted origin URLs for CORS and CSRF protection. Requests from origins not in this list will be rejected.
trustedOrigins: [
  "http://localhost:3000",
  "https://app.example.com",
]
Always include all domains where your frontend application runs.
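An added example, not part of Arraf Auth or its documentation: a pre-flight check for the secret and trustedOrigins fields described above, meant to run before createAuth. The 32-character minimum, the distinct-character floor, the exact-origin rule (which assumes entries are compared against the browser's serialized Origin header), the treatment of local origins, and the names checkSecret, parseUrl, checkOrigin and checkAuthConfig are all assumptions of this example.

```typescript
// Added example (not Arraf Auth code). Thresholds and rules are assumptions.
const MIN_SECRET_LENGTH = 32  // assumed minimum length for AUTH_SECRET
const MIN_DISTINCT_CHARS = 10 // assumed floor; rejects values like "aaaa..."

function checkSecret(secret: string | undefined): string[] {
  if (!secret) return ["secret: missing or empty"]
  const problems: string[] = []
  if (secret.length < MIN_SECRET_LENGTH) {
    problems.push(`secret: shorter than ${MIN_SECRET_LENGTH} characters`)
  }
  const seen: Record<string, boolean> = {}
  for (let i = 0; i < secret.length; i++) seen[secret.charAt(i)] = true
  if (Object.keys(seen).length < MIN_DISTINCT_CHARS) {
    problems.push("secret: too few distinct characters to be random")
  }
  return problems
}

function parseUrl(entry: string) {
  try { return new URL(entry) } catch { return null }
}

// Returns the reason an entry is unsafe, or null when it is acceptable.
function checkOrigin(entry: string, production: boolean): string | null {
  if (entry.indexOf("*") !== -1) return "contains a wildcard"
  const url = parseUrl(entry)
  if (url === null) return "is not an absolute URL"
  if (url.protocol !== "http:" && url.protocol !== "https:") return "is not http(s)"
  // Browsers send Origin as scheme://host[:port]; anything else never matches
  // an exact comparison (assumed to be how the list is checked).
  if (url.origin !== entry) return "is not a bare origin (scheme://host[:port])"
  const local = url.hostname === "localhost" || url.hostname === "127.0.0.1"
  if (local) return production ? "is a local origin in a production list" : null
  if (url.protocol === "http:") return "uses plain http"
  return null
}

function checkAuthConfig(
  secret: string | undefined,
  trustedOrigins: string[],
  production: boolean,
): string[] {
  const problems = checkSecret(secret)
  for (const entry of trustedOrigins) {
    const reason = checkOrigin(entry, production)
    if (reason !== null) problems.push(`trustedOrigins: "${entry}" ${reason}`)
  }
  return problems
}
```

Pass it process.env.AUTH_SECRET and the same array given to trustedOrigins, and fail startup when the returned list is not empty.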

Complete Example

import { createAuth } from "@arraf-auth/core"
import { DrizzleAdapter } from "@arraf-auth/adapter-drizzle"
import { Google, GitHub } from "@arraf-auth/providers"
import { Twilio } from "@arraf-auth/sms-twilio"
import { db } from "./db"

const auth = createAuth({
  secret: process.env.AUTH_SECRET!,
  
  database: DrizzleAdapter(db),
  
  session: {
    strategy: "database",
    expiresIn: "30d",
    cookieName: "session_token",
    cookieOptions: {
      secure: true,
      sameSite: "lax",
    },
  },
  
  providers: [
    Google({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    }),
    GitHub({
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }),
  ],
  
  sms: Twilio({
    accountSid: process.env.TWILIO_ACCOUNT_SID!,
    authToken: process.env.TWILIO_AUTH_TOKEN!,
    fromNumber: process.env.TWILIO_PHONE_NUMBER!,
  }),
  
  otp: {
    length: 6,
    expiresIn: 600, // 10 minutes
    maxAttempts: 5,
    messageTemplate: (otp, appName) => 
      `Your ${appName || "App"} verification code is: ${otp}`,
  },
  
  trustedOrigins: [
    "http://localhost:3000",
    "https://app.example.com",
  ],
})

export const { handler, getSession } = auth
