The Security Library for
Modern Architectures

Kroxt is a premium, stack-aware authentication engine. Zero-config bootstrapping with npx kroxt init.

Explore Documentation Start Building ↗

lib/auth.ts

❯ npx kroxt init

? Choose your database adapter: mongoose

? Enable rate limiting defensive layer? Yes

? Create a boilerplate User model? Yes

✔ Created: src/lib/kroxt/auth.ts

✔ Created: src/lib/kroxt/user.model.ts

✔ Installed: kroxt, mongoose, dotenv

import { createAuth } from "kroxt";
 
export const auth = createAuth({
  adapter: authAdapter,
  secret: process.env.JWT_SECRET,
  
  // Global Security Configurations
  session: {
    expires: "15m",
    refreshExpires: "7d",
    enforceStrictRevocation: true // Real-time token validation
  },
  rateLimit: {
    max: 100, // Requests per minute limit
    windowMs: 60 * 1000
  },
  ipBlocking: {
    maxStrikes: 5, // Ban IPs after 5 failed login/refresh attempts
    blockDurationMs: 15 * 60 * 1000
  },
  passwordPolicy: {
    minLength: 6,
    requireUppercase: true,
    requireSpecialCharacter: true
  },
 
  jwt: {
    payload: (user, type) => {
      // Sign custom metadata into your JWTs securely
      if (type === "access") {
        return { role: user.role, schoolId: user.schoolId };
      }
      return {};
    }
  }
});

Core Ecosystem

Built for Scale.

Stack Agnostic

First-class support for Next.js, Nuxt, SvelteKit, Astro, Hono, Express, Koa, and Fastify—built organically from standard TypeScript.

Universal Adapters

Bring your own schema. Optimized out-of-the-box adapters for Prisma, Drizzle, Mongoose, and in-memory mock endpoints.

Global Revocation

Password-Linked Tokens natively embed hash fragments. Change a password to instantly invalidate all hijacked sessions.

IP Defense

Native Strike architecture throttles sequential brute-force stuffing without adding external Redis dependencies.

Policy Engine

Dynamic Dictionary and Regex guards automatically block weak payloads natively before hashing routines fire.

Argon2 Native

Integrated Argon2 Hashing with server-side peppering and salt-rotation natively handled before data persistence.

The Security Library forModern Architectures