Cloudflare Auth is an independent open-source authentication kit for Cloudflare Workers applications. It provides self-deployed email/password auth, username login, magic links, email verification, password reset, D1-backed opaque sessions, local terminal email, and adapters for Hono and plain Workers. Developers own the Worker, D1 database, secrets, email configuration, and user data in their own Cloudflare account. This project is not affiliated with, endorsed by, or sponsored by Cloudflare.
npx --package @cf-auth/cli@latest cf-auth init my-app --template hono-basic
cd my-app
pnpm install
npx --package @cf-auth/cli@latest cf-auth migrate --local
npm run dev

The local template runs auth at /auth, stores data in D1, prints development email links to the terminal, and uses an unprefixed local cookie on http://localhost.
npx --package @cf-auth/cli@latest cf-auth init
pnpm install
npx --package @cf-auth/cli@latest cf-auth migrate --local
npm run dev

Mount the generated routes once:

app.route(authConfig.basePath, createAuthRoutes(authConfig));

Development uses the terminal email adapter by default. Magic-link, verification, and reset URLs are printed locally and can optionally appear in the development outbox at /auth/dev/emails. Terminal email is rejected in preview and production.
npx --package @cf-auth/cli@latest cf-auth doctor --env production
npx --package @cf-auth/cli@latest cf-auth migrate --remote --env production
npx --package @cf-auth/cli@latest cf-auth deploy --env production

Use npx --package @cf-auth/cli@latest cf-auth deploy --migrate --env production when you want the CLI to run migration checks during deployment.
Run npx --package @cf-auth/cli@latest cf-auth doctor --report --env production when you need redaction-safe JSON for support or release records.
Cloudflare Auth stores only HMAC-hashed session and email tokens, uses versioned password hash envelopes, validates redirect targets before token creation, consumes magic and verification links only on POST, uses D1 rate limits with opaque derived keys, and keeps request-origin and redirect-origin allowlists separate.
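The redirect and origin rules above can be sketched as follows. This is an added example, not Cloudflare Auth's own code: the policy shape, the function names, and the example.com origins are hypothetical, and reading the request origin from the browser's Origin header is an assumption.

```javascript
// Added illustration; not Cloudflare Auth's code. All names and origins are hypothetical.
const policy = {
  appOrigin: "https://app.example.com", // base for relative redirect targets
  // Who may send state-changing requests to the auth routes.
  requestOrigins: new Set(["https://app.example.com"]),
  // Where emailed links may land after completion. Deliberately a separate list.
  redirectOrigins: new Set(["https://app.example.com", "https://docs.example.com"]),
};

// Exact-match check of the Origin header (assumed source of the request origin).
function isAllowedRequestOrigin(originHeader, p = policy) {
  return typeof originHeader === "string" && p.requestOrigins.has(originHeader);
}

// Resolve a caller-supplied redirect target; returns a normalized URL or null.
function resolveRedirectTarget(target, p = policy) {
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) return null;
  // Control characters and backslashes are normalized unpredictably by URL parsers.
  if (/[\u0000-\u001f\u007f\\]/.test(target)) return null;
  let url;
  try {
    url = new URL(target, p.appOrigin); // "/path" resolves against the app origin
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null; // no userinfo in redirect targets
  // Compare the parsed origin, never a string prefix of the raw input.
  if (!p.redirectOrigins.has(url.origin)) return null;
  return url.href;
}

// Validate first; a token is minted only for an already-validated target.
function startMagicLink(req, mintToken, p = policy) {
  if (!isAllowedRequestOrigin(req.origin, p)) return { ok: false, reason: "request_origin" };
  const redirectTo = resolveRedirectTarget(req.redirectTo, p);
  if (redirectTo === null) return { ok: false, reason: "redirect_target" };
  return { ok: true, redirectTo, token: mintToken(redirectTo) };
}
```

Because validation runs before `mintToken`, a rejected target never produces a stored token or an outbound email, and an origin that is a valid redirect destination still cannot call the auth routes.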
Operational event queries are documented in docs/metrics.md. Event rows use HMACed IP and user-agent values and do not store raw identifiers, tokens, cookies, or passwords.
The v1 surface supports Hono and plain Cloudflare Workers. The browser client SDK is framework-agnostic.
The full command surface is documented in docs/cli.md.
See docs/troubleshooting.md for missing D1 bindings, unapplied migrations, secret setup, cookie issues, email binding failures, and package-name fallback commands.
Known v1 limitations are listed in docs/known-limitations.md.
OAuth, SAML, passkeys, MFA, organizations, hosted dashboards, hosted auth service, billing, and authorization roles are outside v1. See docs/non-goals.md.
Supported versions and vulnerability reporting instructions live in SECURITY.md.