account
User account management with encrypted storage.
Secure authentication & session management for Node.js
ORM-like modules for accounts, authentication, messengers, and sessions. Consistent APIs with encryption by default and industry-standard cryptographic algorithms.
Project highlights
OWASP
ASVS v5.0 Level 3
96%
Code coverage
SLSA 3
Supply chain security
Everything you need for secure auth
Secure by default
ChaCha20-Poly1305 encryption, Argon2id password hashing, HMAC-signed sessions, and timing-safe authentication out of the box.
Consistent APIs
ORM-like interface for accounts, credentials, messengers, and sessions. Encryption and decryption applied transparently.
Multi-factor auth
WebAuthn/FIDO2, recovery codes, and access tokens. Pluggable credential types with a unified authentication flow.
Multiple backends
DynamoDB, PostgreSQL, SQLite, and Cloudflare D1. Swap storage backends without changing your application code.
Per-record encryption
Every sensitive field is encrypted before storage with per-user derived keys. Digests are used for lookups instead of plaintext.
Battle-tested security
SAST, DAST, SCA, fuzzing, and performance benchmarks run on every commit. OpenSSF Scorecard and SLSA 3 compliant.
Core packages
Modular packages that work together or standalone.