authkit 0.1.0

A Rust authentication library supporting multiple hashing algorithms and databases.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291

AuthKit

A better-auth–inspired authentication library for Rust
Plug-and-play. Framework-agnostic. Opinionated, but extensible.

Overview

AuthKit is a Rust authentication library designed to feel like better-auth, but for the Rust ecosystem.

It provides:

A single Auth entry point

Opinionated defaults (secure by default)

Zero framework lock-in

Database-backed authentication using SQLx (Postgres / SQLite)

The same API across HTTP servers, CLIs, background workers, and proxies

AuthKit is not a framework, middleware, or ORM.
It is a self-contained authentication engine that you embed into your application.

Design Goals

AuthKit is built around the following non-negotiable principles:

1. Single Entry Point

Users interact with one object only: Auth.

let auth = Auth::builder()
    .database(Database::sqlite("auth.db").await?)
    .build()?;


No repositories.
No generics.
No leaked internals.

2. Framework-Agnostic by Design

AuthKit:

Does not depend on Axum, Actix, Rocket, Hyper, or Tower

Does not assume HTTP

Works equally well in:

CLI tools

REST APIs

gRPC services

Proxies (Pingora)

Background workers

Framework adapters live outside the core.

3. Opinionated Defaults, Explicit Overrides

AuthKit ships with:

Argon2id password hashing

Database-backed sessions

Secure token generation

Sensible expiry defaults

Users can override behavior explicitly, but never accidentally weaken security.

4. No Leaky Abstractions

AuthKit hides:

SQLx

Database schemas

Crypto implementations

Token formats

Users never interact with:

Traits

Repositories

Lifetimes

Generic parameters

5. Same API Everywhere
auth.register(Register { ... }).await?;
auth.login(Login { ... }).await?;
auth.verify(token).await?;
auth.logout(token).await?;


These calls behave identically whether invoked from:

an HTTP handler

a CLI command

a test

a background task

Non-Goals

AuthKit intentionally does not attempt to:

Be an OAuth provider (may integrate later)

Replace application authorization logic

Act as a user management UI

Tie itself to any web framework

Example Usage
Create an Auth Instance
use authkit::prelude::*;

let auth = Auth::builder()
    .database(Database::sqlite("auth.db").await?)
    .build()?;

Register a User
auth.register(Register {
    email: "user@example.com".into(),
    password: "secure-password".into(),
}).await?;

Login
let session = auth.login(Login {
    email: "user@example.com".into(),
    password: "secure-password".into(),
}).await?;

Verify a Session
let user = auth.verify(&session.token).await?;

Logout
auth.logout(&session.token).await?;

Architecture
Auth
 └── AuthInner (Arc)
     ├── Database (trait object)
     ├── PasswordStrategy
     └── SessionStrategy


Key characteristics:

Auth is cheap to clone

Internals are hidden

Components are swappable

No global state

Database Support

Currently supported:

SQLite

PostgreSQL

Backed by SQLx, but SQLx is not exposed.

AuthKit manages:

Schema

Migrations

Versioning

auth.migrate().await?;

Security Defaults
Feature	Default
Password hashing	Argon2id
Timing-safe compares	Enabled
Session expiration	Enabled
Token entropy	High
Password reuse	Prevented
Weak passwords	Rejected

Security-sensitive behavior requires explicit opt-out.

Feature Flags
[features]
default = ["sqlite", "argon2"]

sqlite = ["sqlx/sqlite"]
postgres = ["sqlx/postgres"]
argon2 = []
jwt = []

Adapters

Adapters translate framework-specific concepts into AuthKit calls.

Planned adapters:

Axum

Actix

Rocket

Hyper

Pingora

CLI helpers

Adapters contain no authentication logic.

Project Status

Current phase: Foundation

Implemented / In Progress:

Core Auth API

Builder pattern

SQLite backend

Password hashing

Database sessions

Planned:

PostgreSQL backend

Axum adapter

JWT sessions

Refresh tokens

Audit logging

Contribution Guidelines (Agents)

If you are contributing to this project:

You MUST:

Preserve the single-entry-point design

Avoid exposing generics or traits publicly

Keep framework dependencies out of core

Prefer composition over configuration

Default to secure behavior

You MUST NOT:

Add framework-specific logic to core

Leak SQLx types into the public API

Introduce global state

Require users to wire repositories manually

If a change makes the API feel less like better-auth, it is probably wrong.

License

MIT / Apache-2.0 (TBD)