Tech USP: Login and permissions aren’t something you build — they’re the framework default. Email/password, JWT, sessions, roles, field-level access, row ownership — all built in.
Highlights
- Email/password with Argon2, plus Identity-V3 migration (legacy hash verifier)
- JWT via jose, `jti` claim for session revocation
- Sessions with `sessionCreator` / `sessionRevoker` / `sessionChecker` callbacks, auto-revoke on password change
- Roles as typed string unions, not enums
- Field access: read/write configurable per field
- Row ownership via the `from()` helper (`user:id` / `claim:featureQn`), straddle-safe multi-role check
- Auth claims via `r.authClaims()`: features write claims into the JWT, typed handles, auto-prefix
- Anonymous access for public endpoints (`roles: ["anonymous"]`)
- Password reset + email verification with HMAC-signed tokens, silent success, login gate via config
- 2FA planned
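How the JWT `jti` revocation, the auto-revoke on password change, and the HMAC-signed reset tokens with silent success fit together, as an added example that is not the framework's code. It signs HS256 tokens with `node:crypto` instead of jose so it runs offline; `SECRET`, the `users` map, the `outbox` mail sink and every function name are hypothetical.

```typescript
// Added example, not the framework's code. HS256 via node:crypto (no jose) so it runs
// offline; a jti denylist for logout; a per-user session version that kills every
// session on password change; HMAC-signed, single-use reset tokens issued silently.
// SECRET, users, outbox and the function names are hypothetical.
import { createHmac, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";

const SECRET = randomBytes(32); // hypothetical: a real deployment loads this from config

type Claims = { sub: string; jti: string; sv: number; exp: number; roles: string[] };

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const hmac = (...parts: string[]): Buffer => {
  const h = createHmac("sha256", SECRET);
  for (const p of parts) h.update(p);
  return h.digest();
};
// Constant-time comparison; a length mismatch is reported without throwing.
const macEquals = (givenB64: string, expected: Buffer): boolean => {
  const given = Buffer.from(givenB64, "base64url");
  return given.length === expected.length && timingSafeEqual(given, expected);
};

export function signJwt(claims: Claims): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${header}.${body}.${hmac(`${header}.${body}`).toString("base64url")}`;
}

// Checks the MAC first, pins the algorithm, then checks expiry. Null on any failure.
export function verifyJwt(token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts as [string, string, string];
  if (!macEquals(sig, hmac(`${header}.${body}`))) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null; // reject alg confusion such as "none"
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
    return claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}

// Server-side state the stateless token cannot carry: explicit revocations and the
// session version each user's tokens must match.
const revokedJti = new Set<string>();
const sessionVersion = new Map<string, number>();

export function createSession(userId: string, roles: string[], now: number, ttlSec = 3600): string {
  const sv = sessionVersion.get(userId) ?? 0;
  return signJwt({ sub: userId, jti: randomUUID(), sv, exp: now + ttlSec, roles });
}

export function revokeSession(token: string): void {
  const claims = verifyJwt(token, 0); // now = 0: an already-expired token can still be denylisted
  if (claims) revokedJti.add(claims.jti);
}

export function checkSession(token: string, now: number): Claims | null {
  const claims = verifyJwt(token, now);
  if (!claims) return null;
  if (revokedJti.has(claims.jti)) return null;                          // logged out
  if (claims.sv !== (sessionVersion.get(claims.sub) ?? 0)) return null; // password changed since issue
  return claims;
}

export function onPasswordChanged(userId: string): void {
  sessionVersion.set(userId, (sessionVersion.get(userId) ?? 0) + 1);
}

// Constructed sample user store and a mail sink standing in for e-mail delivery.
const users = new Map<string, { id: string; email: string; pwHash: string }>([
  ["u1", { id: "u1", email: "alice@example.com", pwHash: "argon2-hash-v1" }],
]);
export const outbox: string[] = [];

// Silent success: the response is identical whether or not the address exists, so the
// endpoint cannot enumerate accounts. The MAC covers the current password hash, which
// makes the token single-use: once the password changes the MAC no longer verifies.
export function requestPasswordReset(email: string, now: number, ttlSec = 900): { ok: true } {
  const user = Array.from(users.values()).find(u => u.email === email);
  if (user) {
    const payload = b64url(JSON.stringify({ uid: user.id, purpose: "reset", exp: now + ttlSec }));
    outbox.push(`${payload}.${hmac(payload, user.pwHash).toString("base64url")}`);
  }
  return { ok: true };
}

export function consumeResetToken(token: string, now: number, newPwHash: string): boolean {
  const parts = token.split(".");
  if (parts.length !== 2) return false;
  const [payload, mac] = parts as [string, string];
  let body: { uid: string; purpose: string; exp: number };
  try { body = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return false; }
  const user = users.get(body.uid);
  if (!user || body.purpose !== "reset" || !(body.exp > now)) return false;
  if (!macEquals(mac, hmac(payload, user.pwHash))) return false;
  user.pwHash = newPwHash;    // this token's MAC is now stale: single use
  onPasswordChanged(user.id); // auto-revoke every live session for the user
  return true;
}
```

The session version is bumped rather than every `jti` being enumerated, so revoking all sessions on password change costs one map write and needs no list of outstanding tokens; the `jti` denylist only has to hold tokens until their own `exp` passes.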
Architecture deep dive
- `permissions`: roles + ownership
Where this lands in the pitch
- EU mid-market: Implicit under “audit + compliance” (ISO 27001 requires session management)
- Indie hackers: Sub-argument under “AI builds everything” — auth is part of the generated backend