Passwordless Auth for Cloudflare Workers — No External Service Required

Larry Maccherone
Founder Lumenize and Transformation.dev

If you're building on Cloudflare Workers and Durable Objects, you've probably wired up auth at least once — JWT validation, token refresh, key rotation, permission checking. It's not glamorous work, and bolting on an external auth service (Auth0, Clerk, Supabase Auth) means another dependency, another bill, another point of failure, and latency from round-trips to someone else's infrastructure.

@lumenize/auth is a different approach: passwordless authentication that runs entirely inside your Cloudflare Worker. No external service. No SDK. Just a Durable Object that handles magic-link login, JWT signing, refresh token rotation, and access control — all at the edge.

Why another auth library?

Because the existing options for Workers are either too heavy or too light:

  • External auth services add latency, cost, and a dependency on infrastructure you don't control. Your Workers are at the edge; your auth shouldn't be in us-east-1.
  • Rolling your own means re-solving key rotation, refresh token revocation, admin approval flows, and WebSocket auth every time.

@lumenize/auth sits in between. It's a single Durable Object (LumenizeAuth) that stores subjects (aka "users") in DO SQLite storage, signs Ed25519 JWTs, and exposes a handful of HTTP routes. You get:

Works with any Workers project

@lumenize/auth is the default auth for Lumenize Mesh, but it doesn't require Mesh at all. There are two pieces to wire up: auth endpoints (magic link, token refresh, invites) and JWT verification on your protected routes.

npm install @lumenize/auth

createAuthRoutes handles the first piece — it returns a handler with the signature (request: Request) => Promise<Response | undefined>. Wire it into your fetch handler; it returns a Response for auth routes and undefined for everything else, so it chains naturally with whatever routing you already have.

createRouteDORequestAuthHooks handles the second piece — JWT verification, two-phase access enforcement, and per-subject rate limiting, packaged as onBeforeRequest and onBeforeConnect hooks for routeDORequest. If you use Hono, honoAuthMiddleware wraps both pieces into clean route handlers so you don't need to wire hooks manually.

If you'd rather wire the contracts into your own routing, that's straightforward too — the auth header contract is just Authorization: Bearer {jwt} on every request to your DOs. See Integrating Alternative Auth for the exact requirements.

The getting started guide walks through both pieces end-to-end — key generation, Worker entry point, email provider (Resend in 5 minutes), and the optional Turnstile and rate limiting add-ons.

What's next

If you just need auth, start here. If you want the full mesh — where DOs, Workers, and browser clients are all equal peers with access control baked in — check out the Lumenize Mesh announcement.