Auth for TypeScript, done right.
Himayah is a lightweight, schema-first authentication framework. You own your database, your schema, and your code. We handle the hard parts.
```ts
import { createAuth } from "@himayah/core";
import { createJWTSessionStore } from "@himayah/session";
import { passwordPlugin } from "@himayah/plugin-password";
import { drizzleAdapter } from "@himayah/adapter-drizzle";

// db, users, getPasswordHash and setPasswordHash are defined in your application (not shown here).
export const auth = createAuth({
  adapter: drizzleAdapter(db, { users }),
  sessionStore: createJWTSessionStore({
    // Session secret is read from the environment, not hard-coded.
    secret: process.env.AUTH_SECRET!,
  }),
  plugins: [
    passwordPlugin({ getPasswordHash, setPasswordHash }),
  ],
  baseUrl: process.env.APP_URL!,
});
```

Everything you need, nothing you don't
Himayah ships with production-grade security defaults and a composable plugin system.
AES-256-GCM Sessions
Stateless JWE sessions encrypted client-side. Zero database round-trips on every request.
Plugin Composable
Mix and match password, OAuth, magic link, OTP, passkeys, and organizations. Pay only for what you use.
Bring Your Own Schema
Define your tables with Drizzle, Prisma, or Kysely. Himayah never owns your migrations.
Runs Anywhere
Cloudflare Workers, Vercel Edge, Deno, Bun, Node.js. Pure Web Crypto, no native bindings.
Secure by Default
CSRF double-submit, constant-time comparisons, PKCE for OAuth, host-header spoofing protection.
Type-Safe Client
First-class TypeScript throughout. The browser client is a fully typed proxy of your server config.
How does Himayah compare?
Different tools for different needs. Here's an honest look at the tradeoffs.
| Feature | Himayah | NextAuth.js | Lucia | Auth.js |
|---|---|---|---|---|
| Schema ownership | Always yours | Adapter needed | Always yours | Adapter needed |
| Edge runtime | Native | Partial | Native | Native |
| Plugin composability | Full | Limited | DIY | Limited |
| Built-in OTP/Magic Link | Yes | No | No | No |
| Built-in Organizations | Yes | No | No | No |
| PKCE for OAuth | Yes | Yes | DIY | Yes |
| Framework agnostic | Yes | Next.js only | Yes | Yes |
Ready to add auth to your app?
Follow the getting started guide and have authentication running in under 10 minutes.