Himayah

Introduction

Himayah is a lightweight, type-safe, schema-first, and Edge-compatible authentication framework for modern TypeScript applications.


What is Himayah?

Himayah (حماية — Arabic for protection) is a framework-agnostic, schema-first TypeScript authentication library built for the modern web. Unlike monolithic auth providers, Himayah gives you complete ownership over your schema, your database, and your code — while handling all cryptographic, session, and rate-limiting complexities securely.

import { createAuth } from "@himayah/core";
import { createJWTSessionStore } from "@himayah/session";
import { passwordPlugin } from "@himayah/plugin-password";
import { drizzleAdapter } from "@himayah/adapter-drizzle";
 
export const auth = createAuth({
  adapter: drizzleAdapter(db, { users, sessions }),
  sessionStore: createJWTSessionStore({ secret: process.env.AUTH_SECRET! }),
  plugins: [passwordPlugin({ getPasswordHash, setPasswordHash })],
  baseUrl: process.env.APP_URL!,
});

Why Himayah?

Most auth libraries force you into one of two traps: either you give up full control to a third-party service, or you end up with a massive dependency that does too much magic. Himayah takes a different approach.

You own the schema

Himayah never touches your migrations. Define your tables, map them to our thin adapters, and you're done.

Runs anywhere

No Node.js-only crypto or fs calls. Runs natively on Cloudflare Workers, Vercel Edge, Deno, Bun, and traditional Node.

Composable by design

Pick exactly the plugins you need — password, OAuth, magic link, OTP, passkeys, or organizations. No tree-shaking puzzles.

Production-hardened security

PBKDF2-derived AES-256-GCM JWE sessions, constant-time comparisons, double-submit CSRF, and PKCE for OAuth. Secure by default.


Core Concepts

Session Model

Himayah sessions are stateless JWE tokens by default. The session pipeline works in two steps:

  1. PBKDF2-SHA256 stretches your AUTH_SECRET string into a proper 32-byte cryptographic key (100,000 iterations)
  2. AES-256-GCM uses that derived key to encrypt the session payload on the server; the resulting token is what gets stored client-side in an HttpOnly cookie

Think of PBKDF2 as the key factory and AES-256-GCM as the vault. Both are needed — PBKDF2 creates the key, AES-256-GCM uses it to encrypt.

// Reading a session anywhere in your app
const session = await auth.getSession(request);
 
if (session.ok) {
  console.log(session.data.userId);
  console.log(session.data.activeOrgId); // if organizations are enabled
}
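As an added worked example (not Himayah's own code), here is the two-step pipeline described above implemented on WebCrypto, so the same code runs on Edge runtimes and on Node. The function names, the salt label, the cookie name and the `exp` field of the payload are this example's assumptions; only the algorithms and the 100,000-iteration count come from the page.

```typescript
// Added example (not Himayah's code): the two-step session pipeline described
// above, built on WebCrypto so the same code runs on Edge runtimes and Node.
// The function names, the salt label and the cookie name are this example's
// own assumptions, not the library's API.
import { webcrypto } from "node:crypto";

// Edge runtimes expose WebCrypto as globalThis.crypto; Node exposes the same
// object via node:crypto, so prefer the global and fall back to the import.
const wc = ((globalThis as any).crypto ?? webcrypto) as typeof webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

export const PBKDF2_ITERATIONS = 100_000;               // figure stated on the page
const KEY_SALT = enc.encode("himayah-session-key-v1");  // constructed purpose label

// Step 1, the "key factory": stretch the AUTH_SECRET string into a 256-bit
// AES-GCM key. The key is non-extractable, so it never leaves the crypto layer.
export async function deriveSessionKey(secret: string): Promise<webcrypto.CryptoKey> {
  const base = await wc.subtle.importKey("raw", enc.encode(secret), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt: KEY_SALT, iterations: PBKDF2_ITERATIONS },
    base,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt", "decrypt"],
  );
}

export interface SessionPayload { userId: string; exp: number; activeOrgId?: string }

// base64url helpers using only web-standard globals (btoa/atob exist on Edge and Node >= 16).
function b64url(bytes: Uint8Array): string {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function unb64url(s: string): Uint8Array {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Step 2, the "vault": encrypt the payload server-side under a fresh 96-bit IV.
// AES-GCM also authenticates, so any bit flipped in the cookie fails to open.
export async function sealSession(key: webcrypto.CryptoKey, payload: SessionPayload): Promise<string> {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(payload)));
  return `${b64url(iv)}.${b64url(new Uint8Array(ct))}`;
}

// Returns null rather than throwing for anything untrusted input can cause:
// a malformed token, a failed authentication tag, or an expired session.
export async function openSession(
  key: webcrypto.CryptoKey,
  token: string,
  nowSec: number = Math.floor(Date.now() / 1000),
): Promise<SessionPayload | null> {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  try {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: unb64url(parts[0]) }, key, unb64url(parts[1]));
    const payload = JSON.parse(dec.decode(pt)) as SessionPayload;
    if (typeof payload.userId !== "string" || typeof payload.exp !== "number") return null;
    return payload.exp > nowSec ? payload : null;
  } catch {
    return null; // OperationError from a bad tag, or a base64/JSON error
  }
}

// Cookie attributes that keep the token out of reach of page scripts and off
// cross-site POSTs; the cookie name is a constructed example value.
export function sessionCookie(token: string, maxAgeSec: number): string {
  return `himayah_session=${token}; Path=/; Max-Age=${maxAgeSec}; HttpOnly; Secure; SameSite=Lax`;
}
```

Two properties worth noticing when you run it: a token whose ciphertext has been altered by even one bit opens to `null`, because the GCM tag no longer verifies, so there is never a partially decrypted payload to act on; and nothing in the token itself lets the server reject it before `exp` passes, which is exactly the gap the stateful database session store below closes.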

If you need immediate session revocation (e.g., after a password change or account ban), you can opt into stateful database sessions:

import { createDatabaseSessionStore } from "@himayah/session";
 
sessionStore: createDatabaseSessionStore(adapter)

Plugin System

Every auth method is a plugin. Plugins register their own HTTP endpoints, validate inputs, and interact with the adapter. You compose them freely:

plugins: [
  passwordPlugin({ ... }),
  oauthPlugin({ providers: [github, google] }),
  magicLinkPlugin({ sendVerificationToken }),
  organizationPlugin(),
]

Adapter Pattern

Himayah defines a minimal set of database operations through the HimayahAdapter interface. Official adapters (Drizzle, Prisma, Kysely) implement this interface and map your existing schema tables to it.

You are never locked in. Because the adapter is a plain TypeScript interface, you can write a custom adapter for any database — MongoDB, Supabase, PlanetScale, etc.


Package Overview

| Package | Purpose |
| --- | --- |
| @himayah/core | Composition engine, router, CSRF, session reading |
| @himayah/session | JWE/JWS sessions, cookie utilities, stateful sessions |
| @himayah/adapter | Base adapter interface and shared types |
| @himayah/client | Type-safe browser API client |
| @himayah/plugin-password | Email + password credentials (PBKDF2-SHA256) |
| @himayah/plugin-oauth | OAuth 2.0 + OIDC with PKCE and state verification |
| @himayah/plugin-magic-link | Passwordless email verification tokens |
| @himayah/plugin-otp | SMS/email one-time passcodes |
| @himayah/plugin-passkey | WebAuthn biometric credentials |
| @himayah/plugin-organization | Multi-tenant orgs with roles and invitations |
| @himayah/middleware-hono | Hono middleware adapter |
| @himayah/middleware-express | Express middleware adapter |
| @himayah/adapter-drizzle | Drizzle ORM adapter |
| @himayah/adapter-prisma | Prisma Client adapter |
| @himayah/adapter-kysely | Kysely query builder adapter |
| @himayah/rate-limit-redis | Redis-backed distributed rate limiting |
