Auth & JWT
App-level auth settings — role hierarchy and JWT minting / verification configuration for the bearer-token fast-path.
The top-level auth config block holds provider-agnostic auth knobs that affect how Quickback emits the auth middleware, JWT helpers, and access-rule expansion.
export default defineConfig({
// ...
auth: {
roleHierarchy: ['member', 'admin', 'owner'],
jwt: {
expiresIn: 60,
issuer: 'my-api',
// audience, secretEnv, algorithm, revocationCheck...
},
},
});auth.roleHierarchy
Lowest-to-highest privilege list. Lets access rules use 'role+' shorthand to mean "this role and above". Documented in detail under Access — Role hierarchy.
auth.jwt — JWT bearer-token fast-path
Quickback ships its own custom HMAC-SHA256 JWT (not Better Auth's JWT plugin) so it can embed orgId and role claims the fast-path needs to reconstruct AppContext without a database round-trip. The signing secret is shared with Better Auth (BETTER_AUTH_SECRET) by default — users only manage one secret.
Behavior recap
- The browser SPA gets a JWT via the
set-auth-tokenresponse header on every authenticated call. - On subsequent requests the SPA sends
Authorization: Bearer <jwt>. - The auth middleware's fast-path verifies the signature only — no DB query, no session lookup.
AppContextis reconstructed from JWT claims. - If verification fails (or no JWT is present), the middleware falls back to session auth.
- After successful session auth, a fresh JWT is minted and returned via
set-auth-token. The cycle continues.
The fast-path is intentionally stateless: it trusts the claims for the full TTL. Stolen or pre-revocation tokens are valid until they expire. That's the trade-off the fast-path makes — and the reason expiresIn is the most-tuned knob below.
expiresIn?: number — TTL in seconds
Default 180 (3 minutes).
Lowering this shrinks the worst-case window where a stolen / pre-revocation token still works. Browser SPAs auto-refresh via set-auth-token on every authed call, so a low TTL is invisible to logged-in users; only stale server-to-server bearer tokens feel it.
auth: { jwt: { expiresIn: 30 } } // 30s — tight post-revocation window
auth: { jwt: { expiresIn: 3600 } } // 1h — longer-lived tokens for CLI / CIissuer?: string — iss claim
Default omitted.
Set this when other services need to distinguish JWTs minted by this Worker from other issuers. The compiler bakes the issuer into both the mint side (added to claims) and the verify side (rejects tokens with mismatched iss).
audience?: string — aud claim
Default omitted.
Set this when this Worker's JWTs are consumed by a sibling service that should reject tokens minted for a different audience. Same mint-and-verify treatment as issuer.
secretEnv?: string — signing secret env var
Default 'BETTER_AUTH_SECRET'.
Override this if you want JWT signing isolated from the Better Auth secret (e.g. rotating one without invalidating the other).
auth: { jwt: { secretEnv: 'CUSTOM_JWT_SECRET' } }The compiler emits c.env.CUSTOM_JWT_SECRET (or process.env.CUSTOM_JWT_SECRET on Bun/Node) in the auth middleware's verify and mint sites and the /api/v1/token endpoint.
Note: the files-worker (separate Worker for R2 access) still reads
BETTER_AUTH_SECRETdirectly. If you overridesecretEnv, set both env vars to the same value or the files worker's JWT verification will fall back to DB session lookup. ThreadingsecretEnvthrough the files worker is on the roadmap.
algorithm?: 'HS256'
Only HS256 is supported in 0.10.14. RS256 (asymmetric, public-key verify / private-key sign) is on the roadmap.
revocationCheck?: 'none' | 'kv' — token revocation strategy
Default 'none'.
| Value | Behavior | Cost per verify |
|---|---|---|
'none' | No revocation check. Stolen tokens valid until TTL expires. Use a low expiresIn to bound the replay window. | 0 |
'kv' | Fast-path consults a denylist KV namespace before accepting the token. Banning a user / revoking sessions writes the user's sub to the denylist. | 1 KV read (~5-15ms, edge-cached) |
The 'kv' path keeps the fast-path stateless against the auth DB (still 0 D1 queries) — KV reads on Workers are an order of magnitude cheaper than a D1 round trip and give sub-second revocation.
'kv'is deferred to 0.10.15. Setting'kv'in 0.10.14 errors at compile time so the migration path is explicit; the schema accepts it now so users can author their final config today.
Defaults preserve 0.10.13 behavior
Adding the auth.jwt block without setting any field is a no-op vs. the 0.10.13 baseline. Each missing field falls back to its hardcoded value:
| Field | Default |
|---|---|
expiresIn | 180 |
issuer | omitted |
audience | omitted |
secretEnv | 'BETTER_AUTH_SECRET' |
algorithm | 'HS256' |
revocationCheck | 'none' |
Tuning recommendations
- B2C SaaS, mostly browser traffic: keep defaults. The 180s TTL + auto-refresh model just works.
- Pentest engagement / enterprise compliance: set
expiresIn: 30. Tokens stay invisible to logged-in users (auto-refreshed every authed call) but stolen-token windows shrink to 30s. - CLI-heavy / long-running CI tokens:
expiresIn: 3600for one-hour bearer tokens. Pair withissuer/audienceif multiple services consume the same JWT. - Need immediate revocation: wait for 0.10.15's
revocationCheck: 'kv'. Or, today, drop TTL to ~30s — same effect with bounded delay.
Security Headers
Configure CSP, COOP, COEP, CORP, X-Frame-Options, HSTS, Referrer-Policy, and Permissions-Policy on every response from your generated Worker.
Compile Targets
Quickback compiles your definitions to one of two targets — a Hono API on Cloudflare/Neon, or PostgreSQL Row Level Security policies for Supabase.