v2.0.0-beta · MIT licensed · works with NestJS 10 & 11

Authentication that scales with your stack

Sessions, MFA, OAuth, passwordless, multi-tenancy, RBAC, and an embedded admin console — for NestJS, JavaScript, and React. Type-safe end to end.

$ pnpm add @ackplus/nest-auth

Email + Password · Phone OTP · Google · Facebook · Apple · GitHub · Magic Link · TOTP / MFA · API Keys · Custom OAuth

Everything production auth needs

Nine ways to sign in, four MFA factors, three session backends — all wired up the moment you import the module.

Sessions you can trust

JWT access + refresh, header or HttpOnly-cookie mode, auto-refresh, refresh-queue dedup, password-hash-prefix invalidation.

MFA built in

TOTP, Email OTP, SMS OTP, recovery codes, and trusted-device tokens — opt-in or required.

Every login method

Email, phone, Google, Facebook, Apple, GitHub, passwordless, magic link, custom OAuth, API keys.

Multi-tenant first

Disabled, shared, or fully isolated modes. Tenant-aware decorators and request context out of the box.

RBAC with multiple guards

Roles and permissions per guard namespace (web, api, mobile). Decorator-driven; external IDP friendly.

Hook-driven extension

Every lifecycle moment is overridable — beforeSignup, onLogin, customizeSessionData, resolveRoles, and more.

Embedded admin console

A polished React UI for managing users, roles, permissions, tenants, and API keys. Zero deploy work.

Type-safe end to end

Shared contracts package powers backend, JS client, and React layer — break a DTO, break the build.

Production-ready defaults

Argon2id hashing, refresh-token rotation, sensible cookie flags, audit hook, structured error codes.

One flow, every method

Whether the user signs in with email, a magic link, or Google, the path is the same — and every step is a hook you can extend.

Request: POST /auth/login
Verify: credentials + MFA
Session: DB / Redis / memory
Tokens: JWT or HttpOnly cookie
Protected: guards + roles + RBAC

app.module.ts
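import { Module } from '@nestjs/common';
import { EventEmitterModule } from '@nestjs/event-emitter';
import { TypeOrmModule } from '@nestjs/typeorm';
import { NestAuthModule, NestAuthEntities }
  from '@ackplus/nest-auth';

@Module({
  imports: [
    EventEmitterModule.forRoot(),
    // Register the auth entities with the TypeORM connection.
    TypeOrmModule.forRoot({ /* ... */
      entities: [...NestAuthEntities] }),
    TypeOrmModule.forFeature([...NestAuthEntities]),
    NestAuthModule.forRoot({
      appName: 'My App',
      // `!` only satisfies the type checker; JWT_SECRET must be set at runtime.
      session: { jwt: { secret: process.env.JWT_SECRET! } },
    }),
  ],
})
export class AppModule {}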

Wire up auth in three lines.

Drop NestAuthModule into your AppModule, register the entities, and you have signup, login, refresh, password reset, MFA, OAuth, and the rest of the API surface — all configurable via hooks and events.

  • Hook-driven extension surface — every lifecycle moment is overridable
  • NestAuthUser stores auth fields only — your AppUser holds the business data
  • Event emitter for async side effects (welcome emails, audit, role sync)
  • Database, Redis, or in-memory session backends

9 Auth methods
14 Entities included
12 Doc sections
<10 min To first login

Four packages, one version

Pick the layer you need; types are shared across all of them.

Ship auth, not boilerplate.

Replace four libraries and a thousand lines of glue with one well-tested module. Designed for production from the first commit.