Nest Auth (beta)

Production

Turning a working dev setup into something safe to ship.

A working signup form is not a production auth system. These pages cover what's left.

  • Sending Emails — wire EmailVerificationRequestedEvent, PasswordResetRequestedEvent, PasswordlessCodeRequestedEvent, etc., into Resend / SendGrid / SES / Postmark.
  • Sending SMS — same pattern for Twilio / MessageBird.
  • Customizing the JWT — add custom claims (subscriptionTier, appUserId) without bloating the token.
  • Production Checklist — HTTPS, cookie flags, secret rotation, refresh-token rotation, CSRF.
  • Rate Limiting — @nestjs/throttler thresholds for /auth/login, /auth/passwordless/send, /auth/forgot-password.
  • Logging & Debugging — DebugLoggerService, the debug config, common log shapes.
  • Testing Your Auth — mocking guards, seeding test users, E2E flows.
  • Scaling — Redis sessions, multi-instance, sliding expiration trade-offs, N+1 patterns.
  • CORS & Security — required headers, CSRF posture, Helmet config.