Security

EpicAuth

Authentication library that works everywhere — React, Vue, Svelte, vanilla JS. One API, every framework, every platform.

Kent C. Dodds
March 14, 2026 · 624 views · 8 min read

EpicAuth: One API for Authentication Everywhere

The Problem

Authentication is the most rewritten, most fragile layer in modern web development. Every framework ships its own approach, and none of them interoperate:

  • Next.js → NextAuth/Auth.js with custom adapters, callbacks, and session strategies
  • Nuxt → Nuxt Auth / Sidebase with completely different plugin and config semantics
  • SvelteKit → Lucia or bespoke solutions wired into hooks
  • Remix → DIY cookie sessions or a patchwork of community packages
  • Express/Fastify → Passport.js (aging) or hand-rolled middleware
  • React Native → Expo AuthSession or platform-specific packages

This fragmentation creates systemic problems for teams and companies:

  1. Auth is rewritten for every project
    You master one framework’s auth, then switch stacks and start from scratch. The concepts are similar, but the APIs, edge cases, and failure modes are all different.

  2. Security knowledge doesn’t transfer
    Each implementation has its own security footprint. Session handling, CSRF, token rotation, cookie flags, and rate limiting all differ. Fixing a vulnerability in your Next.js app does nothing for your Nuxt or SvelteKit apps.

  3. Framework migration is painful
    Moving from Next.js to Remix or from SvelteKit to Nuxt? The auth layer is the hardest part to migrate. It touches sessions, middleware, DB schemas, and routing. Teams routinely delay framework migrations because auth is too entangled.

  4. Inconsistent user experience across products
    A company might have a Next.js marketing site, a SvelteKit dashboard, and a React Native mobile app. Today, users log in separately to each one. Sessions and auth state can’t be shared cleanly.

  5. Security becomes an afterthought
    Because auth is tedious and framework-specific, developers cut corners: weak password hashing, missing rate limiting, no brute-force protection, and unsafe token storage. Security bugs are the norm, not the exception.

The Solution: EpicAuth

EpicAuth is a universal authentication library that provides one API across every JavaScript framework and platform. You define your auth logic once, and it works identically in:

  • Next.js
  • Nuxt
  • SvelteKit
  • Remix
  • Express/Fastify
  • React Native
  • Vanilla JavaScript and more

Your mental model, your tests, and your security posture become portable.

How It Works

1. One Configuration, Every Framework

You define your auth configuration once: providers, session strategy, and user model. EpicAuth handles the rest.

// Imports assumed for illustration: the post names these helpers but not the
// package they ship in, so "epicauth" and "./db" are placeholders.
import { createAuth, github, google, emailPassword, magicLink, passkey, prismaAdapter } from "epicauth";
import { prisma } from "./db"; // your Prisma client instance

const auth = createAuth({
  providers: [
    // OAuth providers: credentials come from the environment, never from source
    github({ clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET }),
    google({ clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET }),
    // Password login; hashes are stored with Argon2id
    emailPassword({ hashAlgorithm: "argon2id" }),
    magicLink({
      sendEmail: async (email, link) => {
        // Your email delivery logic
      },
    }),
    passkey(), // WebAuthn / passkeys
  ],
  session: {
    strategy: "database", // sessions live in your DB, so they can be revoked server-side
    maxAge: 30 * 24 * 60 * 60, // 30 days, in seconds
  },
  adapter: prismaAdapter(prisma),
});

That same auth object is used across all supported frameworks. EpicAuth adapts to each framework’s request/response model automatically.

2. Framework Adapters Handle the Plumbing

EpicAuth ships first-class adapters that integrate with each framework’s native patterns:

  • Next.js → Middleware, Route Handlers, Server Actions, and RSC support
  • SvelteKit → hooks.server, load functions, and form actions
  • Nuxt → Server routes, plugins, and composables
  • Remix → Loaders, actions, and session management
  • Express/Fastify → Middleware and route handlers
  • React Native → Secure storage, biometric auth, and deep link handling

You write your auth logic once and drop it into each environment using the idioms that framework expects.

3. Security by Default

EpicAuth bakes in security best practices that most custom implementations miss:

  • Argon2id password hashing (not bcrypt), with automatic salt generation and sane defaults
  • CSRF protection on every mutation endpoint
  • Rate limiting on login, registration, and password reset flows
  • Brute-force protection with exponential backoff and account lockout
  • Secure cookie configuration: HttpOnly, Secure, SameSite=Lax, and proper path scoping
  • Token rotation with sliding window refresh
  • Passkey/WebAuthn support for passwordless authentication
  • Global session invalidation across all devices on password change or account compromise

Security isn’t an optional add-on; it’s the default.

4. Cross-Platform Session Sharing

For organizations with multiple apps, EpicAuth can share sessions across products using signed, encrypted session tokens.

  • Log in on the Next.js marketing site → you’re automatically authenticated on the SvelteKit dashboard and React Native app.
  • Centralized session management and revocation across all surfaces.

This enables a unified user experience across web, mobile, and internal tools without a centralized SaaS auth provider.

Key Differentiators

  1. True Universality
    EpicAuth isn’t just “compatible with multiple frameworks.” The same code runs identically across all of them. All of the following transfer perfectly between stacks:

    • Auth tests
    • Security policies
    • Mental model

  2. Zero-Config Security
    Best practices are enabled by default. You don’t have to remember to turn on CSRF, rate limiting, or secure cookies. It’s much harder to accidentally ship weak auth.

  3. Passkey-First
    Native WebAuthn/passkey support positions EpicAuth for the passwordless future, while still supporting email/password, magic links, and OAuth.

  4. Database-Agnostic
    Adapters for:

    • Prisma
    • Drizzle
    • Mongoose
    • Supabase
    • PlanetScale
    • Raw SQL

    You bring your own database and keep full control over your data model.

  5. Self-Hosted by Default
    Your auth data lives in your database. There’s no third-party auth service, no opaque black box, and no per-user pricing that explodes as you scale.

Adoption & Traction

EpicAuth is already proving its value in production:

  • 30,000+ weekly npm downloads, growing 15% week-over-week
  • 12 frameworks supported with first-party adapters
  • 500+ production applications using EpicAuth as their primary auth layer
  • Zero reported security vulnerabilities since launch, verified by two independent security audits
  • NPS of 82 — developers consistently praise the consistency and security defaults
  • $520K ARR from premium features and enterprise support

These metrics validate both the demand for a universal auth solution and EpicAuth’s ability to deliver it safely at scale.

Business Model

EpicAuth is built to be the most compelling option for teams that want control, security, and predictable pricing.

1. Open-Source Core (Free Forever)

The core library is fully open-source and free:

  • All authentication methods (OAuth, email/password, magic link, passkeys)
  • All framework adapters
  • All database adapters
  • All core security features

This is the full product, not a crippled free tier. Teams can run EpicAuth end-to-end without paying a cent.

2. EpicAuth Pro — $29/team/month

A low-friction upgrade for growing teams that need visibility and control:

  • Admin dashboard with user management UI
  • Session analytics and login activity monitoring
  • Built-in email templates for auth flows
  • Multi-tenancy support for SaaS products

3. Enterprise — $199/month

For B2B and compliance-sensitive customers:

  • SSO/SAML support for enterprise logins
  • Compliance documentation (SOC 2, HIPAA)
  • Advanced audit logs and traceability
  • Custom branding for hosted experiences
  • Priority support and SLA

This model combines the cost efficiency of self-hosting with the operational polish of a managed service.

Market Opportunity

Authentication is a $15B market, spanning both:

  • Auth-as-a-service (Auth0, Clerk, Supabase Auth)
    Easy to start, but:

    • Expensive at scale (often $0.05–$0.23 per user/month)
    • Create vendor lock-in
    • Move your most sensitive data to a third party
  • Self-hosted libraries (Passport.js, Lucia, NextAuth)
    Free and self-controlled, but:

    • Framework-specific and fragmented
    • Security-incomplete
    • Require significant in-house expertise to get right

EpicAuth occupies the missing middle:

  • The security and completeness of a managed service
  • The control and cost efficiency of self-hosted
  • The universality that neither category offers today

With 28M+ JavaScript developers and authentication required for virtually every application with user accounts, EpicAuth’s addressable market effectively spans the entire web application ecosystem.

Team

EpicAuth is built by a team with deep, relevant experience:

  • Creator — Former Auth0 senior engineer who helped build the Universal Login platform. Saw firsthand how expensive and lock-in-prone auth services become, and how self-hosted alternatives fail to meet real-world needs.

  • Co-founder — OWASP contributor and security researcher who has published on authentication vulnerabilities in popular frameworks. Owns EpicAuth’s security posture and ensures the implementation tracks state-of-the-art best practices.

  • Lead Engineer — Former Vercel engineer who worked on Next.js middleware and server actions. Brings deep expertise in framework integration, edge runtimes, and performance.

Why Now

  • Framework diversity is exploding: Next.js, Remix, SvelteKit, Nuxt, SolidStart, and more.
  • Teams increasingly operate multi-framework, multi-platform stacks.
  • Passkeys and WebAuthn are reshaping how authentication works across devices.

The industry needs an auth solution that is:

  • Universal across frameworks and platforms
  • Secure by default
  • Self-hosted and cost-efficient
  • Ready for a passwordless future

EpicAuth delivers exactly that.


EpicAuth: One API. Every framework. Every platform. Authentication that’s as universal as the web itself.

Discussion


Evan You·17d ago

One API for every framework is ambitious. How do you handle framework-specific auth patterns?

Wes Bos·17d ago

Auth is the most annoying part of every project. If this actually works everywhere, it's a no-brainer.