Infrastructure

The pieces that sit under the auth flows: where server-side state is stored, how you throttle and lock out abuse, and where your app-specific side effects attach.

  • Storage & lifespan


    In-memory storage for dev and Redis for production, covering sessions, CSRF, lockout, and one-time tokens, plus the initialize() / shutdown() lifespan.

    Storage & lifespan →

  • Rate limiting & lockout


    How to throttle any route with rate_limit(), plus the escalating login lockout built into the auth flows.

    Rate limiting & lockout →

  • Hooks


    AuthHooks callbacks for welcome emails, trial grants, and audit logging, fired across every auth path.

    Hooks →

Where to start

Pick the concern you're handling

Going to production? Start with Storage & lifespan and move state to Redis.

Protecting an endpoint from abuse, or tuning login lockout? Rate limiting & lockout.

Running side effects (welcome email, audit log) on auth events? Hooks.

Start with Storage & lifespan →