Rolling your own crypto is dangerous. Using Node.js crypto directly is verbose and error-prone. Oslo provides battle-tested utilities for hashing, encoding, random generation, and more.
What Is Oslo?
Oslo is a collection of lightweight TypeScript packages for common security operations. Created by the same team behind Lucia and Arctic, it's designed for developers who need simple, correct crypto primitives.
Packages
Oslo is modular — install only what you need:
```bash
npm install @oslojs/crypto    # Hashing, HMAC, RSA
npm install @oslojs/encoding  # Base64, hex, base32
npm install @oslojs/jwt       # JWT creation and validation
npm install @oslojs/otp       # TOTP/HOTP for 2FA
npm install @oslojs/oauth2    # OAuth 2.0 utilities
```
Password Hashing
```typescript
import { sha256 } from "@oslojs/crypto/sha2";
import { encodeHexLowerCase } from "@oslojs/encoding";
// @oslojs/crypto has no Argon2 export; this uses the separate @node-rs/argon2 package
import { hash, verify } from "@node-rs/argon2";

// Oslo SHA-256 is for data integrity, not passwords
const digest = encodeHexLowerCase(sha256(new TextEncoder().encode("Hello World")));

// For password hashing, use argon2 or bcrypt instead
const hashed = await hash(password, {
  memoryCost: 19456, // KiB
  timeCost: 2,       // iterations
  parallelism: 1
});
const valid = await verify(hashed, password);
```
TOTP (2FA)
```typescript
import { createTOTPKeyURI, verifyTOTP } from "@oslojs/otp";

// Generate secret for user
const secret = new Uint8Array(20);
crypto.getRandomValues(secret);

// Generate QR code URI for authenticator apps (period in seconds, then digits)
const uri = createTOTPKeyURI("MyApp", "user@example.com", secret, 30, 6);
// otpauth://totp/MyApp:user@example.com?secret=...&period=30&digits=6

// Validate user's code
const isValid = verifyTOTP(secret, 30, 6, userCode);
```
Base64 Encoding
```typescript
import {
  encodeBase64, decodeBase64,
  encodeBase64url, decodeBase64url
} from "@oslojs/encoding";

const encoded = encodeBase64(new TextEncoder().encode("Hello World"));
// "SGVsbG8gV29ybGQ="
const decoded = decodeBase64(encoded);
// Uint8Array
```
JWT Operations
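```typescript
import { encodeJWT, parseJWT, createJWTSignatureMessage, JWTRegisteredClaims } from "@oslojs/jwt";
import { hmac } from "@oslojs/crypto/hmac";
import { SHA256 } from "@oslojs/crypto/sha2";
import { constantTimeEqual } from "@oslojs/crypto/subtle";
// @oslojs/jwt only encodes and parses tokens; the HS256 signature comes from @oslojs/crypto
const headerJSON = JSON.stringify({ alg: "HS256", typ: "JWT" });
const payloadJSON = JSON.stringify({
  sub: userId,
  exp: Math.floor(Date.now() / 1000) + 3600, // 1 hour
  iat: Math.floor(Date.now() / 1000)
});
const token = encodeJWT(headerJSON, payloadJSON, hmac(SHA256, secret, createJWTSignatureMessage(headerJSON, payloadJSON)));
const [, payload, signature, signatureMessage] = parseJWT(token); // check the signature before trusting claims
const tokenValid = constantTimeEqual(signature, hmac(SHA256, secret, signatureMessage)) && new JWTRegisteredClaims(payload).verifyExpiration();
```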
Why Oslo Over Native Crypto
| Task | Node.js crypto | Oslo |
|---|---|---|
| SHA-256 hash | 5 lines | 1 line |
| Base64 encode | Buffer.from().toString() | encodeBase64() |
| TOTP generation | 30+ lines or library | createTOTPKeyURI() |
| JWT creation | Manual or jsonwebtoken | createJWT() |
| Type safety | Weak | Full TypeScript |
Real-World Usage
Oslo powers the auth stack used by thousands of apps:
Arctic (OAuth) → uses Oslo encoding + crypto
Lucia (sessions) → uses Oslo crypto
Better Auth → compatible with Oslo
Key Benefits
- Tree-shakeable — import only what you use
- Zero dependencies — each package is standalone
- TypeScript-first — full type inference
- Web Crypto compatible — works in Node.js, Deno, Bun, edge runtimes
- Audited primitives — no custom crypto, wraps proven algorithms