The latest articles on DEV Community by Dhruv Agnihotri (@dhruv_agnihotri_064dad7e4). https://dev.to/dhruv_agnihotri_064dad7e4 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3747015%2Fbe3a3d97-2605-4826-97f0-1e08831407d3.png https://dev.to/dhruv_agnihotri_064dad7e4 en Dhruv Agnihotri Tue, 03 Feb 2026 01:13:05 +0000 https://dev.to/dhruv_agnihotri_064dad7e4/i-built-a-free-auth0-alternative-that-gives-you-20-routes-in-one-line-of-code-28nl https://dev.to/dhruv_agnihotri_064dad7e4/i-built-a-free-auth0-alternative-that-gives-you-20-routes-in-one-line-of-code-28nl <p><strong>TL;DR:</strong> Open-source auth that costs <strong>$0/year</strong> (vs $2,880+ for Auth0), sets up in <strong>2 minutes</strong>, gives you <strong>20+ production routes</strong> in one line, and includes an <strong>industry-first "smart cookie fallback"</strong>. Both packages work <strong>independently or together</strong>. I'm using it in production for my own projects.</p> <p><strong>🔗 Links:</strong> <a href="https://github.com/Dhruvagnihotri/headlesskits" rel="noopener noreferrer">HeadlessKit Hub</a> • <a href="https://www.npmjs.com/package/@headlesskits/react-headless-auth" rel="noopener noreferrer">React (NPM)</a> • <a href="https://pypi.org/project/flask-headless-auth/" rel="noopener noreferrer">Flask (PyPI)</a> • <a href="https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer">React GitHub</a> • <a href="https://github.com/Dhruvagnihotri/flask-headless-auth" rel="noopener noreferrer">Flask GitHub</a></p> <h2> Table of Contents </h2> <ul> <li> The Problem - Why existing solutions fall short</li> <li> Meet HeadlessKit - Three architectures, one system</li> <li> Architecture - How it works under the hood</li> <li> 2-Minute Setup - Get started instantly</li> <li> What You Get - 20+ routes, complete state management</li> <li> Smart Cookie Fallback - Industry-first feature</li> <li> JWT-Aware Refresh - Intelligent token management</li> <li> Comparison Table - vs NextAuth, Clerk, Auth0, Supabase</li> <li> Production Use Cases - Real-world examples</li> <li> Extensibility - Hooks, custom models, OAuth</li> <li> Security - OWASP-compliant, production-ready</li> <li> Get Started - Installation instructions</li> <li> Roadmap - What's next</li> </ul> <h2> The $2,880+/Year Problem <a id="the-2880year-problem"></a> </h2> <p>You're building a new app. You need authentication. Your options?</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Solution</th> <th>Cost/Year</th> <th>Setup Time</th> <th>The Catch</th> </tr> </thead> <tbody> <tr> <td><strong>Auth0</strong></td> <td>$2,880+</td> <td>20 min</td> <td>Vendor lock-in, expensive (Professional: $240/mo)</td> </tr> <tr> <td><strong>Clerk</strong></td> <td>$300+</td> <td>15 min</td> <td>Vendor lock-in, expensive with add-ons ($100/mo each)</td> </tr> <tr> <td><strong>NextAuth</strong></td> <td>Free</td> <td>30 min</td> <td>Manual backend, DIY security</td> </tr> <tr> <td><strong>Supabase</strong></td> <td>Free tier</td> <td>15 min</td> <td>Limited, vendor lock-in</td> </tr> <tr> <td><strong>Build it yourself</strong></td> <td>Free</td> <td>2-3 weeks</td> <td>JWT rotation, OAuth, MFA, password reset...</td> </tr> </tbody> </table></div> <p>I faced this exact problem for my side projects (<a href="https://pdfcourt.com" rel="noopener noreferrer">PDFCourt.com</a> and <a href="https://shuffleturn.com" rel="noopener noreferrer">ShuffleTurn.com</a>). As an indie developer, I couldn't justify $240-300/month for basic auth. But building from scratch meant weeks of work handling JWT rotation, OAuth, token refresh, password reset flows, email verification...</p> <p><strong>So I built this library. And now I'm open-sourcing it.</strong></p> <h3> What This Is </h3> <ul> <li>✅ <strong>MIT licensed</strong> - Use it however you want</li> <li>✅ <strong>Self-hosted</strong> - Your data, your server</li> <li>✅ <strong>No vendor lock-in</strong> - Standard JWT, REST APIs</li> <li>✅ <strong>Battle-tested</strong> - Running my own production apps</li> <li>✅ <strong>Actively maintained</strong> - I use this daily, so I keep it updated</li> </ul> <h3> What This Isn't </h3> <ul> <li>❌ Not trying to replace Auth0/Clerk for enterprises</li> <li>❌ Not a VC-backed startup (just an indie dev)</li> <li>❌ Not claiming thousands of users (yet!)</li> <li>❌ Not promising 24/7 support</li> </ul> <p><strong>This is a tool I built for myself and am sharing with the community. If it helps you, awesome!</strong></p> <h2> Meet HeadlessKit Authentication <a id="meet-headlesskit-authentication"></a> </h2> <p>Two packages. Three ways to use them. Zero vendor lock-in.</p> <h3> 📦 The Packages </h3> <p><strong>Frontend:</strong> <code>@headlesskits/react-headless-auth</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @headlesskits/react-headless-auth </code></pre> </div> <p><strong>Backend:</strong> <code>flask-headless-auth</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>flask-headless-auth </code></pre> </div> <h3> 🏗️ Three Architectures, One System </h3> <h4> 1️⃣ Full Stack (React + Flask) </h4> <p><strong>Use case:</strong> New projects, rapid prototyping, maximum convenience<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Backend: One line </span><span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Frontend: One component</span> <span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:5000</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> </code></pre> </div> <p><strong>Result:</strong> Complete auth system in 2 minutes. 20+ routes. Zero config.</p> <h4> 2️⃣ Backend Only (Flask → Any Frontend) </h4> <p><strong>Use case:</strong> You have Vue/Angular/Svelte/Mobile app, need a backend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="c1"># 20+ REST endpoints ready </span></code></pre> </div> <p><strong>Works with:</strong></p> <ul> <li>Vue, Angular, Svelte, Solid.js</li> <li>React Native, Flutter, iOS, Android</li> <li>Desktop apps (Electron, Tauri)</li> <li>ANY HTTP client</li> </ul> <p><strong>What you get:</strong> Production-ready REST API with JWT auth, OAuth, MFA, password reset, email verification. Just point your frontend to the endpoints.</p> <h4> 3️⃣ Frontend Only (React → Any Backend) </h4> <p><strong>Use case:</strong> You have Express/Django/FastAPI backend, need a frontend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-api.com</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> </code></pre> </div> <p><strong>Works with:</strong> Express, Django, FastAPI, .NET, Rails, Go, Rust...</p> <p><strong>What you need:</strong> Implement 5 simple endpoints:</p> <ul> <li> <code>POST /api/auth/login</code> → <code>{ user, access_token, refresh_token }</code> </li> <li> <code>POST /api/auth/signup</code> → <code>{ user, access_token, refresh_token }</code> </li> <li> <code>GET /api/auth/user/@me</code> → <code>{ user }</code> </li> <li> <code>POST /api/auth/logout</code> → <code>{ message }</code> </li> <li> <code>POST /api/auth/token/refresh</code> → <code>{ access_token, refresh_token }</code> </li> </ul> <p><strong>Bonus:</strong> The React package uses a framework-agnostic core. Import <code>AuthClient</code> directly for Vue, Svelte, or vanilla JS.</p> <h2> Architecture Overview <a id="architecture-overview"></a> </h2> <p>Understanding how HeadlessKit works under the hood helps you make informed decisions and extend it effectively.</p> <h3> Core Design Principles </h3> <p><strong>1. Framework-Agnostic Core</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ React Layer │ │ AuthProvider, useAuth, hooks │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ Framework-Agnostic Core │ │ AuthClient + TokenStorage │ │ (Works with ANY framework) │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ Backend API │ │ Flask/Express/Django/FastAPI │ └─────────────────────────────────────────┘ </code></pre> </div> <p>The React components are a thin wrapper around <code>AuthClient</code>, which handles all auth logic. This means:</p> <ul> <li>Easy to port to Vue, Svelte, Angular</li> <li>Can use directly in Node.js or React Native</li> <li>Business logic stays framework-independent</li> </ul> <h3> Authentication Flow </h3> <p><strong>Login/Signup Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User submits credentials └─&gt; AuthClient.login(email, password) └─&gt; POST /api/auth/login └─&gt; Backend validates credentials └─&gt; Returns { user, access_token, refresh_token } └─&gt; TokenStorage detects cookie support ├─&gt; ✅ Cookies work → Store in httpOnly cookies └─&gt; ❌ Cookies blocked → Store in localStorage └─&gt; Schedule automatic token refresh └─&gt; User object stored in React Context </code></pre> </div> <p><strong>Token Refresh Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. AuthClient decodes JWT access_token └─&gt; Reads expiry time (exp claim) └─&gt; Schedules refresh 5 minutes before expiration └─&gt; When time arrives: └─&gt; POST /api/auth/token/refresh └─&gt; Sends refresh_token └─&gt; Backend validates &amp; rotates tokens └─&gt; Returns new access_token + refresh_token └─&gt; Tokens updated silently (user stays logged in) </code></pre> </div> <p><strong>Key insight:</strong> No fixed intervals. The system reads your JWT's actual expiry and refreshes precisely when needed.</p> <h3> Backend Architecture (Flask) </h3> <p><strong>Component Hierarchy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ AuthSvc │ │ (Main entry point - one line setup) │ └──────────────┬──────────────────────────┘ │ ├─&gt; UserManager (user CRUD, validation) ├─&gt; TokenManager (JWT, refresh, blacklist) ├─&gt; AuthManager (login, signup, password) ├─&gt; OAuthManager (Google, Microsoft) └─&gt; RBACManager (roles, permissions) Each manager is independent and composable </code></pre> </div> <p><strong>Why this matters:</strong></p> <ul> <li>Want just OAuth? Import <code>OAuthManager</code> only</li> <li>Custom user logic? Extend <code>UserManager</code> </li> <li>Different database? Swap <code>UserRepository</code> </li> </ul> <p>All managers follow a single-responsibility design, making the codebase maintainable and extensible.</p> <h3> Token Storage Strategy </h3> <p><strong>Frontend Storage Decision Tree:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// On first login:</span> <span class="mi">1</span><span class="p">.</span> <span class="nx">Try</span> <span class="nx">to</span> <span class="kd">set</span> <span class="nx">a</span> <span class="nx">test</span> <span class="nx">cookie</span> <span class="mi">2</span><span class="p">.</span> <span class="nx">Try</span> <span class="nx">to</span> <span class="nx">read</span> <span class="nx">it</span> <span class="nx">back</span> <span class="mi">3</span><span class="p">.</span> <span class="nx">If</span> <span class="nx">successful</span> <span class="err">→</span> <span class="nx">use</span> <span class="nx">httpOnly</span> <span class="nf">cookies </span><span class="p">(</span><span class="nx">secure</span><span class="p">)</span> <span class="mi">4</span><span class="p">.</span> <span class="nx">If</span> <span class="nx">blocked</span> <span class="err">→</span> <span class="nx">use</span> <span class="nf">localStorage </span><span class="p">(</span><span class="nx">compatible</span><span class="p">)</span> <span class="mi">5</span><span class="p">.</span> <span class="nx">Remember</span> <span class="nx">choice</span> <span class="k">for</span> <span class="nx">session</span> </code></pre> </div> <p><strong>Backend Token Management:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Three-tier token system: </span><span class="mf">1.</span> <span class="n">Access</span> <span class="nc">Token </span><span class="p">(</span><span class="n">short</span><span class="o">-</span><span class="n">lived</span><span class="p">,</span> <span class="mi">15</span> <span class="nb">min</span><span class="p">)</span> <span class="err">└─</span><span class="o">&gt;</span> <span class="n">Used</span> <span class="k">for</span> <span class="n">API</span> <span class="n">requests</span> <span class="mf">2.</span> <span class="n">Refresh</span> <span class="nc">Token </span><span class="p">(</span><span class="nb">long</span><span class="o">-</span><span class="n">lived</span><span class="p">,</span> <span class="mi">30</span> <span class="n">days</span><span class="p">)</span> <span class="err">└─</span><span class="o">&gt;</span> <span class="n">Used</span> <span class="n">to</span> <span class="n">get</span> <span class="n">new</span> <span class="n">access</span> <span class="n">tokens</span> <span class="mf">3.</span> <span class="n">Token</span> <span class="nc">Blacklist </span><span class="p">(</span><span class="n">Redis</span><span class="o">/</span><span class="n">DB</span><span class="p">)</span> <span class="err">└─</span><span class="o">&gt;</span> <span class="n">Invalidated</span> <span class="n">tokens</span> <span class="n">on</span> <span class="n">logout</span> </code></pre> </div> <p>This prevents the common problem where users with cookie blockers can't use your app, while maintaining maximum security for those who allow cookies.</p> <h3> State Management (React) </h3> <p><strong>Context Architecture:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> // Top-level wrapper └─&gt; AuthContext // React Context ├─&gt; AuthClient // Core logic ├─&gt; TokenStorage // Storage abstraction └─&gt; State: ├─&gt; user (object | null) ├─&gt; isAuthenticated (boolean) ├─&gt; isLoading (boolean) └─&gt; error (object | null) </code></pre> </div> <p><strong>Why Context + Core Client?</strong></p> <ul> <li>Context handles React-specific state updates</li> <li>AuthClient handles framework-agnostic logic</li> <li>Easy to test each layer independently</li> <li>Can use AuthClient without React</li> </ul> <h3> Database Schema (Flask) </h3> <p><strong>Minimal required schema:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>users ├─ id (Primary Key) ├─ email (Unique, Indexed) ├─ password_hash ├─ email_confirmed (Boolean) ├─ mfa_enabled (Boolean) ├─ mfa_secret ├─ created_at └─ updated_at token_blacklist ├─ jti (JWT ID) └─ expires_at </code></pre> </div> <p><strong>Extensible:</strong> Add any fields you need. The library validates that required fields exist at startup.</p> <h3> Security Layers </h3> <p><strong>Defense in Depth:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Transport Layer └─&gt; HTTPS, Secure cookies, SameSite attribute 2. Storage Layer └─&gt; httpOnly cookies (XSS-proof) or encrypted localStorage 3. Token Layer └─&gt; JWT signing, expiry, rotation, blacklisting 4. Application Layer └─&gt; bcrypt hashing, rate limiting, input validation 5. Database Layer └─&gt; Parameterized queries (SQLAlchemy ORM) </code></pre> </div> <p>No single point of failure. Multiple security mechanisms protect your auth system.</p> <h3> Extensibility Philosophy </h3> <p>The architecture is designed around <strong>progressive enhancement</strong>:</p> <ol> <li> <strong>Start simple</strong> - Default configuration works out of the box</li> <li> <strong>Extend when needed</strong> - Add hooks, custom models, or swap components</li> <li> <strong>Never locked in</strong> - Standard REST APIs and JWT tokens mean you can migrate away anytime</li> </ol> <p>Every component has extension points: lifecycle hooks in the frontend, custom models in the backend, and swappable services (email, storage, database) throughout. The system uses composition over inheritance, making it easy to replace individual pieces without touching others.</p> <p>See the Extensibility section below for detailed code examples and configuration options.</p> <h2> 2-Minute Full Stack Setup <a id="2-minute-full-stack-setup"></a> </h2> <p>Let's see the full-stack approach in action.</p> <h3> Backend (10 lines = 20+ routes) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">flask_headless_auth</span> <span class="kn">import</span> <span class="n">AuthSvc</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-secret-key</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">JWT_SECRET_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">jwt-secret-key</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">SQLALCHEMY_DATABASE_URI</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">sqlite:///app.db</span><span class="sh">'</span> <span class="c1"># THIS IS THE MAGIC LINE 🪄 </span><span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">()</span> </code></pre> </div> <h3> Frontend (Complete auth in 3 lines) </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthProvider</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@headlesskits/react-headless-auth</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// 1. Wrap your app</span> <span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:5000</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> <span class="c1">// 2. Use anywhere in your components</span> <span class="kd">function</span> <span class="nf">MyComponent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">login</span><span class="p">,</span> <span class="nx">logout</span><span class="p">,</span> <span class="nx">isAuthenticated</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">isAuthenticated</span> <span class="p">?</span> <span class="p">(</span> <span class="p">&lt;&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Welcome <span class="si">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="si">}</span>!<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">logout</span><span class="si">}</span><span class="p">&gt;</span>Logout<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">login</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Login<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">)</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>That's it!</strong> Full authentication in less than 50 lines total.</p> <h2> ⚡ What You Get Instantly <a id="what-you-get-instantly"></a> </h2> <h3> Backend: 20+ Production-Ready Routes </h3> <p>One line of code (<code>auth = AuthSvc(app)</code>) gives you:</p> <p><strong>Core Authentication:</strong></p> <ul> <li>✅ <code>POST /api/auth/signup</code> - User registration with validation</li> <li>✅ <code>POST /api/auth/login</code> - JWT authentication</li> <li>✅ <code>POST /api/auth/logout</code> - Token blacklisting</li> <li>✅ <code>GET /api/auth/user/@me</code> - Get current user</li> <li>✅ <code>POST /api/auth/token/refresh</code> - Automatic token refresh</li> </ul> <p><strong>OAuth Providers:</strong></p> <ul> <li>✅ <code>GET /api/auth/login/google</code> - Google OAuth</li> <li>✅ <code>GET /api/auth/login/microsoft</code> - Microsoft OAuth</li> <li>✅ <code>GET /api/auth/callback/google</code> - OAuth callback handling</li> <li>✅ <code>GET /api/auth/callback/microsoft</code> - OAuth callback handling</li> </ul> <p><strong>Password Management:</strong></p> <ul> <li>✅ <code>POST /api/auth/password/update</code> - Change password</li> <li>✅ <code>POST /api/auth/request-password-reset</code> - Initiate reset flow</li> <li>✅ <code>POST /api/auth/reset-password/&lt;token&gt;</code> - Complete password reset</li> <li>✅ <code>POST /api/auth/validate-reset-token</code> - Verify reset token</li> </ul> <p><strong>Email &amp; Verification:</strong></p> <ul> <li>✅ <code>GET /api/auth/confirm/&lt;token&gt;</code> - Email verification</li> <li>✅ <code>POST /api/auth/resend-confirmation</code> - Resend verification email</li> </ul> <p><strong>Multi-Factor Authentication:</strong></p> <ul> <li>✅ <code>POST /api/auth/mfa/enable</code> - Enable 2FA</li> <li>✅ <code>POST /api/auth/mfa/verify</code> - Verify 2FA code</li> <li>✅ <code>POST /api/auth/mfa/disable</code> - Disable 2FA</li> </ul> <p><strong>User Management:</strong></p> <ul> <li>✅ <code>GET /api/auth/users</code> - List users (admin)</li> <li>✅ <code>DELETE /api/auth/user/&lt;id&gt;</code> - Delete user (admin)</li> <li>✅ <code>PUT /api/auth/user/&lt;id&gt;</code> - Update user</li> </ul> <p><a href="https://github.com/Dhruvagnihotri/react-headless-auth/blob/main/API_ROUTES.md" rel="noopener noreferrer">📖 See full API documentation</a></p> <h3> Frontend: Complete Auth State Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="p">{</span> <span class="c1">// User data</span> <span class="nx">user</span><span class="p">,</span> <span class="c1">// Current user object</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="c1">// Boolean auth state</span> <span class="nx">isLoading</span><span class="p">,</span> <span class="c1">// Loading state</span> <span class="c1">// Actions</span> <span class="nx">login</span><span class="p">,</span> <span class="c1">// (email, password) =&gt; Promise</span> <span class="nx">signup</span><span class="p">,</span> <span class="c1">// (email, password) =&gt; Promise</span> <span class="nx">logout</span><span class="p">,</span> <span class="c1">// () =&gt; Promise</span> <span class="nx">updatePassword</span><span class="p">,</span> <span class="c1">// (old, new) =&gt; Promise</span> <span class="c1">// Token management</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="c1">// Manual refresh (auto-handled)</span> <span class="c1">// Error handling</span> <span class="nx">error</span> <span class="c1">// Last error object</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> </code></pre> </div> <p><strong>Additional hooks:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Just the user data</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">useUser</span><span class="p">();</span> <span class="c1">// Just the session state</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">isLoading</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useSession</span><span class="p">();</span> </code></pre> </div> <h3> Security: Production-Ready, Zero Config </h3> <p>All of this comes built-in, no configuration needed:</p> <ul> <li>✅ <strong>httpOnly cookies</strong> - XSS-proof token storage</li> <li>✅ <strong>bcrypt hashing</strong> - Password hashing (cost factor 12)</li> <li>✅ <strong>JWT rotation</strong> - Automatic token refresh &amp; rotation</li> <li>✅ <strong>Token blacklisting</strong> - Invalidate tokens on logout</li> <li>✅ <strong>CSRF protection</strong> - SameSite cookies</li> <li>✅ <strong>Rate limiting</strong> - Prevent brute force attacks</li> <li>✅ <strong>Input validation</strong> - SQL injection &amp; XSS prevention</li> <li>✅ <strong>Secure password reset</strong> - Time-limited tokens</li> </ul> <p><strong>Secure by default. No security expertise required.</strong></p> <h2> 🏆 Innovation #1: Smart Cookie Fallback <a id="innovation-1-smart-cookie-fallback"></a> </h2> <p>Here's a feature I'm particularly proud of.</p> <h3> The Problem Other Libraries Have </h3> <p>Most auth libraries force you to choose:</p> <ul> <li> <strong>Cookies</strong> (most secure, httpOnly, XSS-proof) <strong>OR</strong> </li> <li> <strong>localStorage</strong> (works when cookies blocked, but vulnerable to XSS)</li> </ul> <p><strong>Result:</strong> 1-2% of users with strict privacy settings get "Please enable cookies" errors and can't use your app.</p> <h3> My Solution: Intelligent Fallback </h3> <p>HeadlessKit uses <strong>BOTH</strong> automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ User logs in │ └──────────────┬──────────────────────────┘ │ ▼ ┌──────────────────────┐ │ Test cookie support │ │ (automatic, silent) │ └──────────┬───────────┘ │ ┌───────┴────────┐ │ │ ✅ YES ❌ NO │ │ ▼ ▼ ┌──────────────┐ ┌────────────────┐ │ httpOnly │ │ localStorage │ │ Cookies │ │ Fallback │ │ │ │ │ │ 99% of users │ │ 1% of users │ │ XSS-proof ✅ │ │ Still works ⚠️ │ └──────────────┘ └────────────────┘ </code></pre> </div> <h3> The Result </h3> <ul> <li>✅ <strong>99% of users</strong> get maximum security (httpOnly cookies)</li> <li>✅ <strong>1% with blocked cookies</strong> still have a working app (localStorage)</li> <li>✅ <strong>Zero configuration</strong> needed</li> <li>✅ <strong>Automatic detection</strong> - happens silently on first login</li> <li>✅ <strong>No error screens</strong> - no "please enable cookies" messages</li> <li>✅ <strong>Graceful degradation</strong> - best security available for each user</li> </ul> <h3> Why This Matters </h3> <p>Most libraries either:</p> <ol> <li>Use cookies only (breaks for 1-2% of users with strict privacy settings)</li> <li>Use localStorage only (less secure for everyone)</li> <li>Make you choose (adds complexity)</li> </ol> <p><strong>This approach:</strong> Best security for each user, automatically.</p> <h2> 🧠 Innovation #2: JWT-Aware Token Refresh <a id="innovation-2-jwt-aware-token-refresh"></a> </h2> <p>Most libraries refresh tokens on a <strong>fixed interval</strong> (e.g., every 50 minutes). This is inefficient and can cause issues.</p> <h3> The Smart Approach </h3> <p>HeadlessKit decodes your JWT, reads the actual expiry time, and schedules refresh <strong>exactly when needed</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Inside AuthClient.ts</span> <span class="k">private</span> <span class="nf">scheduleTokenRefresh</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">decodeJWT</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">payload</span><span class="p">?.</span><span class="nx">exp</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// JWT has expiry - refresh 5 min before expiration</span> <span class="kd">const</span> <span class="nx">expiryTime</span> <span class="o">=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">exp</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">refreshTime</span> <span class="o">=</span> <span class="nx">expiryTime</span> <span class="o">-</span> <span class="p">(</span><span class="mi">5</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">delay</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">refreshTime</span> <span class="o">-</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">());</span> <span class="k">this</span><span class="p">.</span><span class="nx">refreshTimeoutId</span> <span class="o">=</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">refreshToken</span><span class="p">();</span> <span class="p">},</span> <span class="nx">delay</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Benefits </h3> <ul> <li>✅ <strong>Precise timing</strong> - refreshes exactly when needed</li> <li>✅ <strong>No wasted requests</strong> - doesn't refresh too early</li> <li>✅ <strong>Seamless UX</strong> - users stay logged in without interruption</li> <li>✅ <strong>Respects your backend</strong> - uses the expiry time YOU set</li> <li>✅ <strong>Works with any JWT</strong> - reads standard <code>exp</code> claim</li> </ul> <h2> 📊 The Comparison <a id="the-comparison"></a> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>HeadlessKit</th> <th>NextAuth</th> <th>Clerk</th> <th>Auth0</th> <th>Supabase</th> </tr> </thead> <tbody> <tr> <td><strong>Setup Time</strong></td> <td>⚡ <strong>2 minutes</strong> </td> <td>30 min</td> <td>15 min</td> <td>20 min</td> <td>15 min</td> </tr> <tr> <td><strong>Monthly Cost</strong></td> <td>✅ <strong>$0</strong> </td> <td>Free</td> <td><strong>$25-325+</strong></td> <td><strong>$240+</strong></td> <td>Free tier limited</td> </tr> <tr> <td><strong>Annual Cost</strong></td> <td>✅ <strong>$0</strong> </td> <td>Free</td> <td><strong>$300-3,900+</strong></td> <td><strong>$2,880+</strong></td> <td>Scales with usage</td> </tr> <tr> <td><strong>Smart Cookie Fallback</strong></td> <td>✅ <strong>Yes</strong> </td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Works Independently</strong></td> <td>✅ <strong>Mix &amp; Match</strong> </td> <td>⚠️ Backend DIY</td> <td>❌</td> <td>❌</td> <td>⚠️ Complex</td> </tr> <tr> <td><strong>One-Line Backend</strong></td> <td>✅ <strong>AuthSvc(app)</strong> </td> <td>❌ DIY</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td><strong>Custom User Models</strong></td> <td>✅ <strong>With validation</strong> </td> <td>✅</td> <td>❌</td> <td>❌</td> <td>⚠️ Limited</td> </tr> <tr> <td><strong>Self-Hosted</strong></td> <td>✅ <strong>Full control</strong> </td> <td>✅</td> <td>❌</td> <td>❌</td> <td>⚠️ Complex</td> </tr> <tr> <td><strong>Bundle Size</strong></td> <td>✅ <strong>15KB</strong> </td> <td>❌ Heavy</td> <td>✅ Small</td> <td>✅ Small</td> <td>⚠️ Medium</td> </tr> <tr> <td><strong>JWT-Aware Refresh</strong></td> <td>✅ <strong>Smart</strong> </td> <td>⚠️ Manual</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td><strong>Vendor Lock-in</strong></td> <td>✅ <strong>None</strong> </td> <td>✅ None</td> <td>❌ High</td> <td>❌ High</td> <td>⚠️ Medium</td> </tr> <tr> <td><strong>OAuth Providers</strong></td> <td>✅ Google, MS</td> <td>✅ Many</td> <td>✅ Many</td> <td>✅ Many</td> <td>✅ Many</td> </tr> <tr> <td><strong>MFA/2FA</strong></td> <td>✅ Built-in</td> <td>⚠️ Manual</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td><strong>Email Verification</strong></td> <td>✅ Built-in</td> <td>⚠️ Manual</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td><strong>RBAC</strong></td> <td>✅ Built-in</td> <td>⚠️ Manual</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> </tbody> </table></div> <h2> 💼 How I'm Using This in Production <a id="how-im-using-this-in-production"></a> </h2> <p>I built this library because I needed it for my own projects. Here's how I'm using it:</p> <h3> PDFCourt.com - Legal Document Processing </h3> <ul> <li> <strong>Custom user model</strong> with subscription tiers</li> <li> <strong>Quota tracking</strong> per user</li> <li> <strong>Self-hosted</strong> for data compliance </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Model</span><span class="p">,</span> <span class="n">UserMixin</span><span class="p">):</span> <span class="n">subscription_tier</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="nc">String</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">free</span><span class="sh">'</span><span class="p">)</span> <span class="n">documents_processed</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="n">monthly_limit</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">user_model</span><span class="o">=</span><span class="n">User</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/check-quota</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@jwt_required</span><span class="p">()</span> <span class="k">def</span> <span class="nf">check_quota</span><span class="p">():</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">get_jwt_identity</span><span class="p">())</span> <span class="n">remaining</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="n">monthly_limit</span> <span class="o">-</span> <span class="n">user</span><span class="p">.</span><span class="n">documents_processed</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">remaining</span><span class="sh">'</span><span class="p">:</span> <span class="n">remaining</span><span class="p">,</span> <span class="sh">'</span><span class="s">can_process</span><span class="sh">'</span><span class="p">:</span> <span class="n">remaining</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">}</span> </code></pre> </div> <h3> ShuffleTurn.com - Gaming Platform </h3> <ul> <li> <strong>OAuth integration</strong> (Google, Microsoft)</li> <li> <strong>Analytics integration</strong> via lifecycle hooks</li> <li> <strong>Custom user fields</strong> for gaming stats </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.shuffleturn.com</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span> <span class="na">hooks</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">afterLogin</span><span class="p">:</span> <span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">posthog</span><span class="p">.</span><span class="nf">identify</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">level</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">level</span> <span class="p">});</span> <span class="p">},</span> <span class="na">transformUser</span><span class="p">:</span> <span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="na">rankTitle</span><span class="p">:</span> <span class="nf">getRankTitle</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">level</span><span class="p">),</span> <span class="na">isPro</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">level</span> <span class="o">&gt;=</span> <span class="mi">50</span> <span class="p">})</span> <span class="p">}</span><span class="si">}</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> </code></pre> </div> <p><strong>Why I'm confident sharing this:</strong> I'm using this exact code in production. If it works for my projects, it can work for yours.</p> <h2> 🎨 When You Need More: Extensibility <a id="when-you-need-more-extensibility"></a> </h2> <p>Start simple. Extend when needed. Here's how:</p> <h3> 1. Lifecycle Hooks (Frontend) </h3> <p>Inject custom logic at <strong>any point</strong> in the auth flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:5000</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span> <span class="na">hooks</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="c1">// After successful login</span> <span class="na">afterLogin</span><span class="p">:</span> <span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">analytics</span><span class="p">.</span><span class="nf">identify</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="nx">posthog</span><span class="p">.</span><span class="nf">track</span><span class="p">(</span><span class="dl">'</span><span class="s1">User Logged In</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="c1">// On login error</span> <span class="na">onLoginError</span><span class="p">:</span> <span class="p">({</span> <span class="nx">error</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">captureException</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="nx">toast</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">},</span> <span class="c1">// After successful signup</span> <span class="na">afterSignup</span><span class="p">:</span> <span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">analytics</span><span class="p">.</span><span class="nf">track</span><span class="p">(</span><span class="dl">'</span><span class="s1">User Signed Up</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Trigger onboarding flow</span> <span class="p">},</span> <span class="c1">// Transform user data</span> <span class="na">transformUser</span><span class="p">:</span> <span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="na">fullName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">first_name</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">last_name</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">isAdmin</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">roles</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="p">}),</span> <span class="c1">// After token refresh</span> <span class="na">afterTokenRefresh</span><span class="p">:</span> <span class="p">({</span> <span class="nx">access_token</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token refreshed silently</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="c1">// After logout</span> <span class="na">afterLogout</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">analytics</span><span class="p">.</span><span class="nf">reset</span><span class="p">();</span> <span class="c1">// Clear app state</span> <span class="p">},</span> <span class="c1">// Global auth error handler</span> <span class="na">onAuthError</span><span class="p">:</span> <span class="p">({</span> <span class="nx">error</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">401</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Redirect to login</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span><span class="si">}</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> </code></pre> </div> <p><strong>Available hooks:</strong></p> <ul> <li> <code>afterLogin</code> - Post-login logic</li> <li> <code>afterSignup</code> - Post-signup logic</li> <li> <code>afterLogout</code> - Post-logout cleanup</li> <li> <code>onLoginError</code> - Login error handling</li> <li> <code>onSignupError</code> - Signup error handling</li> <li> <code>afterTokenRefresh</code> - Token refresh callback</li> <li> <code>transformUser</code> - Transform user data</li> <li> <code>onAuthError</code> - Global error handler</li> </ul> <p><strong>Perfect for:</strong></p> <ul> <li>Analytics (PostHog, Mixpanel, Amplitude)</li> <li>Error tracking (Sentry, LogRocket)</li> <li>Onboarding flows</li> <li>Data transformation</li> <li>Custom redirects</li> </ul> <h3> 2. Custom User Models (Backend) </h3> <p>Add <strong>any fields</strong> you need to the user model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_headless_auth</span> <span class="kn">import</span> <span class="n">AuthSvc</span><span class="p">,</span> <span class="n">UserMixin</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Model</span><span class="p">,</span> <span class="n">UserMixin</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">'</span><span class="s">users</span><span class="sh">'</span> <span class="c1"># Add ANY custom fields </span> <span class="n">company</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="nc">String</span><span class="p">(</span><span class="mi">200</span><span class="p">))</span> <span class="n">subscription_tier</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="nc">String</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">free</span><span class="sh">'</span><span class="p">)</span> <span class="n">monthly_quota</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">100</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="nc">String</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">unique</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">level</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">avatar_url</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="nc">String</span><span class="p">(</span><span class="mi">500</span><span class="p">))</span> <span class="n">bio</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Text</span><span class="p">)</span> <span class="n">preferences</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nc">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">JSON</span><span class="p">)</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">user_model</span><span class="o">=</span><span class="n">User</span><span class="p">)</span> </code></pre> </div> <p><strong>Bonus: Model Validation</strong></p> <p>We validate your model at startup. Missing required fields? You get a <strong>clear error</strong> with the exact fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>❌ USER MODEL VALIDATION FAILED Missing required field: mfa_enabled Type: Boolean Default: False SQL Fix: ALTER TABLE users ADD COLUMN mfa_enabled BOOLEAN DEFAULT FALSE; </code></pre> </div> <p><strong>No cryptic runtime errors in production!</strong></p> <h3> 3. Custom JWT Claims </h3> <p>Add custom data to JWT tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@auth.additional_claims_loader</span> <span class="k">def</span> <span class="nf">add_claims_to_jwt</span><span class="p">(</span><span class="n">identity</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">identity</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">role</span><span class="p">,</span> <span class="sh">'</span><span class="s">subscription</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">subscription_tier</span><span class="p">,</span> <span class="sh">'</span><span class="s">company_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">company_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">permissions</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="nf">get_permissions</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p>Access in protected routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_jwt_extended</span> <span class="kn">import</span> <span class="n">get_jwt</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/admin/users</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@jwt_required</span><span class="p">()</span> <span class="k">def</span> <span class="nf">admin_users</span><span class="p">():</span> <span class="n">claims</span> <span class="o">=</span> <span class="nf">get_jwt</span><span class="p">()</span> <span class="k">if</span> <span class="n">claims</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Unauthorized</span><span class="sh">'</span><span class="p">},</span> <span class="mi">403</span> <span class="c1"># Admin logic here </span></code></pre> </div> <h3> 4. Custom Routes &amp; Endpoints </h3> <p>Add your own protected endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_jwt_extended</span> <span class="kn">import</span> <span class="n">jwt_required</span><span class="p">,</span> <span class="n">get_jwt_identity</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/check-quota</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@jwt_required</span><span class="p">()</span> <span class="k">def</span> <span class="nf">check_quota</span><span class="p">():</span> <span class="n">user_id</span> <span class="o">=</span> <span class="nf">get_jwt_identity</span><span class="p">()</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span><span class="p">.</span><span class="n">subscription_tier</span> <span class="o">==</span> <span class="sh">'</span><span class="s">free</span><span class="sh">'</span> <span class="ow">and</span> <span class="n">user</span><span class="p">.</span><span class="n">usage</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Upgrade required</span><span class="sh">'</span><span class="p">},</span> <span class="mi">403</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">remaining</span><span class="sh">'</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">monthly_quota</span> <span class="o">-</span> <span class="n">user</span><span class="p">.</span><span class="n">usage</span><span class="p">}</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/auth/upgrade</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@jwt_required</span><span class="p">()</span> <span class="k">def</span> <span class="nf">upgrade_subscription</span><span class="p">():</span> <span class="n">user_id</span> <span class="o">=</span> <span class="nf">get_jwt_identity</span><span class="p">()</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="n">user</span><span class="p">.</span><span class="n">subscription_tier</span> <span class="o">=</span> <span class="sh">'</span><span class="s">pro</span><span class="sh">'</span> <span class="n">user</span><span class="p">.</span><span class="n">monthly_quota</span> <span class="o">=</span> <span class="mi">1000</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Upgraded successfully</span><span class="sh">'</span><span class="p">}</span> </code></pre> </div> <h3> 5. Framework-Agnostic Core (No React Required) </h3> <p>Use the core <code>AuthClient</code> with <strong>any framework</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthClient</span><span class="p">,</span> <span class="nx">TokenStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@headlesskits/react-headless-auth/core</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Initialize</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenStorage</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-first</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuthClient</span><span class="p">(</span> <span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.example.com</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">storage</span> <span class="p">);</span> <span class="c1">// Use anywhere</span> <span class="k">await</span> <span class="nx">authClient</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authClient</span><span class="p">.</span><span class="nf">getUser</span><span class="p">();</span> <span class="k">await</span> <span class="nx">authClient</span><span class="p">.</span><span class="nf">logout</span><span class="p">();</span> </code></pre> </div> <p><strong>Works in:</strong></p> <ul> <li>✅ Vue 3, Svelte, Angular, Solid.js</li> <li>✅ React Native (with AsyncStorage adapter)</li> <li>✅ Electron (with secure storage)</li> <li>✅ Vanilla JavaScript</li> <li>✅ Node.js (server-side)</li> </ul> <p><strong>Example: Vue 3 Composition API</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ref</span><span class="p">,</span> <span class="nx">onMounted</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthClient</span><span class="p">,</span> <span class="nx">TokenStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@headlesskits/react-headless-auth/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useAuth</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isAuthenticated</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">storage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenStorage</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-first</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuthClient</span><span class="p">({</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">storage</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">login</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authClient</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="nx">user</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="nx">isAuthenticated</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">};</span> <span class="nf">onMounted</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authClient</span><span class="p">.</span><span class="nf">getUser</span><span class="p">();</span> <span class="nx">isAuthenticated</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">login</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> 6. Email Service Configuration </h3> <p>Built-in support for <strong>Gmail</strong> and <strong>Brevo</strong> (SendInBlue):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Gmail </span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">EMAIL_SERVICE</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">gmail</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">GMAIL_ADDRESS</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-email@gmail.com</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">GMAIL_APP_PASSWORD</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-app-password</span><span class="sh">'</span> <span class="c1"># OR Brevo </span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">EMAIL_SERVICE</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">brevo</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">BREVO_API_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-api-key</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">BREVO_SENDER_EMAIL</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">noreply@yourdomain.com</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">BREVO_SENDER_NAME</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">Your App</span><span class="sh">'</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> </code></pre> </div> <p><strong>Or bring your own email service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_headless_auth.interfaces</span> <span class="kn">import</span> <span class="n">EmailServiceInterface</span> <span class="k">class</span> <span class="nc">CustomEmailService</span><span class="p">(</span><span class="n">EmailServiceInterface</span><span class="p">):</span> <span class="k">def</span> <span class="nf">send_email</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">to</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">subject</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="c1"># Your email logic here </span> <span class="k">pass</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">email_service</span><span class="o">=</span><span class="nc">CustomEmailService</span><span class="p">())</span> </code></pre> </div> <h3> 7. OAuth Provider Configuration </h3> <p>Add Google and Microsoft OAuth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Google OAuth </span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">GOOGLE_CLIENT_ID</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-google-client-id</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">GOOGLE_CLIENT_SECRET</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-google-client-secret</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">GOOGLE_REDIRECT_URI</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">http://localhost:5000/api/auth/callback/google</span><span class="sh">'</span> <span class="c1"># Microsoft OAuth </span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">MICROSOFT_CLIENT_ID</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-microsoft-client-id</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">MICROSOFT_CLIENT_SECRET</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-microsoft-client-secret</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">MICROSOFT_REDIRECT_URI</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">http://localhost:5000/api/auth/callback/microsoft</span><span class="sh">'</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> </code></pre> </div> <p><strong>Frontend usage:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">function</span> <span class="nf">LoginPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handleGoogleLogin</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http://localhost:5000/api/auth/login/google</span><span class="dl">'</span><span class="p">;</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">handleGoogleLogin</span><span class="si">}</span><span class="p">&gt;</span> Sign in with Google <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 🔒 Security Deep Dive <a id="security-deep-dive"></a> </h2> <h3> What's Included Out of the Box </h3> <p><strong>Password Security:</strong></p> <ul> <li>bcrypt hashing with cost factor 12</li> <li>Minimum password requirements (8+ chars, uppercase, lowercase, number)</li> <li>Password strength validation</li> <li>Secure password reset with time-limited tokens</li> </ul> <p><strong>Token Security:</strong></p> <ul> <li>JWT with RS256 or HS256 signing</li> <li>Automatic token rotation</li> <li>Token blacklisting on logout</li> <li>Refresh token rotation</li> <li>httpOnly cookies (XSS-proof)</li> <li>SameSite cookie attribute (CSRF protection)</li> </ul> <p><strong>API Security:</strong></p> <ul> <li>Rate limiting on auth endpoints (10 requests/minute)</li> <li>Input validation and sanitization</li> <li>SQL injection prevention (SQLAlchemy ORM)</li> <li>CORS configuration support</li> <li>Request size limits</li> </ul> <p><strong>Session Security:</strong></p> <ul> <li>Automatic session timeout</li> <li>Concurrent session management</li> <li>Device tracking (optional)</li> <li>IP-based validation (optional)</li> </ul> <h3> Security Best Practices </h3> <p>The library follows OWASP guidelines:</p> <ul> <li>✅ <strong>A01: Broken Access Control</strong> - JWT-based auth with role validation</li> <li>✅ <strong>A02: Cryptographic Failures</strong> - bcrypt, secure token generation</li> <li>✅ <strong>A03: Injection</strong> - Parameterized queries, input validation</li> <li>✅ <strong>A04: Insecure Design</strong> - Secure by default configuration</li> <li>✅ <strong>A05: Security Misconfiguration</strong> - Sensible defaults</li> <li>✅ <strong>A07: Identification and Authentication Failures</strong> - MFA support, secure password reset</li> </ul> <h2> 🚀 Get Started in 2 Minutes <a id="get-started-in-2-minutes"></a> </h2> <h3> Option 1: Full Stack (React + Flask) </h3> <p><strong>Step 1: Install packages</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Backend</span> pip <span class="nb">install </span>flask-headless-auth <span class="c"># Frontend</span> npm <span class="nb">install</span> @headlesskits/react-headless-auth </code></pre> </div> <p><strong>Step 2: Backend setup</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">flask_headless_auth</span> <span class="kn">import</span> <span class="n">AuthSvc</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">SECRET_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">your-secret-key</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">JWT_SECRET_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">jwt-secret-key</span><span class="sh">'</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">SQLALCHEMY_DATABASE_URI</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="sh">'</span><span class="s">sqlite:///app.db</span><span class="sh">'</span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">()</span> </code></pre> </div> <p><strong>Step 3: Frontend setup</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthProvider</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@headlesskits/react-headless-auth</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:5000</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">YourApp</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Done!</strong> You have full authentication.</p> <h3> Option 2: Backend Only </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>flask-headless-auth </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">flask_headless_auth</span> <span class="kn">import</span> <span class="n">AuthSvc</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># ... config ... </span> <span class="n">auth</span> <span class="o">=</span> <span class="nc">AuthSvc</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="c1"># 20+ REST endpoints ready </span></code></pre> </div> <p>Point your frontend (Vue, Angular, mobile app) to the API endpoints.</p> <h3> Option 3: Frontend Only </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @headlesskits/react-headless-auth </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">AuthProvider</span> <span class="na">config</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-backend.com</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">App</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">AuthProvider</span><span class="p">&gt;</span> </code></pre> </div> <p>Implement 5 endpoints on your backend (Express, Django, etc.).</p> <h2> 📚 Documentation &amp; Resources </h2> <ul> <li>🏠 <a href="https://github.com/Dhruvagnihotri/headlesskits" rel="noopener noreferrer">HeadlessKit Hub</a> - <strong>Start here!</strong> All packages in one place</li> <li>🌟 <a href="https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer">React Package (GitHub)</a> </li> <li>🐍 <a href="https://github.com/Dhruvagnihotri/flask-headless-auth" rel="noopener noreferrer">Flask Package (GitHub)</a> </li> <li>📦 <a href="https://www.npmjs.com/package/@headlesskits/react-headless-auth" rel="noopener noreferrer">React (NPM)</a> </li> <li>🐍 <a href="https://pypi.org/project/flask-headless-auth/" rel="noopener noreferrer">Flask (PyPI)</a> </li> <li>💬 <a href="https://github.com/Dhruvagnihotri/react-headless-auth/discussions" rel="noopener noreferrer">Discussions</a> </li> <li>🐛 <a href="https://github.com/Dhruvagnihotri/react-headless-auth/issues" rel="noopener noreferrer">Report Issues</a> </li> <li>📧 <a href="mailto:dagni@umich.edu">Email Me</a> </li> </ul> <h2> 🗺️ Roadmap <a id="roadmap"></a> </h2> <p><strong>Coming soon:</strong></p> <ul> <li>Vue.js &amp; Svelte SDKs</li> <li>Magic links (passwordless auth)</li> <li>WebAuthn/Passkeys support</li> <li>Express.js &amp; FastAPI backends</li> <li>React Native &amp; Flutter SDKs</li> <li>GitHub &amp; Apple OAuth</li> <li>Admin dashboard UI</li> </ul> <p><strong>Want to contribute?</strong> Check out <a href="https://github.com/Dhruvagnihotri/react-headless-auth/blob/main/CONTRIBUTING.md" rel="noopener noreferrer">CONTRIBUTING.md</a></p> <h2> 🌟 Join the Community </h2> <p><strong>If this helps you, please:</strong></p> <ul> <li>⭐ Star the repos on GitHub</li> <li>🐛 <a href="https://github.com/Dhruvagnihotri/react-headless-auth/issues" rel="noopener noreferrer">Report issues</a> or suggest features</li> <li>💬 Join <a href="https://github.com/Dhruvagnihotri/react-headless-auth/discussions" rel="noopener noreferrer">Discussions</a> </li> <li>🔄 Share on <a href="https://twitter.com/intent/tweet?text=Check%20out%20HeadlessKit%20Auth%20-%20production-ready%20authentication%20in%202%20minutes!%20Free%20Auth0%2FClerk%20alternative.%20https%3A%2F%2Fgithub.com%2FDhruvagnihotri%2Freact-headless-auth" rel="noopener noreferrer">Twitter/X</a>, <a href="https://www.linkedin.com/sharing/share-offsite/?url=https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer">LinkedIn</a>, or <a href="https://www.reddit.com/submit?url=https://github.com/Dhruvagnihotri/react-headless-auth&amp;title=I%20Built%20a%20Free%20Auth0%20Alternative" rel="noopener noreferrer">Reddit</a> </li> </ul> <p> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/Dhruvagnihotri" rel="noopener noreferrer"> Dhruvagnihotri </a> / <a href="https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer"> react-headless-auth </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">@headlesskits/react-headless-auth</h1> </div> <p><a href="https://www.npmjs.com/package/@headlesskits/react-headless-auth" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/e4e3d8953ac737553ac42ce397bea6e821114d5cac4a1333d9cf514a7cf20a8f/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f762f40686561646c6573736b6974732f72656163742d686561646c6573732d617574682e737667" alt="npm version"></a> <a href="https://www.npmjs.com/package/@headlesskits/react-headless-auth" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d0e065eaeae53750a2a8d3a7c601f0111535cb5422ab060fc98c1d4b8d2c8fd6/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f646d2f40686561646c6573736b6974732f72656163742d686561646c6573732d617574682e737667" alt="npm downloads"></a> <a href="https://opensource.org/licenses/MIT" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/fdf2982b9f5d7489dcf44570e714e3a15fce6253e0cc6b5aa61a075aac2ff71b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d4d49542d79656c6c6f772e737667" alt="License: MIT"></a> <a href="https://www.typescriptlang.org/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/790b7c93541091adba6edfeea1ff76cec5424a36ecc05f0ccf1e2ceb1cbc2c18/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f547970655363726970742d3130302532352d626c75652e737667" alt="TypeScript"></a> <a href="https://bundlephobia.com/package/@headlesskits/react-headless-auth" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/e045a0c3048bf8853961fbbb34aa83f4ace61cc95b3769351784309fb1e2eeb9/68747470733a2f2f696d672e736869656c64732e696f2f62756e646c6570686f6269612f6d696e7a69702f40686561646c6573736b6974732f72656163742d686561646c6573732d61757468" alt="Bundle Size"></a></p> <blockquote> <p><strong>🚀 Production-ready React authentication in 2 minutes.</strong> Smart cookie fallback, automatic token refresh, zero dependencies. The simplest way to add enterprise-grade auth to your React app.</p> </blockquote> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>npm install @headlesskits/react-headless-auth</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">💡 Why Choose This?</h2> </div> <p><strong>The Problem:</strong> Authentication is hard. Auth0 costs $300/month. Building it yourself takes weeks. Most libraries force you to choose between security (cookies) OR compatibility (localStorage).</p> <p><strong>Our Solution:</strong> Best of both worlds. Maximum security for 99% of users (httpOnly cookies), automatic fallback for the 1% with blocked cookies (localStorage). Plus a complete backend SDK so you don't spend weeks building auth routes.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>react-headless-auth</th> <th>NextAuth</th> <th>Clerk</th> <th>Auth0</th> <th>Supabase Auth</th> </tr> </thead> <tbody> <tr> <td><strong>Setup Time</strong></td> <td>⚡ <strong>2 minutes</strong> </td> <td>30 min</td> <td>15 min</td> <td>20 min</td> <td>15 min</td> </tr> <tr> <td><strong>Monthly Cost</strong></td> <td>✅ <strong>$0</strong> </td> <td>Free</td> <td><strong>$300</strong></td> <td><strong>$240</strong></td> <td>Free tier limited</td> </tr> <tr> <td><strong>Smart Cookie Fallback</strong></td> <td>✅ <strong>Industry First</strong> </td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Zero Dependencies</strong></td> <td>✅ (~15KB)</td> <td>❌ (heavy)</td> <td>✅</td> <td>✅</td> <td> ⚠️ (medium)</td> </tr> <tr> <td><strong>Backend Included</strong></td> <td>✅ <strong>flask-headless-auth</strong> </td> <td> ⚠️ </td> </tr> </tbody> </table></div>…</div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer">View on GitHub</a></div> </div> <br> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/Dhruvagnihotri" rel="noopener noreferrer"> Dhruvagnihotri </a> / <a href="https://github.com/Dhruvagnihotri/flask-headless-auth" rel="noopener noreferrer"> flask-headless-auth </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Flask-Headless-Auth</h1> </div> <p><a href="https://pypi.org/project/flask-headless-auth/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/63dc7eaac9ba1c2cd738bcff8757ea1592465f601d78747b494406383eb76645/68747470733a2f2f62616467652e667572792e696f2f70792f666c61736b2d686561646c6573732d617574682e737667" alt="PyPI version"></a> <a href="https://www.python.org/downloads/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/bd7bcdc70784bad7073b66850c51f4fed5dc3b2fc782277551b9013c7d27f043/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f707974686f6e2d332e382b2d626c75652e737667" alt="Python 3.8+"></a> <a href="https://pepy.tech/project/flask-headless-auth" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/ae30a54ff9615d9000cbb9f2d54ad0dc4b35384dfccfde3cba85782fc1888008/68747470733a2f2f706570792e746563682f62616467652f666c61736b2d686561646c6573732d61757468" alt="Downloads"></a> <a href="https://opensource.org/licenses/MIT" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/fdf2982b9f5d7489dcf44570e714e3a15fce6253e0cc6b5aa61a075aac2ff71b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d4d49542d79656c6c6f772e737667" alt="License: MIT"></a> <a href="https://github.com/psf/black" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/7019b88be88468d6b83fcbf59d2c06bfa4992bafa7d129f9b89ab29f8c7c1acb/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f636f64652532307374796c652d626c61636b2d3030303030302e737667" alt="Code style: black"></a></p> <blockquote> <p><strong>🔐 Production-ready Flask authentication in one line.</strong> Get 20+ auth routes instantly. JWT, OAuth, MFA, RBAC built-in. Works with React, Next.js, Vue, any frontend. The free, self-hosted alternative to Auth0/Clerk ($3,600/year saved).</p> </blockquote> <div class="markdown-heading"> <h2 class="heading-element">💡 What You Get</h2> </div> <p>In <strong>one line of code</strong> (<code>AuthSvc(app)</code>), you get a complete authentication system that would take weeks to build:</p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-s1">auth</span> <span class="pl-c1">=</span> <span class="pl-en">AuthSvc</span>(<span class="pl-s1">app</span>) <span class="pl-c"># That's it! 🎉</span></pre> </div> <p><strong>Instantly Available:</strong></p> <ul> <li>✅ <strong>20+ Production Routes</strong> - Login, signup, OAuth, password reset, MFA, profile management</li> <li>✅ <strong>JWT + httpOnly Cookies</strong> - Maximum security with automatic fallback</li> <li>✅ <strong>OAuth Ready</strong> - Google &amp; Microsoft sign-in (GitHub, Apple coming soon)</li> <li>✅ <strong>MFA/2FA</strong> - Multi-factor authentication built-in</li> <li>✅ <strong>RBAC</strong> - Role-based access control</li> <li>✅ <strong>Email Services</strong> - Verification &amp; password reset emails</li> <li>✅ <strong>Rate Limiting</strong> - Brute force protection</li> <li>✅ <strong>Token Blacklisting</strong> - Secure logout</li> <li>✅ <strong>Security Headers</strong> - CSRF, XSS, CORS protection</li> <li>✅ <strong>Custom User</strong>…</li> </ul> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/Dhruvagnihotri/flask-headless-auth" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Your support helps other developers discover this project!</p> <h2> 🎯 Final Thoughts </h2> <p>Authentication doesn't have to be hard, expensive, or lock you into a vendor. With HeadlessKit, you get:</p> <ul> <li>✅ Production-ready auth in <strong>2 minutes</strong> </li> <li>✅ <strong>Smart cookie fallback</strong> for maximum compatibility</li> <li>✅ <strong>20+ routes</strong> from one line of code</li> <li>✅ <strong>Complete control</strong> over your data</li> <li>✅ <strong>Zero recurring costs</strong> </li> </ul> <p><strong>Built by an indie dev for indie devs.</strong> No venture capital. No pricing tiers. No vendor lock-in. Just great open-source software.</p> <p><strong>Questions? Comments? Want to contribute?</strong><br><br> Drop a comment below or reach out on <a href="https://github.com/Dhruvagnihotri/react-headless-auth" rel="noopener noreferrer">GitHub</a>!</p> <p><strong>Tags:</strong> #react #authentication #opensource #flask #jwt #oauth #webdev #javascript #python #nextjs #security #selfhosted #indiedev #auth0alternative #clerkalt</p> opensource authentication react python