The latest articles on DEV Community by Levani Gventsadze (@xokaido). https://dev.to/xokaido https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3993811%2F0fbb46f8-387e-4cf6-980c-ce772c855b22.jpg https://dev.to/xokaido en Levani Gventsadze Sat, 20 Jun 2026 08:55:19 +0000 https://dev.to/xokaido/i-built-a-cloudflare-workers-saas-starter-auth-d1-rate-limiting-no-auth0-4ope https://dev.to/xokaido/i-built-a-cloudflare-workers-saas-starter-auth-d1-rate-limiting-no-auth0-4ope <p>Every time I start a project on Cloudflare Workers I end up rebuilding the same plumbing: sessions, a D1-backed API, rate limiting. So I packaged it into a small starter called EdgeKit (Hono + D1 + KV). Sharing the approach here in case it's useful.</p> <h2> Auth without an external bill </h2> <p>No Auth0, no per-MAU pricing — just PBKDF2 via Web Crypto (runs natively on Workers) plus sessions in KV:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span><span class="dl">"</span><span class="s2">raw</span><span class="dl">"</span><span class="p">,</span> <span class="nf">enc</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">deriveBits</span><span class="dl">"</span><span class="p">]);</span> <span class="kd">const</span> <span class="nx">bits</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">deriveBits</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PBKDF2</span><span class="dl">"</span><span class="p">,</span> <span class="nx">salt</span><span class="p">,</span> <span class="na">iterations</span><span class="p">:</span> <span class="mi">100</span><span class="nx">_000</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SHA-256</span><span class="dl">"</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="mi">256</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// store `pbkdf2$iters$salt$hash`; verify with a constant-time compare</span> </code></pre> </div> <p>The session token lives in an HttpOnly cookie and maps to a user id in KV with a TTL. Logout just deletes the KV key.</p> <h2> What's in it </h2> <ul> <li>Session auth (KV) + a tenant-scoped D1 CRUD API with migrations</li> <li>A KV fixed-window rate limiter guarding the auth routes</li> <li>Typed, tested, one-command <code>wrangler deploy</code> </li> </ul> <p>Live demo (a real Worker you can hit): <a href="https://edgekit-storefront.xok.workers.dev" rel="noopener noreferrer">https://edgekit-storefront.xok.workers.dev</a></p> <p>Happy to answer anything about the D1 schema or the rate-limiter design in the comments.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> </code></pre> </div> cloudflare webdev typescript saas