Every time I start a project on Cloudflare Workers I end up rebuilding the same plumbing: sessions, a D1-backed API, rate limiting. So I packaged it into a small starter called EdgeKit (Hono + D1 + KV). Sharing the approach here in case it's useful.
Auth without an external bill
No Auth0, no per-MAU pricing — just PBKDF2 via Web Crypto (runs natively on Workers) plus sessions in KV:
const salt = crypto.getRandomValues(new Uint8Array(16));
const key = await crypto.subtle.importKey("raw", enc(password), "PBKDF2", false, ["deriveBits"]);
const bits = await crypto.subtle.deriveBits(
{ name: "PBKDF2", salt, iterations: 100_000, hash: "SHA-256" }, key, 256,
);
// store `pbkdf2$iters$salt$hash`; verify with a constant-time compare
The session token lives in an HttpOnly cookie and maps to a user id in KV with a TTL. Logout just deletes the KV key.
What's in it
- Session auth (KV) + a tenant-scoped D1 CRUD API with migrations
- A KV fixed-window rate limiter guarding the auth routes
- Typed, tested, one-command
wrangler deploy
Live demo (a real Worker you can hit): https://edgekit-storefront.xok.workers.dev
Happy to answer anything about the D1 schema or the rate-limiter design in the comments.
Top comments (1)
Hi, I noticed you discussed building a Cloudflare Workers SaaS starter and publishing to multiple platforms. Clypify can help you manage your content across multiple platforms, including WordPress and Medium. We also support RSS feeds. Free plan at clypify.com — no card needed.