Every time I start a project on Cloudflare Workers I end up rebuilding the same plumbing: sessions, a D1-backed API, rate limiting. So I packaged it into a small starter called EdgeKit (Hono + D1 + KV). Sharing the approach here in case it's useful.
Auth without an external bill
No Auth0, no per-MAU pricing — just PBKDF2 via Web Crypto (runs natively on Workers) plus sessions in KV:
```js
// Helper the snippet relies on: encode the password as UTF-8 bytes for importKey
const enc = (s) => new TextEncoder().encode(s);

// Fresh 16-byte random salt per password
const salt = crypto.getRandomValues(new Uint8Array(16));
const key = await crypto.subtle.importKey("raw", enc(password), "PBKDF2", false, ["deriveBits"]);
const bits = await crypto.subtle.deriveBits(
  { name: "PBKDF2", salt, iterations: 100_000, hash: "SHA-256" }, key, 256,
);
// store `pbkdf2$iters$salt$hash`; verify with a constant-time compare
```
The session token lives in an HttpOnly cookie and maps to a user id in KV with a TTL. Logout just deletes the KV key.
What's in it
- Session auth (KV) + a tenant-scoped D1 CRUD API with migrations
- A KV fixed-window rate limiter guarding the auth routes
- Typed, tested, one-command `wrangler deploy`
Live demo (a real Worker you can hit): https://edgekit-storefront.xok.workers.dev
Happy to answer anything about the D1 schema or the rate-limiter design in the comments.