$ npx redauth my-new-app

Build APIs Without the Boilerplate.

A production-ready Express + TypeScript authentication backend. Device-aware sessions, dual-token JWT with theft detection, Redis rate limiting & caching, BullMQ queues, and Zod v4 validation — all pre-wired. Drop it in and build on top.

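10+ Core Features
100% TypeScript
0 Config Hell

auth.service.ts

```ts
// Excerpt: name, email, hashedPassword, req and device come from the
// enclosing function, which is not shown here.
// User creation and token issuance share one transaction, so a failure
// while generating tokens rolls back the new user row as well.
const response = await prisma.$transaction(async (tx) => {
  const newUser = await tx.user.create({
    data: {
      name,
      email,
      password: hashedPassword,
    },
  });
  // Human-readable device label derived from the request
  const deviceName = getDevice(req);
  // Tokens are written through the same transaction client (tx)
  const tokens = await tokenService.generateTokens(
    { id: newUser.id, email },
    device,
    deviceName,
    tx,
  );
  return { user: newUser, tokens };
});
```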
🚀 Production Ready
✅ Type Safe

Everything You Need. Nothing You Don't.

Stop wiring up the same infrastructure. Start shipping features.

🔑

Token Management

Dual JWT (access + refresh) with automatic rotation, instant Redis revocation, and replay-attack theft detection that nukes all sessions.

Rate Limiting

Redis sliding-window rate limiting with per-route tiers — general, strict auth, and stricter email limits.

🗄️

Redis Caching

Redis user cache with Zod-validated reads/writes and instant invalidation on logout or account update.

Cron Jobs

Scheduled token cleanup runs every 10 minutes — expired records purged automatically from the database.

📨

Message Queues

BullMQ async email delivery, concurrency 5, 3 retries with exponential backoff, and orphaned token cleanup on final failure.

📧

Email Service

HTML email templates for verification, login alerts, and password reset — all dispatched via BullMQ queue.

🛡️

Zod v4 Validation

Schema-first validation on every endpoint with detailed error messages. Runtime type safety throughout.

🐘

Prisma ORM

Type-safe PostgreSQL queries via Prisma 7 with pg pool adapter. Migrations and indexed relations included.

🔐

Session Management

Device-scoped sessions — one refresh token per device, multiple concurrent sessions, per-session revocation.

⏱️

Timing-Attack Safe

Constant-time mitigations on all sensitive endpoints — login, forgot password, resend email — preventing user enumeration.
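The refresh-token rotation, replay (theft) detection and one-token-per-device sessions described under Token Management and Session Management above, as an added sketch that is not redauth's own code. `RefreshStore` and its method names are hypothetical, in-memory Maps stand in for Redis/PostgreSQL, and opaque random tokens replace signed JWTs to keep the example self-contained.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical in-memory stand-in for the Redis/PostgreSQL token store.
interface Session { userId: string; device: string; current: string }
interface RotateResult { ok: boolean; token?: string; reason?: string }

class RefreshStore {
  // One live session per (userId, device): one refresh token per device.
  private sessions = new Map<string, Session>();
  // Every token ever issued -> its session key, so a rotated-out token is
  // still recognised when replayed. A real store would expire these entries.
  private issued = new Map<string, string>();

  issue(userId: string, device: string): string {
    const token = randomBytes(32).toString("hex"); // opaque and unguessable
    const key = JSON.stringify([userId, device]); // unambiguous composite key
    this.sessions.set(key, { userId, device, current: token });
    this.issued.set(token, key);
    return token;
  }

  rotate(presented: string): RotateResult {
    const key = this.issued.get(presented);
    if (key === undefined) return { ok: false, reason: "unknown" };
    const session = this.sessions.get(key);
    if (session === undefined) return { ok: false, reason: "revoked" };
    if (session.current !== presented) {
      // A token that was already rotated out is being replayed, so two
      // parties hold tokens from the same chain. Revoke every session.
      this.revokeAll(session.userId);
      return { ok: false, reason: "reuse-detected" };
    }
    return { ok: true, token: this.issue(session.userId, session.device) };
  }

  revokeAll(userId: string): void {
    this.sessions.forEach((s, key) => {
      if (s.userId === userId) this.sessions.delete(key);
    });
  }

  activeDevices(userId: string): string[] {
    const devices: string[] = [];
    this.sessions.forEach((s) => { if (s.userId === userId) devices.push(s.device); });
    return devices.sort();
  }
}
```

The server cannot tell which party replayed the stale token, which is why the whole account is logged out rather than only the affected device.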

Powered by Battle-Tested Tech

Node.js, Express, TypeScript, PostgreSQL, Prisma, Redis, BullMQ, Nodemailer, Zod, JWT, bcrypt, Helmet, CORS

Up & Running in Minutes

No week-long setup. No rabbit holes. Just plug and ship.

01

Run One Command

Run `npx redauth my-new-app` in your terminal — the full backend scaffolds in seconds.

02

Run Migrations

Run `npx prisma migrate deploy` to apply the PostgreSQL schema in seconds.

03

Start Building

All auth, queues, and cron jobs are pre-wired. Just write your business logic.

Ready to Ship?

Try the live demo — register an account and experience device-aware sessions, email verification, token rotation, and rate limiting firsthand.