Aura Auth
Integrations

Cloudflare Workers

Build your first authentication flow with Aura Auth and Cloudflare Workers

This guide walks you through implementing Aura Auth in a Cloudflare application with complete support. If you haven't configured Aura Auth yet, start with the Installation Guide and Quick Start Guide to set up your Auth instance and environment variables. Then follow the steps in this guide to integrate Aura Auth with your Cloudflare Worker application.

Environment Setup

Using the wrangler CLI or the Cloudflare dashboard, add the required secret environment variables. Workers read secrets from the env argument rather than process.env.

Cloudflare Workers also support secret bindings in the dashboard, which is the preferred option for production deployments.

npx wrangler secret put AURA_AUTH_SECRET
npx wrangler secret put AURA_AUTH_SALT
npx wrangler secret put AURA_AUTH_GITHUB_CLIENT_ID
npx wrangler secret put AURA_AUTH_GITHUB_CLIENT_SECRET

As a second option, you can define the variables locally in a .env file and generate the Env type with the wrangler CLI:

wrangler types

Setup Aura Auth

Set up your auth.ts file in src/lib/ and configure Aura Auth for your Cloudflare Worker.

src/lib/auth.ts
import { createAuth } from "@aura-stack/auth"

export const auth = createAuth({
  oauth: ["github"],
  basePath: "/api/auth",
})

export const { handlers, jose, api } = auth

basePath must match the route you expose in your worker. If the route changes, update the auth config and handler together.

Mount HTTP Handlers

Because Workers pass environment variables into the fetch execution context, keep your auth setup in a separate module and route /api/auth/* requests to handlers.ALL.

The worker below delegates only auth requests to Aura Auth and returns a 404 for everything else.

src/index.ts
import { handlers } from "./lib/auth"

export default {
  async fetch(request: Request): Promise<Response> {
    const pathname = new URL(request.url).pathname
    if (pathname.startsWith("/api/auth/")) {
      return await handlers.ALL(request)
    }
    return new Response("Not Found", { status: 404 })
  },
} satisfies ExportedHandler<Env>

Use this pattern when you want a single worker to handle both auth endpoints and a small number of custom routes.

Common Pitfalls

  • Keep basePath aligned with the worker route. If your auth endpoint is /api/auth/*, the auth config should use basePath: "/api/auth".
  • Use Cloudflare secret bindings in production. Workers should read credentials from env, not from process.env.
  • Keep the auth logic in one module. Import src/lib/auth.ts from your worker entry point so the handlers stay shared and consistent.
  • Return a 404 for non-auth routes. That keeps the worker behavior explicit and easier to debug.

Resources

Oak

Integrate Aura Auth with Oak (Deno)

Supabase Edge Functions

Integrate Aura Auth and Supabase Edge Functions

On this page

Environment SetupSetup Aura AuthMount HTTP HandlersCommon PitfallsResources