Libraries for Custom Authentication Flows

Every auth library promises flexibility.Only one standardizes it.Pubflow IS the Trust Layer Standard.

Stop reinventing sessions, tokens, and revocation on every project. Pubflow is the portable, language-agnostic architecture that defines how custom authentication flows should work — in any language, on most databases, with zero vendor lock-in.

Start free — no card requiredExplore the library
Any language · official + community kitsMost databases — one env var to switchZero lock-in · self-host or managed
3–8 wks
average time to build custom auth from scratch
6 core
concepts every custom auth flow requires
1 standard
that packages all of them — Pubflow

What Custom Auth Flows Actually Require

Most auth libraries handle "sign in with email". Custom auth means controlling every part of the flow — session shape, token types, per-route validation, multi-db portability, and language freedom.

Custom OAuth Providers

Add any OAuth provider — not just the pre-packaged ones. Define custom scopes, callback behavior, and token mapping for any identity source.

Custom Session Shape

Control exactly what lives in a session. Flowless issues Trust Session Tokens — opaque to the client, validated server-to-server only via Bridge Validation.

PASETO Trust Tokens

Single-use, Ed25519-signed tokens for magic links, email verification, password reset, and org invitations. Cryptographic. Time-limited. Built into the standard.

Per-Route Validation Modes

STANDARD (session + IP), ADVANCED (+device fingerprint), STRICT (+user-agent). Select validation strictness per route — granular control over every endpoint.

Multi-Database Portability

PostgreSQL, MySQL, LibSQL/Turso, Neon, PlanetScale, CockroachDB. Switch your entire database with one environment variable — zero code change required.

Language Freedom

The Trust Layer Standard concepts are portable. Official TypeScript/Node.js kit. Community implementations for Python, Go, and Elixir. Any language can adopt it.

Trust Layer Architecture

The Architecture Behind Custom Auth

Three components. One portable standard. Each plays a distinct role in the trust flow — and together they cover every custom auth scenario.

The Trust Layer

Flowless

Manages identity, sessions, OAuth, 2FA, and password reset. Issues Trust Session Tokens (opaque to client) and Trust Tokens (PASETO single-use). Managed or self-hosted.

  • Login · OAuth · 2FA · Password reset
  • Trust Session Tokens — opaque session_id to client
  • Trust Tokens — PASETO Ed25519 single-use actions
  • HybridCache: <1ms session validation · 97% hit rate
The Protocol

Bridge Validation

Server-to-server protocol connecting Flowfull to Flowless. Validates sessions with a shared bridge_secret. The Trust Session Token payload never reaches the client.

  • Server-to-server only — client never sees payload
  • Shared bridge_secret authentication
  • Instant revocation — no expiry-wait window
  • Cryptographically signed — no JWT alg confusion
Your Business Logic

Flowfull

Your code, your language, your database. Trusts Flowless for identity — owns the answer for what the user can do. Authorization, permissions, and rules entirely yours.

  • Any language — Node.js, Python, Go, Elixir
  • Your database, your schema, your rules
  • Authorization logic you control 100%
  • Stateless — scale horizontally forever
Deep dive into the Trust Layer

Any Language. One Standard.

The Trust Layer Standard concepts are language-agnostic. Official starter kits and community implementations let you build custom auth flows in your preferred stack.

TypeScript / Node.js
Hono · Express · Fastify
Official
Python
FastAPI · Django · Flask
Community
Go
gin · chi · standard lib
Community
Elixir
Phoenix · Plug
Community
Rust
Axum · Actix-Web
Coming soon
View all kits in the Library

Bridge Validation in Action

Stop writing session validation logic from scratch. The Trust Layer Standard gives you a proven, auditable pattern — in any language, starting in minutes.

The Old Way
// Manually validate JWT
// — exposed to alg confusion attacks
const decoded = jwt.verify(
  token,
  process.env.JWT_SECRET
);

if (!decoded) {
  return res
    .status(401)
    .json({ error: "Unauthorized" });
}

// ✗ No revocation — wait for expiry
// ✗ No device context captured
// ✗ One validation mode for all routes
// ✗ Client holds full JWT payload
The Pubflow Way
// Bridge Validation — Trust Layer Standard
// session_id is opaque. Payload stays backend-only.
const session = await flowless.validate(
  session_id,
  {
    mode: "ADVANCED"   // +device fingerprint
    bridge_secret: env.BRIDGE_SECRET
  }
);

// ✓ Instant revocation — no expiry wait
// ✓ 97% cache hit rate  (<1ms validation)
// ✓ Per-route validation modes
// ✓ Client only holds opaque session_id

session_id is opaque to the client. The full validated payload — user, device fingerprint, IP, metadata — travels Flowless → Flowfull only, server-to-server, never exposed.

7 Portable Concepts. Every Custom Auth Flow. Any Language.

These concepts work identically in TypeScript, Python, Go, and Elixir. Learn them once — apply them everywhere. Explore the full schema to see the database structure.

01

Bridge Validation

The distributed auth protocol. Flowfull validates sessions with Flowless server-to-server using a shared bridge_secret — payload never touches the client.

02

Trust Session Tokens

Opaque session_id to client. The cryptographically validated payload stays backend-only — never exposed in localStorage or cookies.

03

Trust Tokens (PASETO)

Single-use Ed25519-signed tokens for email verification, magic links, org invitations, and password reset. Time-limited. Invalidated after use.

04

Validation Modes

STANDARD, ADVANCED, STRICT — three layered security profiles. Select per route. Granular control over every endpoint's trust requirements.

05

HybridCache

3-tier cache: LRU (in-memory, <0.1ms) → Redis (distributed, <1ms) → Database (~50ms). 97% hit rate on session validation at scale.

06

Auth Middleware

Route-level protection pattern. Attach to any route in any framework with a single function call. Consistent across all languages.

07

Multi-Database Abstraction

PostgreSQL, MySQL, LibSQL, Neon, CockroachDB. Swap databases with one environment variable — zero application code change required.

Explore the full schema

Pubflow vs The Alternatives

Custom authentication flows require more than a sign-in widget. See how Pubflow compares on the features that actually matter.

FeatureAuth0FirebaseClerkSupabasePubflow
Custom OAuth providers
Custom session payload shape
Per-route validation modes
PASETO / Trust Tokens
Language portability
Database freedom
Instant session revocation
Self-hostable
Zero vendor lock-in

Auth0 and Clerk offer partial language support via SDKs. Supabase is PostgreSQL-only. Firebase locks you into Google infrastructure. "Partial" = limited or SDK-dependent support.

Start Free. Scale Without Lock-in.

From free to enterprise — the Trust Layer Standard on your terms.

Free
$0

Start building custom auth flows for free. No credit card required.

  • 2 deployment slots + Flowless managed
  • Full Trust Layer — Bridge Validation included
  • 1 cloud database · community support
Start free
Most popular
A1 — Starter
$5/mo

Real features from day one. Ship your custom auth flow today.

  • 3 slots · 100K req/mo · 8 BYOD DBs
  • Custom domain + full Trust Layer
  • Email support
Get started
Enterprise
Custom

Full custom auth flows at scale. Dedicated support, SLA, and negotiable limits.

  • Unlimited slots · custom request quota
  • Dedicated Flowless instance + custom SLA
  • Dedicated onboarding + 200 BYOD DBs
Contact us
View full pricing

Build your custom auth flow in minutes.

Not weeks. Pubflow IS the Trust Layer Standard — the portable, language-agnostic architecture that turns months of auth infrastructure work into hours. Start free. Own it forever.

Start building freeExplore the architecture

✓ Free plan available · No credit card required