Voult.dev is a developer-first authentication platform that provides secure, scalable, and easy-to-integrate authentication APIs for modern web applications.
It handles the hard parts of auth — user management, email verification, password resets, magic links, OAuth integration, JWT handling, and account security — so developers can focus on building products, not auth systems.
Live: https://www.voult.dev
- User registration (email + password, or username + password)
- Secure login & logout (email-based or username-based)
- Magic link authentication (passwordless login)
- JWT-based authentication with token versioning
- Email verification flow
- Password reset (forgot & reset)
- Password strength enforcement
- Prevent login for:
  - Unverified emails
  - Disabled accounts
- OAuth middleware for API routes
- Multi-provider configuration (in development)
- Seamless provider integration
- Soft delete (disable account)
- Re-enable disabled accounts
- Token revocation via `tokenVersion`
- Current user (profile) endpoint (`/me`)
- Username and email-based account lookup
- API-first architecture
- Clean MVC structure
- Built for extensibility
- SDK support (WIP)
- Rate-limited sensitive endpoints
- Comprehensive input validation
- Atomic operations for data integrity
- Backend: Node.js, Express
- Auth: JWT, OAuth middleware
- Database: MongoDB + Mongoose
- Templating: EJS (for emails & views)
- Security: bcrypt, rate limiting, validation middleware, atomic transactions
- Frontend (Landing / Docs): HTML, CSS, JavaScript, React.js
This application uses csurf to protect all state-changing routes.
- HTML forms include a hidden field named `_csrf`.
- The CSRF token is injected into EJS templates as `csrfToken`.
- Example:
  ```html
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  ```
- A client can fetch a fresh token from `GET /auth/csrf-token`. The app exposes this endpoint for JS-based workflows.
- Use the token in subsequent requests with the `X-CSRF-Token` header.
Example fetch flow:

```javascript
// Step 1: obtain a fresh CSRF token; the session cookie must be sent along.
const response = await fetch('/auth/csrf-token', {
  method: 'GET',
  credentials: 'include'
});
const { token } = await response.json();

// Step 2: present the token on the state-changing request via X-CSRF-Token.
const loginResponse = await fetch('/api/auth/login', {
  method: 'POST',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/json',
    'X-CSRF-Token': token
  },
  body: JSON.stringify({ email, password })
});
```

- CSRF protection applies to web routes and API routes that mutate state.
- API requests require either the `X-CSRF-Token` header or a `_csrf` query/body token.
- The server also uses session-based CSRF tokens, so `credentials: 'include'` is required for cross-origin-safe requests.
```
voult/
├── config/        # App & auth configuration
├── controllers/   # Request handlers (auth, users, OAuth, magic links, etc.)
├── models/        # Mongoose schemas
├── routes/        # API routes
├── services/      # Business logic (tokens, email, OAuth, magic links, etc.)
├── validators/    # Input validation logic
├── utils/         # Shared utilities
├── views/         # EJS templates
├── public/        # Static assets
├── TODO.md        # Product roadmap
└── structure.md   # Architecture notes
```

Recent Enhancements (May 2026):
- Enhanced magic link functionality with atomic token claiming and redirect URI allowlisting (WIP)
- API rate limiting for magic link routes
- JWT middleware improvements for cleaner user data handling
- Username-based authentication (registration & login)
- OAuth middleware integration for multi-provider support
- Email service configuration updates for consistency
- JavaScript SDK
This project is 4 months away from launch.