{"id":50746987,"url":"https://github.com/zitadel/hono-auth","last_synced_at":"2026-06-10T22:01:41.442Z","repository":{"id":356479116,"uuid":"1223583710","full_name":"zitadel/hono-auth","owner":"zitadel","description":"Official Zitadel auth integration for Hono.","archived":false,"fork":false,"pushed_at":"2026-06-08T02:38:58.000Z","size":1161,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T04:21:24.102Z","etag":null,"topics":["auth","authentication","authn","authorization","authz","hono","iam","identity","login","nodejs","sso","typescript","zitadel"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/@zitadel/hono-auth","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zitadel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.txt","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-28T13:11:17.000Z","updated_at":"2026-06-08T02:36:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/zitadel/hono-auth","commit_stats":null,"previous_names":["zitadel/hono-auth"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/zitadel/hono-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fhono-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fhono-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fhono-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fhono-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zitadel","download_url":"https://codeload.github.com/zitadel/hono-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zitadel%2Fhono-auth/sbom","scorecard":{"id":1247125,"data":{"date":"2026-05-08T08:06:12Z","repo":{"name":"github.com/zitadel/hono-auth","commit":"3d030410a5a58696f1254897cd509c7d74577840"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":5.2,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/commitlint.yml:16","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/commitlint.yml:17","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/linting.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/unused.yml:16","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/unused.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/commitlint.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/depcheck.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/linting.yml:19","Warn: topLevel 'contents' permission set to 'write': .github/workflows/pipeline.yml:20","Info: topLevel 'actions' permission set to 'read': .github/workflows/pipeline.yml:21","Warn: topLevel 'checks' permission set to 'write': .github/workflows/pipeline.yml:22","Warn: no topLevel permission defined: .github/workflows/qodana.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:11","Info: topLevel 'checks' permission set to 'read': .github/workflows/release.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:9","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/typecheck.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/unused.yml:11"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/commitlint.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/commitlint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/linting.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typecheck.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/typecheck.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unused.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/unused.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unused.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/zitadel/hono-auth/unused.yml/main?enable=pin","Info:  15 out of  19 GitHub-owned GitHubAction dependencies pinned","Info:  14 out of  18 third-party GitHubAction dependencies pinned","Info:   4 out of   4 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: Qodana","Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v2v4-37r5-5v8g"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 6 contributing companies or organizations","details":["Info: found contributions from: 1981s, NewFrontDoor, cloudflare, honojs, remarkjs, syntax-tree"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2026-05-08T09:47:34.385Z","repository_id":356479116,"created_at":"2026-05-08T09:47:34.400Z","updated_at":"2026-05-08T09:47:34.400Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34172196,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authentication","authn","authorization","authz","hono","iam","identity","login","nodejs","sso","typescript","zitadel"],"created_at":"2026-06-10T22:01:40.662Z","updated_at":"2026-06-10T22:01:41.434Z","avatar_url":"https://github.com/zitadel.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hono Auth.js\n\nA [Hono](https://hono.dev/) integration for [Auth.js](https://authjs.dev/)\nthat provides seamless authentication with multiple providers, session\nmanagement, and route protection using Hono middleware patterns.\n\nThis integration brings the power and flexibility of Auth.js to Hono\napplications with full TypeScript support and Web API-native handling.\n\n### Why?\n\nModern web applications require robust, secure, and flexible authentication\nsystems. While Auth.js provides excellent authentication capabilities,\nintegrating it with Hono applications requires proper middleware composition\nand environment-aware configuration.\n\nHowever, a direct integration isn't always straightforward. Different types\nof applications or deployment scenarios might warrant different approaches:\n\n- **Multi-Runtime Support:** Hono runs on Node.js, Deno, Bun, Cloudflare\n  Workers, and more. A proper integration should handle environment\n  differences transparently while maintaining consistent Auth.js behavior.\n- **Middleware Composition:** Hono's middleware pattern requires proper\n  context variable management and error handling. This integration provides\n  middleware for configuration, authentication handling, and route protection\n  that compose naturally with Hono's middleware pipeline.\n- **Proxy-Aware URL Handling:** When deployed behind reverse proxies or\n  edge networks, proper URL resolution from X-Forwarded headers is critical\n  for Auth.js callback URLs and redirect handling.\n\nThis integration, `@zitadel/hono-auth`, aims to provide the flexibility to\nhandle such scenarios. It allows you to leverage the full Auth.js ecosystem\nwhile maintaining Hono best practices, ultimately leading to a more\neffective and less burdensome authentication implementation.\n\n## Installation\n\nInstall using NPM by using the following command:\n\n```sh\nnpm install @zitadel/hono-auth @auth/core\n```\n\n## Usage\n\nTo use this integration, configure Auth.js using `initAuthConfig()` and\nmount the `authHandler()` on the Auth.js base path.\n\n```typescript\nimport { Hono } from 'hono';\nimport { authHandler, initAuthConfig, verifyAuth } from '@zitadel/hono-auth';\nimport Zitadel from '@auth/core/providers/zitadel';\n\nconst app = new Hono();\n\napp.use(\n  '*',\n  initAuthConfig((c) =\u003e ({\n    secret: c.env.AUTH_SECRET,\n    providers: [\n      Zitadel({\n        clientId: c.env.ZITADEL_CLIENT_ID,\n        issuer: c.env.ZITADEL_ISSUER,\n      }),\n    ],\n  })),\n);\n\napp.use('/api/auth/*', authHandler());\n\napp.use('/api/*', verifyAuth());\n\napp.get('/api/protected', (c) =\u003e {\n  const auth = c.get('authUser');\n  return c.json(auth);\n});\n\nexport default app;\n```\n\n#### Using the Authentication System\n\nThe integration provides several middleware functions:\n\n**Middleware:**\n\n- `initAuthConfig()`: Initializes Auth.js configuration in the context\n- `authHandler()`: Handles all Auth.js routes (sign-in, sign-out, callbacks)\n- `verifyAuth()`: Requires authentication, returns 401 if not authenticated\n\n**Utility Functions:**\n\n- `getAuthUser()`: Retrieves the authenticated user from context\n- `setEnvDefaults()`: Sets environment defaults on Auth.js config\n\n**Basic Usage:**\n\n```typescript\nimport { getAuthUser } from '@zitadel/hono-auth';\n\n// Public route\napp.get('/api/public', (c) =\u003e {\n  return c.json({ message: 'Public endpoint' });\n});\n\n// Protected route - manual check\napp.get('/api/profile', async (c) =\u003e {\n  const authUser = await getAuthUser(c);\n  if (!authUser) return c.text('Not authenticated', 401);\n  return c.json(authUser.session);\n});\n\n// Protected route - using middleware\napp.use('/api/*', verifyAuth());\napp.get('/api/admin', (c) =\u003e {\n  const auth = c.get('authUser');\n  return c.json({ user: auth.session.user });\n});\n```\n\n## Known Issues\n\n- **Configuration Order:** `initAuthConfig()` must be applied before\n  `authHandler()` and `verifyAuth()` in the middleware chain.\n- **Environment Variables:** `AUTH_SECRET` must be set either via\n  environment variables or in the config handler. The middleware throws\n  a 500 error if it's missing.\n\n## Useful links\n\n- **[Auth.js](https://authjs.dev/):** The authentication library that this\n  integration is built upon.\n- **[Hono](https://hono.dev/):** The lightweight web framework this\n  integration is designed for.\n- **[Auth.js Providers](https://authjs.dev/getting-started/providers):**\n  Complete list of supported authentication providers.\n\n## Contributing\n\nIf you have suggestions for how this integration could be improved, or\nwant to report a bug, open an issue - we'd love all and any\ncontributions.\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzitadel%2Fhono-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzitadel%2Fhono-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzitadel%2Fhono-auth/lists"}