Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers https://ift.tt/s46VMG2

Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers This is an educational reference implementation showing how to build reasonably secure, standards-compliant authentication from first principles on Cloudflare Workers. Stack: Hono, Turso (libSQL), PBKDF2-SHA384 + normalization + common-password checks, JWT access + refresh tokens with revocation support, HTTP-only SameSite cookies, device tracking. It's deliberately minimal — no OAuth, no passkeys, no magic links, no rate limiting — because the goal is clarity and auditability. I wrote it mainly to deeply understand edge-runtime auth constraints and to have a clean Apache-2.0 example that follows NIST SP 800-63B / SP 800-132 and OWASP guidance. For production I'd almost always reach for Better Auth instead ( https://ift.tt/Mw5PoNT ) — this repo is not trying to compete with it. Live demo: https://private-landing.vhsdev.workers.dev/ Repo: https://ift.tt/jMYJRkF Happy to answer questions about the crypto choices, the refresh token revocation pattern, Turso schema, constant-time comparison, unicode pitfalls, etc. https://ift.tt/jMYJRkF February 9, 2026 at 03:30AM