Lucia Auth

Minimal, framework-agnostic TypeScript authentication library focused on session management. Provides session creation, validation, and invalidation — nothing more. No built-in OAuth (use Arctic companion library). No magic links (implement yourself). Database adapters for all major databases. Philosophy: give developers the tools to implement auth correctly without opinionated abstractions. Used when you want to own your auth logic.

Evaluated Mar 06, 2026 (0d ago) v3.x

Homepage ↗ Repo ↗ Developer Tools auth sessions typescript minimal database-agnostic cookies open-source

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

Minimal attack surface. Session IDs are cryptographically secure random values. Cookie attributes are application responsibility. MIT open source. Excellent security documentation.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You want minimal, understandable auth code where you control every aspect of the authentication flow, paired with solid session management primitives.

Avoid When

You need plug-and-play OAuth with 50 providers, magic links, and MFA out of the box — use NextAuth.js or Better Auth instead.

Use Cases

• Implement custom username/password authentication with secure session management using Lucia's session primitives
• Add OAuth authentication using Arctic (companion OAuth library) with Lucia for session management
• Build authentication for any Node.js framework (Next.js, SvelteKit, Astro, Hono) using Lucia's framework adapters
• Create database-backed sessions that support session invalidation, multi-device logout, and refresh token patterns
• Learn and implement web authentication from first principles using Lucia's minimal, well-documented primitives

Not For

• Teams wanting batteries-included auth — NextAuth.js or Better Auth provide more out-of-box OAuth and email auth
• Rapid prototyping — Lucia requires implementing more auth logic manually; use Clerk or Auth0 for fastest setup
• Enterprise features (MFA, SAML, org management) without building them yourself — use Auth0 or Keycloak

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: api_key bearer_token

OAuth: No Scopes: No

Provides session primitives — no OAuth built-in. Use Arctic library for OAuth. Session IDs are secure random tokens. Cookie or header-based session validation.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

MIT licensed. Completely free. Solo-maintained by pilcrowOnPaper.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ Lucia v3 dropped session.user — user data must be fetched separately via a join or separate query; no built-in user attachment to session
⚠ OAuth requires the Arctic library separately — Lucia handles sessions; Arctic handles OAuth code exchange and token management
⚠ Session expiration must be handled by the application — Lucia provides expiresAt but doesn't auto-extend sessions
⚠ Database adapter must be correctly configured for your ORM (Drizzle, Prisma, Mongoose) — wrong adapter version causes type errors
⚠ Cookie security attributes (SameSite, Secure, HttpOnly) must be set by the application — Lucia provides the cookie value but not the full cookie options
⚠ Solo-maintained project — bus factor risk; consider this for critical infrastructure decisions

Alternatives

nextauth-api better-auth-api clerk-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Lucia Auth.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.