npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@authn-sh/cdk

v0.4.0

Published

AWS CDK constructs for deploying authn.sh on AWS. Self-hosted authentication-as-a-service.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

vagnercsouzavagnercsouza

Keywords

authnauthenticationidentityssojwtawscdkconstructsecsfargate

Readme

@authn-sh/cdk

AWS CDK constructs for deploying authn.sh on AWS. Sibling project to the Helm chart.

Pulls ghcr.io/authn-sh/authn:0.3.0 by default and ships with a reference single-account stack — VPC, RDS Postgres (Multi-AZ), ElastiCache for Valkey (Redis-protocol-compatible), ECS Fargate (ARM64) for web / worker / scheduler, internal ALB, ACM, optional CloudFront + WAF. The default tag rolls forward to 0.4.0 once the stable v0.4.0 application image is cut; pass image.tag explicitly to pin a specific (e.g. alpha) build.

Install

npm install @authn-sh/cdk aws-cdk-lib constructs

Quickstart — TypeScript

import { App } from 'aws-cdk-lib';
import { InstanceClass, InstanceSize } from 'aws-cdk-lib/aws-ec2';
import { AuthnSingleAccountStack } from '@authn-sh/cdk';

const app = new App();

new AuthnSingleAccountStack(app, 'Authn', {
  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'us-east-1' },
  config: {
    appUrl: 'https://authn.example.com',
    routingMode: 'subdomain',
    defaultFromEmail: '[email protected]',
    edge: { hostedZoneId: 'Z0123456789ABCDEFGHIJ' },
    database: { instanceClass: InstanceClass.T4G, instanceSize: InstanceSize.SMALL, multiAz: true },
  },
});

cdk deploy and the stack provisions everything.

Quickstart — YAML config

For operators who don't want to write TypeScript, point the reference stack at a YAML file:

# authn.config.yaml
appUrl: https://authn.example.com
routingMode: subdomain
defaultFromEmail: [email protected]

edge:
  hostedZoneId: Z0123456789ABCDEFGHIJ
  customDomainDriver: manual

database:
  instanceClass: t4g
  instanceSize: small
  multiAz: true

cache:
  enabled: true
  multiAz: true
import { App } from 'aws-cdk-lib';
import { AuthnSingleAccountStack, loadConfig } from '@authn-sh/cdk';

const app = new App();
new AuthnSingleAccountStack(app, 'Authn', {
  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'us-east-1' },
  config: loadConfig('./authn.config.yaml'),
});

See examples/single-account-minimal/ for a runnable starter.

Routing modes

  • subdomain (default) — wildcard DNS + TLS required. Each tenant environment lives at <routing_label>.<APP_HOST>. Wildcard ACM cert auto-provisioned in us-east-1 with DNS-01 validation against the configured hosted zone.
  • path — single host. Tenant envs live at <APP_HOST>/<routing_label>. Simpler — no wildcard cert.

Bring-your-own database / cache

Either provision managed RDS + ElastiCache (default) or point at existing endpoints:

database:
  enabled: false
externalDatabase:
  host: postgres.internal
  port: 5432
  database: authn
  username: authn

cache:
  enabled: false
externalRedis:
  host: redis.internal
  port: 6379

Passwords go through the same secrets map as inline credentials — see below.

Secrets

Secrets live in AWS Secrets Manager. Either inject inline values (creates a new secret in your account) or pass an existing Secrets Manager ARN:

secrets:
  existingSecretArn: arn:aws:secretsmanager:us-east-1:123456789012:secret:authn-prod-AbCdEf
  # or:
  values:
    APP_KEY: "base64:..."          # `openssl rand -base64 32 | sed 's/^/base64:/'`
    AUTHN_BOOTSTRAP_ADMIN_EMAIL: [email protected]
    AUTHN_BOOTSTRAP_ADMIN_PASSWORD: change-me-please
    AUTHN_BOOTSTRAP_WORKSPACE_NAME: My workspace
    DB_PASSWORD: ...
    REDIS_PASSWORD: ...
    MAIL_PASSWORD: ...

ECS task definitions reference the secret via the secrets: block — values never appear in env vars or stack outputs.

SMS

v0.4 introduces an SMS engine for phone-number verification and the phone_code second factor. The construct exposes a typed sms block:

sms:
  driver: twilio   # or "vonage" / "null" (default)
  fromNumber: "+15551234567"
  twilio:
    accountSid: ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    authTokenSecretArn: arn:aws:secretsmanager:us-east-1:123456789012:secret:authn-twilio-AbCdEf
    messagingServiceSid: MGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The *SecretArn fields point at AWS Secrets Manager secrets — the construct wires them onto the web + worker task definitions as ECS secrets. The scheduler doesn't dispatch SMS, so it's left out. Per-environment overrides still go through the BAPI Environment.sms.* config at runtime.

Custom domains

The authn app supports customer-provided domains (e.g., auth.customer.com) via a pluggable driver. The CDK construct provisions the AWS-side resources each driver needs:

| customDomainDriver | Provisions | |---|---| | cloudfront-saas | CloudFront multi-tenant distribution + IAM permissions on the task role for cloudfront:*DistributionTenant* and acm:* | | cloudflare-saas | No AWS-side provisioning; expects CLOUDFLARE_API_TOKEN + CLOUDFLARE_ZONE_ID to be set on the app | | manual (default) | Nothing — operator manages the edge themselves | | null | Tests only |

Custom domains: one CNAME for customers

When you choose cloudfront-saas, the construct provisions the multi-tenant distribution and exports its domain. Point a stable CNAME (e.g., cname.authn.example.com) at it and tell your customers to CNAME their own domains there.

After install

The bootstrap one-shot task runs on first deploy. Tail it via the CloudWatch log group /aws/ecs/<stack>/bootstrap. The first operator's pk_live_… and sk_live_… keys are printed once. Save them.

Upgrade

Bump image.tag and cdk deploy. Migrations run as part of the bootstrap task on each deploy (idempotent).

License

AGPL-3.0-only.