Installation

Auth is coupled to @warlock.js/core — you’re already inside a Warlock project before this page makes sense. If you don’t have one, scaffold it via core’s getting-started first.

Install the package

npm

npm install @warlock.js/auth

yarn

yarn add @warlock.js/auth

pnpm

pnpm add @warlock.js/auth

Register migrations + CLI commands

@warlock.js/auth ships two Cascade migrations (one per token table) and two CLI commands. Wire them in warlock.config.ts:

warlock.config.ts

import {
  authMigrations,
  registerAuthCleanupCommand,
  registerJWTSecretGeneratorCommand,
} from "@warlock.js/auth";
import { defineConfig } from "@warlock.js/core";

export default defineConfig({
  cli: {
    commands: [
      registerJWTSecretGeneratorCommand(),
      registerAuthCleanupCommand(),
    ],
  },
  database: {
    migrations: authMigrations,
  },
});

authMigrations is an array — [AccessTokenMigration, RefreshTokenMigration]. If you already have a migrations array, spread them in: migrations: [...mine, ...authMigrations].

Generate the JWT secret

The package signs tokens with secrets from .env. Generate them once per environment:

npm

npx warlock jwt.generate

yarn

yarn warlock jwt.generate

pnpm

pnpm warlock jwt.generate

This writes JWT_SECRET=... and JWT_REFRESH_SECRET=... into .env (or .env.development / .env.production if .env is missing). The command is idempotent — it skips keys that already exist.

Caution

Don’t commit .env. The default Warlock .gitignore already excludes it. In production, the secrets come from your secret manager (Vault, AWS Secrets Manager, k8s secrets) — generate them there directly and skip this command.

Run the migrations

npm

npx warlock migrate

yarn

yarn warlock migrate

pnpm

pnpm warlock migrate

You should now have access_tokens and refresh_tokens tables in your database.

Verify the install

import { authService, authMiddleware, Auth } from "@warlock.js/auth";

console.log(typeof authService.login);       // "function"
console.log(typeof authMiddleware);          // "function"
console.log(Auth.name);                       // "Auth"

All three should resolve. If they don’t, the package isn’t in your node_modules — re-run the install.

Related

• Configuration — set up src/config/auth.ts.
• First protected route — build the smallest end-to-end auth flow.
• Run auth commands — jwt.generate + auth.cleanup details.