🎉 BastionAuth is in public beta. Read the announcement →
Guides
Authentication

Authentication

BastionAuth supports multiple authentication methods out of the box.

Email/Password

The most common authentication method. BastionAuth uses industry-leading security:

  • Argon2id password hashing (64MB memory, 3 iterations)
  • HaveIBeenPwned breach detection
  • Configurable password requirements

Sign Up

import { useSignUp } from '@bastionauth/react';
 
function SignUpForm() {
  const { signUp, isLoading, error } = useSignUp();
 
  const handleSubmit = async (e) => {
    e.preventDefault();
    const formData = new FormData(e.target);
    
    await signUp({
      email: formData.get('email'),
      password: formData.get('password'),
      firstName: formData.get('firstName'),
      lastName: formData.get('lastName'),
    });
  };
 
  return (
    <form onSubmit={handleSubmit}>
      <input name="email" type="email" required />
      <input name="password" type="password" required />
      <input name="firstName" />
      <input name="lastName" />
      <button type="submit" disabled={isLoading}>
        {isLoading ? 'Creating...' : 'Sign Up'}
      </button>
      {error && <p>{error.message}</p>}
    </form>
  );
}

Sign In

import { useSignIn } from '@bastionauth/react';
 
function SignInForm() {
  const { signIn, isLoading, error } = useSignIn();
 
  const handleSubmit = async (e) => {
    e.preventDefault();
    const formData = new FormData(e.target);
    
    const result = await signIn({
      email: formData.get('email'),
      password: formData.get('password'),
    });
 
    if (result.requiresMfa) {
      // Handle MFA challenge
    }
  };
 
  return (
    <form onSubmit={handleSubmit}>
      <input name="email" type="email" required />
      <input name="password" type="password" required />
      <button type="submit" disabled={isLoading}>
        {isLoading ? 'Signing in...' : 'Sign In'}
      </button>
    </form>
  );
}

OAuth Providers

BastionAuth supports major OAuth providers:

  • Google
  • GitHub
  • Microsoft
  • Apple
  • LinkedIn

See OAuth Setup for configuration details.

Magic Links

Passwordless authentication via email:

import { useMagicLink } from '@bastionauth/react';
 
function MagicLinkForm() {
  const { sendMagicLink, isLoading, success } = useMagicLink();
 
  const handleSubmit = async (e) => {
    e.preventDefault();
    const email = new FormData(e.target).get('email');
    await sendMagicLink({ email });
  };
 
  if (success) {
    return <p>Check your email for the magic link!</p>;
  }
 
  return (
    <form onSubmit={handleSubmit}>
      <input name="email" type="email" required />
      <button type="submit" disabled={isLoading}>
        Send Magic Link
      </button>
    </form>
  );
}

Passkeys (WebAuthn)

Modern passwordless authentication using device biometrics:

import { usePasskey } from '@bastionauth/react';
 
function PasskeyButton() {
  const { register, authenticate, isSupported } = usePasskey();
 
  if (!isSupported) {
    return null;
  }
 
  return (
    <button onClick={authenticate}>
      Sign in with Passkey
    </button>
  );
}

Session Management

BastionAuth automatically manages sessions with:

  • Access tokens: 15-minute RS256 JWTs
  • Refresh tokens: 7-day opaque tokens with rotation
  • Automatic refresh: SDK handles token renewal
import { useAuth } from '@bastionauth/react';
 
function Dashboard() {
  const { isSignedIn, user, signOut, getToken } = useAuth();
 
  // Get current access token
  const token = await getToken();
 
  // Sign out (invalidates session)
  await signOut();
}
Getting StartedMulti-Factor Auth