Lucia Auth

Lucia is an open-source TypeScript authentication library providing session management primitives rather than a hosted authentication service. Unlike Auth0 or Clerk, Lucia runs within the application codebase and manages sessions using the application's own database — there is no external API to call. For agent integration, Lucia-based authentication means user and session data lives in the application database, accessible to agents through the application's own data layer rather than a third-party auth provider API.

Security in Lucia-based applications is the application team's responsibility — Lucia provides the session security primitives but teams configure session expiry, rotation, and invalidation. The library is designed to make secure session management achievable without deep security expertise, following current best practices for session token generation and validation.

Lucia provides session creation and validation, OAuth provider adapters, and database adapters for Postgres, SQLite, MongoDB, and others. It handles the cryptographic details of session token generation and validation while leaving the data model in the application's control. Agents working with Lucia-protected applications interact with user session state through the application layer, not through Lucia directly.

Reliability depends entirely on the application and database infrastructure, not on a third-party service. This is a fundamental architectural difference from hosted auth services — there is no external dependency that can fail, but the application team owns the full operational surface of the authentication system.

Documentation is thorough and explains the session management model, OAuth integration patterns, and database adapter setup clearly. Teams evaluating Lucia for authentication should understand the trade-off clearly: more control and no vendor lock-in versus the operational responsibility and feature gap compared to full-featured hosted auth services like Auth0 or Clerk.