
Lucia
Authentication, simple and clean
The Lens
Lucia is an authentication library. It handles sessions, cookies, and the messy parts of auth, but you own the database, you own the code, and you control every decision. No redirect to someone else's login page.
It works with any database (Postgres, SQLite, MySQL, MongoDB) and any framework (Next.js, SvelteKit, Astro, Express). The API is deliberately minimal: create a session, validate a session, invalidate a session. OAuth, email/password, and magic links are all supported through clean patterns rather than black-box modules.
Completely free under the BSD Zero Clause License, one of the most permissive licenses that exists. No paid tier, no cloud service, no upsells.
The catch: Lucia deprecated itself in early 2025. The maintainer explicitly recommended using it as a learning resource and pattern guide rather than a production dependency going forward. The code works, but don't expect new features or security patches. If you're starting fresh, look at Better Auth (similar philosophy, actively maintained) or Logto for a self-hostable auth server with a UI. If you want a managed service and don't mind the vendor dependency, Clerk or Auth0 handle everything but you lose control.
Free vs Self-Hosted vs Paid
fully free

### Pricing Breakdown
**Free tier:** Everything. Lucia is a library, not a service. BSD-0 licensed, literally no restrictions whatsoever.
**Self-hosted:** You host your own database and application. Lucia is just code running in your app. The ops burden is whatever your app already requires. Lucia adds nothing on top.
**Comparison to alternatives:**
- Logto: Free self-hosted, cloud starts at $0 (free tier: 50k MAU). Full auth server with admin UI
- Clerk: Free up to 10,000 MAU, then $25/mo + $0.02/MAU. Managed, polished, but vendor lock-in
- Auth0: Free up to 25,000 MAU, paid starts at $35/mo. Enterprise-grade but complex
- Keycloak: Free self-hosted. Enterprise-grade but heavy Java deployment
- SuperTokens: Free self-hosted, managed starts at $0 (5,000 MAU free)
- Better Auth: Free (MIT). Spiritual successor to Lucia, same philosophy, actively maintained
**The real cost with Lucia:** $0 forever. But since it's deprecated, the hidden cost is maintaining auth code yourself without upstream security patches. That's a real risk. For new projects, the $0/mo self-hosted options (Logto, SuperTokens, Better Auth) give you the same control with active maintenance.
Free forever, but deprecated. Use the patterns, build new projects on Better Auth or Logto instead.
About
- Stars: 10,454
- Forks: 529





