Authentication is one of the most common things people ask Fabricate to build. Just describe the auth flow you want, and Fabricate generates the complete implementation — frontend forms, API routes, session management, and database schema.

Adding Authentication

Just ask:
"Add user authentication with email and password sign up and login"
Or be more specific:
"Add authentication with:
- Email/password sign up with email verification
- Login with remember me option
- Password reset via email
- Protected routes that redirect to login if not authenticated"

What Gets Generated

When you add authentication, Fabricate creates:
Database tables:
  • users — stores user accounts
  • sessions — manages login sessions
  • password_reset_tokens — for password recovery (if requested)
API routes:
  • POST /api/auth/signup — create account
  • POST /api/auth/login — authenticate and create session
  • POST /api/auth/logout — destroy session
  • GET /api/auth/session — check current auth state
  • POST /api/auth/reset-password — initiate password reset (if requested)
Frontend:
  • Login page with form validation
  • Sign up page with error handling
  • Auth context/provider for state management
  • Protected route wrapper component
  • User menu with logout button

Self-Contained JWT Auth

Fabricate writes a complete, self-contained authentication system directly into your app — there’s no third-party auth provider to sign up for or configure. Everything runs in your own code and database:
  • Hashed passwords stored in your users table — never plain text
  • JWTs (JSON Web Tokens) issued on login to authenticate requests
  • A sessions table in your D1 database to track and revoke active sessions
Because the auth code lives in your codebase, you own it completely. You can read it, modify it, and export it — with no external dependency or vendor lock-in.

Auth Patterns

Email + Password (Default)

The most common pattern. It is secure: passwords are hashed with bcrypt, and a JWT is issued on successful login.

Social Login

"Add Google login alongside the existing email/password auth"
"Replace the password flow with magic link authentication — users enter their email 
and get a login link sent to them"

Security Best Practices

Fabricate’s generated auth code follows security best practices:
  • Passwords hashed with bcrypt (not stored in plain text)
  • JWTs are signed with a secret and verified on every protected request
  • A sessions table in D1 tracks active sessions, so logins can be revoked
  • Tokens delivered via HttpOnly, Secure cookies to prevent XSS theft
  • Input validation on all auth endpoints
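
The checks a protected request has to pass under this model (a signed JWT in a cookie, plus a sessions table for revocation), as an added example that is not Fabricate's generated code. The cookie name `session`, the `sid` and `exp` claims, HS256 signing, and the Map standing in for the D1 sessions table are assumptions.

```javascript
// Added example: cookie name, claim names and the Map used in place of D1 are assumptions.
const enc = new TextEncoder();
const b64url = (data) => Buffer.from(data).toString('base64url');
const unb64url = (s) => Buffer.from(s, 'base64url');

async function hmacKey(secret) {
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
  return { subtle, key };
}

// Builds the constructed sample tokens; a real app signs at login.
async function signToken(claims, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const { subtle, key } = await hmacKey(secret);
  const body = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${b64url(await subtle.sign('HMAC', key, enc.encode(body)))}`;
}

// Runs on every protected request. `sessions` stands in for the D1 sessions table.
async function authenticate(cookieHeader, secret, sessions, nowSec) {
  const token = (cookieHeader || '').split(';').map((c) => c.trim())
    .find((c) => c.startsWith('session='))?.slice('session='.length);
  if (!token) return { ok: false, reason: 'no-cookie' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(unb64url(parts[0]).toString());
    claims = JSON.parse(unb64url(parts[1]).toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm server-side; a token must not choose "none" or another alg.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const { subtle, key } = await hmacKey(secret);
  const signed = enc.encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify('HMAC', key, unb64url(parts[2]), signed))) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (typeof claims?.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  // A valid signature is not enough: the session row must exist and not be revoked.
  const row = sessions.get(claims.sid);
  if (!row || row.revoked) return { ok: false, reason: 'revoked' };
  return { ok: true, userId: row.userId };
}
```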

Frequently Asked Questions

Yes. Ask Fabricate to add roles: “Add admin and user roles. Admins can access the /admin dashboard, regular users cannot.”
Yes: “Add email verification — users must verify their email before they can log in.”
Ask Fabricate to add the specific OAuth provider you want. It will generate the OAuth flow, callback routes, and database updates needed.
Login issues a signed JWT, which is delivered to the browser in an HttpOnly cookie. A sessions table in your Cloudflare D1 database tracks active sessions so they can be revoked. Both the auth code and the database live in your own app.
No. Fabricate generates a self-contained JWT authentication system written directly into your app — hashed passwords, signed JWTs, and a sessions table. There’s no external auth service to sign up for, and no vendor lock-in.