Drop in OAuth 2.1 for Workers without managing tokens or secrets yourself

1,822 stars


Drop In OAuth 2.1 for Cloudflare Workers – Without the Headache

You’re building something on Cloudflare Workers and suddenly you need OAuth. Maybe it’s for a public API, a web app, or a service that needs to let users log in with GitHub or Google. Your first thought is probably dread: managing tokens, secrets, refresh flows, CSRF states… it’s a lot.

There’s a new open source project that just makes it a lot easier. It’s called workers-oauth-provider, and it lets you drop in OAuth 2.1 support for your Worker without having to manage tokens or secrets yourself. Let’s look at what it does and why it matters.

What It Does

workers-oauth-provider is a library from Cloudflare that implements the OAuth 2.1 authorization code flow on top of Workers. You define your client IDs, redirect URIs, and scopes in a config file, and it handles the rest: generating authorization codes, exchanging them for tokens, and managing refresh tokens. It works with Cloudflare’s own token store (using Durable Objects or KV, depending on the version), so you don’t need to spin up a database just for auth.

The repository is at github.com/cloudflare/workers-oauth-provider, and it’s designed to be a drop-in middleware for your existing Worker. You just wrap your handler with the OAuth provider, and any protected route automatically checks for a valid token.

Why It’s Cool

The biggest win here is that you don’t have to implement the OAuth dance yourself. That’s usually the part that goes wrong – timing attacks on nonces, invalid state validation, or leaking client secrets. This library abstracts all that away, and because it’s built on Workers, it scales to zero without any extra infrastructure.

Another neat feature is that it supports multiple authorization servers in one Worker. You can have one endpoint for your app’s own login and another for third-party providers like GitHub or Google. The library also includes a built-in consent screen, so you don’t have to build one from scratch.

It’s also worth noting that this uses OAuth 2.1, which is the latest spec that deprecates the implicit flow and adds better recommendations for PKCE. That means you’re getting modern, secure defaults out of the box.
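The OAuth 2.1 rules mentioned above (authorization code flow only, PKCE required) translate into a handful of checks at the authorization endpoint. The sketch below is an added example, not code from workers-oauth-provider; `CLIENTS`, `validateAuthorizationRequest` and the sample client are hypothetical, and refusing the `plain` PKCE method is a stricter policy chosen for this example.

```javascript
// Added example: hypothetical names, not the workers-oauth-provider API.
// Constructed sample registration; a real server would load this from storage.
const CLIENTS = new Map([
  ["demo-client", {
    redirectUris: ["https://app.example.com/callback"],
    scopes: ["read", "write"],
  }],
]);

// An S256 code_challenge is base64url(SHA-256(verifier)): exactly 43 characters.
const S256_CHALLENGE = /^[A-Za-z0-9_-]{43}$/;

function validateAuthorizationRequest(requestUrl, clients = CLIENTS) {
  const params = new URL(requestUrl).searchParams;
  // redirectable=false means: show the error locally and never redirect,
  // otherwise the endpoint can be abused as an open redirector.
  const fail = (error, redirectable) => ({ ok: false, error, redirectable });

  const clientId = params.get("client_id");
  const client = clients.get(clientId);
  if (!client) return fail("unknown_client", false); // local label, not sent to a client

  // Exact string comparison: no prefix, wildcard or substring matching.
  const redirectUri = params.get("redirect_uri");
  if (!client.redirectUris.includes(redirectUri)) {
    return fail("redirect_uri_mismatch", false); // local label as well
  }

  // OAuth 2.1 drops the implicit grant, so response_type=token is refused.
  if (params.get("response_type") !== "code") {
    return fail("unsupported_response_type", true);
  }

  // PKCE is mandatory; this example also refuses the "plain" method.
  const codeChallenge = params.get("code_challenge") ?? "";
  if (params.get("code_challenge_method") !== "S256" ||
      !S256_CHALLENGE.test(codeChallenge)) {
    return fail("invalid_request", true);
  }

  // Requested scopes must be a subset of what the client registered.
  const scopes = (params.get("scope") ?? "").split(" ").filter(Boolean);
  if (!scopes.every((s) => client.scopes.includes(s))) {
    return fail("invalid_scope", true);
  }

  return { ok: true, clientId, redirectUri, scopes, codeChallenge };
}
```

The stored `codeChallenge` is what the token endpoint later compares against the hash of the client's `code_verifier` before issuing tokens.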

How to Try It

Getting started is straightforward. You can clone the repo and run the example Worker locally:

git clone https://github.com/cloudflare/workers-oauth-provider.git
cd workers-oauth-provider
npm install
cp wrangler.example.toml wrangler.toml
# edit wrangler.toml to set your OAuth config
npm run dev

The example includes a simple frontend and a protected API endpoint. You can also deploy it to your own Cloudflare account with npm run deploy. The README has a full walkthrough, and the code is heavily commented.

If you want to ski

Last updated: Jun 21, 2026