Kit Components
Kit is a collection of production-grade, fullstack components for AdonisJS. Each component gives you the complete implementation of a feature as code you own and can modify. For the API variant this includes database migrations, model configuration, validators, controllers, routes, MJML email templates, and the Japa functional tests that exercise each endpoint.
Kit components are not a library you import. They are real application code that gets added to your project. Once added, you maintain it alongside the rest of your app. There is no abstraction layer between you and the behavior. When you need to change how login works, you edit AccessTokenController (or SessionController) directly.
What's inside a component
Each component handles the edge cases and security patterns that production applications need. Consider login as an example. Beyond email and password verification, the login component includes:
- Dual-key rate limiting: IP-based limiting (10 attempts/min) prevents distributed attacks. Email+IP limiting (5 attempts/min, 20-minute block) prevents targeted brute force. The penalize strategy counts only failed attempts, so legitimate retries are not punished.
- Timing attack protection: Constant-time password comparison prevents attackers from inferring valid emails through response time differences.
- Inactive account handling: Users with unverified emails can log in but receive a 403 response on protected routes via VerifiedAccountMiddleware, rather than being shown a confusing "invalid credentials" error.
- Two-factor integration: When 2FA is enabled, the login endpoint returns a short-lived encrypted challenge token instead of issuing the real credential. The consumer submits the challenge token along with a TOTP or recovery code to a separate verify endpoint, which then issues the real credential.
Every component follows this same approach. The code handles the scenarios that real applications encounter, not just the happy path.
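To make the dual-key limiting and penalize semantics concrete, here is an added stand-alone TypeScript model of the login limiter described above. It is not Kit's code and does not use the @adonisjs/limiter API; the class and function names are assumptions, and the clock is injected so the behaviour can be checked deterministically.

```typescript
// Added example (not Kit's code): a stand-alone model of the dual-key login
// limiter described above, using the "penalize" semantics: only failed
// attempts consume quota, and a successful login never counts against it.
type Bucket = { count: number; windowEnd: number; blockedUntil: number }

class PenalizeLimiter {
  private buckets = new Map<string, Bucket>()
  constructor(private max: number, private windowMs: number, private blockMs: number) {}

  // May this key attempt right now? (no state change)
  allows(key: string, now: number): boolean {
    const b = this.buckets.get(key)
    if (!b) return true
    if (now < b.blockedUntil) return false
    return now >= b.windowEnd || b.count < this.max
  }

  // Penalize strategy: called only on a failed attempt.
  recordFailure(key: string, now: number): void {
    let b = this.buckets.get(key)
    if (!b || now >= b.windowEnd) {
      b = { count: 0, windowEnd: now + this.windowMs, blockedUntil: 0 }
      this.buckets.set(key, b)
    }
    b.count += 1
    // Once the budget is spent, block for at least the rest of the window.
    if (b.count >= this.max) b.blockedUntil = Math.max(b.windowEnd, now + this.blockMs)
  }
}

export type LoginOutcome = 'ok' | 'invalid' | 'throttled'

// IP key: 10 failures per minute. Email+IP key: 5 failures per minute,
// then a 20-minute block. Limits are checked before the password is verified.
export function createLoginGuard() {
  const byIp = new PenalizeLimiter(10, 60_000, 0)
  const byEmailIp = new PenalizeLimiter(5, 60_000, 20 * 60_000)
  return (ip: string, email: string, passwordOk: boolean, now: number): LoginOutcome => {
    const pair = `${email.trim().toLowerCase()}|${ip}`
    if (!byIp.allows(ip, now) || !byEmailIp.allows(pair, now)) return 'throttled'
    if (passwordOk) return 'ok' // success is free under the penalize strategy
    byIp.recordFailure(ip, now)
    byEmailIp.recordFailure(pair, now)
    return 'invalid'
  }
}
```

Note that the throttle check runs before password verification, so a blocked key gets 'throttled' even when the submitted password is correct.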
Your code, your rules
Kit components are added to your project as regular application files. Controllers, validators, mailers, and migrations live in your directories, follow your conventions, and show up in your editor's file tree. There is no Kit runtime, no configuration object, no version coupling. You can rename files, refactor methods, add fields, or delete entire sections. The code is yours from the moment it is added.
Backend only, frontend separate
The API variant assumes your frontend (SPA, mobile app, or other consumer) lives in a separate codebase. The backend emits JSON only and never renders HTML. Email links point at a configured frontend URL (appFrontendUrl), and any state that the Hypermedia variant communicates with redirects or flash messages is replaced with HTTP status codes and JSON response bodies.
Each component still covers the entire backend vertical of a feature. A "forgot password" component is the password reset token migration, the token generation logic, the MJML email template, the rate-limited controller that sends the email, the token verification endpoint, the password update validator, and the routes that wire it all together. The frontend consumer is responsible for the UI layer and reads the JSON contract that the API exposes.
Choose your authentication strategy
The API variant supports two authentication strategies out of the box: opaque access tokens for native, mobile, and third-party consumers, and session cookies for first-party browser apps on the same eTLD as the API. The Login, Signup, and Logout guides show both as tabs side by side. All other components are guard-agnostic and work identically with either strategy. The decision is made once in the Login guide and is reversible later.
Composable features
Components are designed to layer. Each one is self-contained but builds on a shared foundation:
- Setup establishes the base: packages, model mixins, middleware, rate limiters, frontend URL config
- Login, Signup, Email Verification add core auth flows
- Two-Factor Auth layers on top of login with its own controllers and the encrypted challenge token bridge
- Profile Management and Change Password extend the authenticated experience
Add what you need, in the order the guides specify. Each component tells you exactly which previous components it depends on.