Schema Validation Strategy for Aura Auth v1

[halvaradop]

Hi Aura Stack community,

Today, we want to discuss the future of schema validation support in Aura Auth and gather feedback from the community before the first major release. Aura Auth currently provides schema validation through the identity.schema option in the createAuth function. This validation runs across internal authentication flows to ensure that identity data and JWT claims match the expected structure defined by the application. This adds an additional security layer by limiting the data managed by the application to only the fields explicitly allowed by the schema. It also helps mitigate scenarios where attackers attempt to inject unexpected or malicious claims into sessions or tokens.

Currently, Aura Auth supports the following schema validation libraries:

• Zod
• Valibot
• ArkType
• TypeBox

These validators are used internally in endpoints and flows such as:

• GET /session
• PATCH /session
• GET /callback/:oauth

At the moment, all supported schema validation libraries are installed directly by Aura Auth. The goal behind this decision was to provide a zero-configuration experience, allowing users to choose any supported validator without needing additional setup.

However, this approach also introduces several concerns:

• increased package size
• larger bundle output
• unnecessary dependencies for most applications
• duplicated functionality across multiple schema libraries

In practice, it is uncommon for a single application to use multiple schema validation libraries simultaneously. For example, using both Zod and ArkType in the same project is relatively rare.

Because of this, including all validators by default conflicts with one of the core goals of Aura Stack: keeping packages lightweight, focused, and framework-agnostic.

For reference, the current dependencies can be seen here:

auth/packages/core/package.json

Lines 90 to 93 in 6781c7c

	"arktype": "^2.2.0",
	"typebox": "^1.1.38",
	"valibot": "^1.3.1",
	"zod": "catalog:zod-v4"

The idea currently being discussed internally is to reduce the default bundle size by selecting a single schema validation library as the default option and removing the others from the core package.

At the moment, our leading candidate is TypeBox or Valibot, mainly because of its:

• small bundle size
• good performance characteristics
• strong TypeScript integration

However, before making a final decision, we want to hear feedback from the community.

The main question is:

What should Aura Auth provide by default?

Possible directions:

1. Include a single default validator (e.g. TypeBox)
2. Keep Zod as the default for ecosystem familiarity
3. Remove all built-in validators and require users to install the validator they want
4. Disable schema validation by default unless explicitly configured

Please share your thoughts and explain the reasoning behind your preference.

Consider factors such as:

• performance
• bundle size
• ecosystem adoption
• developer experience
• compatibility
• long-term maintainability

We would really appreciate feedback before finalizing the direction for v1.