Drop in OAuth 2.1 for Workers without managing tokens or secrets yourself
Post author: @githubprojects

Drop In OAuth 2.1 for Cloudflare Workers – Without the Headache

You’re building something on Cloudflare Workers and suddenly you need OAuth. Maybe it’s for a public API, a web app, or a service that needs to let users log in with GitHub or Google. Your first thought is probably dread: managing tokens, secrets, refresh flows, CSRF states… it’s a lot.

There’s a new open source project that just makes it a lot easier. It’s called workers-oauth-provider, and it lets you drop in OAuth 2.1 support for your Worker without having to manage tokens or secrets yourself. Let’s look at what it does and why it matters.

What It Does

workers-oauth-provider is a library from Cloudflare that implements the OAuth 2.1 authorization code flow on top of Workers. You define your client IDs, redirect URIs, and scopes in a config file, and it handles the rest: generating authorization codes, exchanging them for tokens, and managing refresh tokens. It works with Cloudflare’s own token store (using Durable Objects or KV, depending on the version), so you don’t need to spin up a database just for auth.

The repository is at github.com/cloudflare/workers-oauth-provider, and it’s designed to be a drop-in middleware for your existing Worker. You just wrap your handler with the OAuth provider, and any protected route automatically checks for a valid token.

Why It’s Cool

The biggest win here is that you don’t have to implement the OAuth dance yourself. That’s usually the part that goes wrong – timing attacks on nonces, missing or incorrect validation of the state parameter, or leaked client secrets. This library abstracts all that away, and because it’s built on Workers, it scales to zero without any extra infrastructure.

Another neat feature is that it supports multiple authorization servers in one Worker. You can have one endpoint for your app’s own login and another for third-party providers like GitHub or Google. The library also includes a built-in consent screen, so you don’t have to build one from scratch.

It’s also worth noting that this uses OAuth 2.1, which is the latest spec that deprecates the implicit flow and adds better recommendations for PKCE. That means you’re getting modern, secure defaults out of the box.
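
The OAuth 2.1 defaults mentioned above show up in the checks an authorization endpoint runs before it issues a code. This is an added example, not code from workers-oauth-provider or the original post; the `CLIENTS` registry, `validateAuthorizationRequest`, the client ID and the URLs are hypothetical, and rejecting the `plain` PKCE method is a policy assumption.

```javascript
// Constructed client registry (hypothetical shape, not the library's config format).
const CLIENTS = new Map([
  ["demo-client", {
    redirectUris: ["https://app.example.com/callback"],
    scopes: ["read", "write"],
  }],
]);

// Checks an authorization request URL against OAuth 2.1 rules.
// redirect=false: show the error to the user, never bounce it to redirect_uri,
// because the client or its redirect target could not be trusted.
function validateAuthorizationRequest(requestUrl, clients = CLIENTS) {
  const p = new URL(requestUrl).searchParams;
  const clientId = p.get("client_id");
  const client = clients.get(clientId);
  // "unknown_client" / "redirect_uri_mismatch" are local labels, not wire errors.
  if (!client) return { ok: false, error: "unknown_client", redirect: false };

  // Exact string match only: no prefix, wildcard or normalised comparison.
  const redirectUri = p.get("redirect_uri");
  if (!client.redirectUris.includes(redirectUri)) {
    return { ok: false, error: "redirect_uri_mismatch", redirect: false };
  }
  const fail = (error) => ({ ok: false, error, redirect: true });

  // OAuth 2.1 drops the implicit grant, so only response_type=code is accepted.
  if (p.get("response_type") !== "code") return fail("unsupported_response_type");

  // PKCE S256 challenge: base64url(SHA-256(verifier)) is 43 chars, unpadded.
  const challenge = p.get("code_challenge") || "";
  if (!/^[A-Za-z0-9_-]{43}$/.test(challenge)) return fail("invalid_request");
  // Policy assumption: refuse the "plain" method and require S256.
  if (p.get("code_challenge_method") !== "S256") return fail("invalid_request");

  const scopes = (p.get("scope") || "").split(" ").filter(Boolean);
  if (!scopes.every((s) => client.scopes.includes(s))) return fail("invalid_scope");

  return { ok: true, clientId, redirectUri, scopes, challenge };
}
```

Requests that fail the client or redirect URI check come back with `redirect: false`, so the caller renders an error page instead of sending the browser to an unverified URI.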

How to Try It

Getting started is straightforward. You can clone the repo and run the example Worker locally:

git clone https://github.com/cloudflare/workers-oauth-provider.git
cd workers-oauth-provider
npm install
cp wrangler.example.toml wrangler.toml
# edit wrangler.toml to set your OAuth config
npm run dev

The example includes a simple frontend and a protected API endpoint. You can also deploy it to your own Cloudflare account with npm run deploy. The README has a full walkthrough, and the code is heavily commented.

If you want to skip the setup, there’s a live demo linked in the repo that shows the flow in action. It’s a small React app that authenticates via the provider and then hits a protected route.

Final Thoughts

If you’re already on Workers and you’ve been avoiding OAuth because it’s tedious, this is a solid option. It’s not a full identity provider – you still need to handle user registration and login yourself – but it handles the token management piece that’s usually the most error-prone. For internal APIs or side projects, this is more than enough. For production, it gives you a clean foundation to build on.

Honestly, I wish I had this two years ago when I was stitching together OAuth for a Worker-based API. It would have saved me a weekend of debugging redirect loops. Give it a try and see if it fits your workflow.


Last updated: June 22, 2026 at 03:37 AM