session (optional): Session cookie (default). true ⇒ default cookie name; or pass a custom cookie name.
bearer (optional): Bearer token (the bearer plugin).
api (optional): API key (the apiKey plugin). true ⇒ default "x-api-key" header; or pass a custom header.
two (optional): twoFactor plugin — MFA on top of the session (no new wire scheme; gates via the mfa:verified scope).
passkey (optional): passkey (WebAuthn) plugin — a credential method that authenticates INTO a session (no new wire scheme).
organization (optional): organization plugin — multi-tenancy via org:<id>:<scope> scopes (no new wire scheme).
@suluk/better-auth — official Better-Auth-on-Hono support for the Suluk derivation engine.

Better Auth is a Contract input (auth settings). This package:
(1) derives v4 securitySchemes from the enabled auth methods;
(2) ingests Better Auth's own OpenAPI 3.0 output (normalizing it to 2020-12) and lifts it to v4 via @suluk/openapi-compat, then merges it into the app doc — so the auth surface is documented without re-typing;
(3) maps a Better Auth session to a { scopes } principal that feeds @suluk/hono's per-viewer emitV4;
(4) mounts the auth handler on Hono.

CANDIDATE tooling.
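A sketch of how a { scopes } principal can be checked against the mfa:verified gate and the org:<id>:<scope> convention described above. This is an added example, not code from @suluk/better-auth. The names parseOrgScope and authorize, the exact-match semantics, and the assumption that an org id contains no colon are all hypothetical.

```typescript
// Added illustration; not part of @suluk/better-auth. All names are hypothetical.
type Principal = { scopes: string[] };
type Requirement = { orgId: string; scope: string; requireMfa?: boolean };

// Parse "org:<id>:<scope>" strictly. Assumption: the org id has no colon;
// the scope part may contain colons (as "mfa:verified" does).
function parseOrgScope(raw: string): { orgId: string; scope: string } | null {
  if (raw.slice(0, 4) !== "org:") return null;
  const rest = raw.slice(4);
  const sep = rest.indexOf(":");
  // Reject an empty org id ("org::x") and an empty scope ("org:acme:").
  if (sep <= 0 || sep === rest.length - 1) return null;
  return { orgId: rest.slice(0, sep), scope: rest.slice(sep + 1) };
}

// Deny by default: no principal, no MFA when required, or no exact
// org-qualified match all result in false.
function authorize(principal: Principal | null, req: Requirement): boolean {
  if (principal === null) return false;
  if (req.requireMfa && principal.scopes.indexOf("mfa:verified") === -1) {
    return false;
  }
  return principal.scopes.some((raw) => {
    const parsed = parseOrgScope(raw);
    // Compare parsed fields, never string prefixes: "org:acme2:..." must not
    // satisfy a requirement for org "acme".
    return parsed !== null && parsed.orgId === req.orgId && parsed.scope === req.scope;
  });
}

// Constructed sample principals (not real session data).
const alice: Principal = { scopes: ["mfa:verified", "org:acme:billing:write"] };
const bob: Principal = { scopes: ["org:acme2:billing:write", "billing:write"] };
```

Comparing parsed fields rather than string prefixes is what keeps a scope granted in one tenant from satisfying a check in another, and an unqualified scope such as "billing:write" never counts as an org grant.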