Guardian vs Pow: which is better for Elixir authentication?

Guardian is token-focused and highly flexible, ideal for APIs, custom protocols, and fine-grained control, while Pow is more opinionated with built-in user management and better for traditional web apps with less configuration.

How to implement refresh tokens in Guardian?

Use encode_and_sign with token_type: 'refresh' to create a refresh token, then use the exchange function to swap it for an access token, as detailed in the basics section of the README.

Does Guardian support OAuth integration?

Guardian itself doesn't provide OAuth out of the box, but it can be integrated with OAuth providers through custom implementations or by using libraries like Ueberauth alongside it for broader authentication schemes.

How to handle token expiration and sliding sessions?

Configure ttl in settings for default expiration and use plugs like SlidingCookie to automatically refresh tokens when a minimum TTL remains, based on the examples provided in the documentation.

Can Guardian be used without Phoenix?

Yes, Guardian is decoupled from Phoenix and works with any Plug-based application or even non-web protocols like TCP/UDP, as emphasized in its functional design and integration options.

What's the best way to manage secret keys in production?

Use advanced secret fetchers for key rotation, such as implementing a custom GenServer for dynamic key management, as shown in the key rotation example, rather than hardcoding keys.

guardian — Elixir Token Authentication Library

What is guardian?

Guardian is an authentication library for Elixir applications built around token-based authentication, primarily using JSON Web Tokens (JWT) by default. It provides a flexible, functional system for securing web endpoints, channels, sockets, and other protocols, integrating seamlessly with Plug and Phoenix while remaining decoupled for broader use cases.

Target Audience

Elixir developers building web applications or APIs that require secure authentication, particularly those using the Phoenix framework or Plug-based systems. It is also suitable for developers implementing custom authentication schemes for non-web protocols like TCP/UDP.

Value Proposition

Developers choose Guardian for its extensible, token-based architecture that supports multiple token types and configurations within a single application, along with advanced features like permission encoding and key rotation. Its pluggable design allows customization without imposing rigid structures, making it adaptable to complex authentication flows.

Elixir Authentication

Use Cases

Best For

Securing Phoenix web endpoints and channels with token-based authentication.
Implementing authentication for custom TCP/UDP protocols in Elixir applications.
Building applications that require multiple token types (e.g., access and refresh tokens) within a single system.
Integrating permission-based authorization scopes directly into authentication tokens.
Managing advanced secret configurations, including key rotation and dynamic secret fetching.
Creating custom authentication pipelines with Plug for complex or non-standard authentication flows.

Not Ideal For

Applications requiring traditional session-based authentication without token management
Teams seeking a fully pre-configured, opinionated authentication solution with minimal setup
Projects that need built-in, database-backed token revocation without extra dependencies like GuardianDb
Systems not built on Elixir or not using Plug/Phoenix for web interfaces

Pros & Cons

Pros

Flexible Token Architecture

Supports any token type implementing the Guardian.Token behaviour, with JWT as default, allowing custom claims and tamper-proof payloads for diverse use cases.

Multi-Token Configuration

Enables multiple token types and settings within a single application, such as defining different TTLs for access and refresh tokens via token_ttl configuration.

Advanced Secret Management

Offers options from simple strings to JWK structures and runtime secret fetching, facilitating secure key rotation and dynamic secret handling as shown in the key server example.

Pluggable Design

Integrates seamlessly with Plug for web authentication and supports custom pipelines, making it adaptable to complex flows beyond standard endpoints, including channels and sockets.

Cons

No Built-in Token Tracking

By default, JWT tokens are not tracked; effective revocation requires additional libraries like GuardianDb, adding complexity and dependencies.

Verbose Initial Setup

Requires implementing callbacks like subject_for_token and resource_from_claims, plus configuring pipelines and error handlers, which can be time-consuming compared to drop-in solutions.

Deprecated Features

Some components, such as the VerifyCookie plug, are marked deprecated, indicating potential breaking changes and maintenance challenges in future updates.

What is guardian?

Target Audience

Value Proposition

Use Cases

Best For

Securing Phoenix web endpoints and channels with token-based authentication.
Implementing authentication for custom TCP/UDP protocols in Elixir applications.
Building applications that require multiple token types (e.g., access and refresh tokens) within a single system.
Integrating permission-based authorization scopes directly into authentication tokens.
Managing advanced secret configurations, including key rotation and dynamic secret fetching.
Creating custom authentication pipelines with Plug for complex or non-standard authentication flows.

Not Ideal For

Applications requiring traditional session-based authentication without token management
Teams seeking a fully pre-configured, opinionated authentication solution with minimal setup
Projects that need built-in, database-backed token revocation without extra dependencies like GuardianDb
Systems not built on Elixir or not using Plug/Phoenix for web interfaces

Pros & Cons

Pros

Flexible Token Architecture

Supports any token type implementing the Guardian.Token behaviour, with JWT as default, allowing custom claims and tamper-proof payloads for diverse use cases.

Multi-Token Configuration

Enables multiple token types and settings within a single application, such as defining different TTLs for access and refresh tokens via token_ttl configuration.

Advanced Secret Management

Offers options from simple strings to JWK structures and runtime secret fetching, facilitating secure key rotation and dynamic secret handling as shown in the key server example.

Pluggable Design

Integrates seamlessly with Plug for web authentication and supports custom pipelines, making it adaptable to complex flows beyond standard endpoints, including channels and sockets.

Cons

No Built-in Token Tracking

By default, JWT tokens are not tracked; effective revocation requires additional libraries like GuardianDb, adding complexity and dependencies.

Verbose Initial Setup

Requires implementing callbacks like subject_for_token and resource_from_claims, plus configuring pipelines and error handlers, which can be time-consuming compared to drop-in solutions.

Deprecated Features

Some components, such as the VerifyCookie plug, are marked deprecated, indicating potential breaking changes and maintenance challenges in future updates.

guardian

What is guardian?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

guardian

What is guardian?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?