// the find
ueberauth/guardian
Elixir Authentication
Guardian is the standard JWT authentication library for Phoenix/Elixir applications. It handles token encoding/decoding, Plug pipelines for web requests, and optional permissions encoding into tokens. If you're building a Phoenix app that needs token-based auth, this is the library you reach for first.
The behaviour-based design — you implement two functions and get a full token system — is clean and idiomatic Elixir. The `key` concept for multiple simultaneous token contexts (e.g. impersonation) is genuinely useful and not something most auth libraries think about. Key rotation is first-class via the `SecretFetcher` behaviour with a GenServer example that actually shows the tradeoffs. The pluggable `token_module` means JWT is the default but you can swap it out without rewriting your auth logic.
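To make the two-callback design concrete, here is a minimal implementation module plus a sign/verify round trip. This is an added example, not code from the Guardian project; `MyApp.Guardian`, `MyApp.Accounts.get_user/1` and the config shown in the leading comment are assumptions.

```elixir
# Added example, not Guardian's own code. Assumes a Phoenix app :my_app with
# MyApp.Accounts.get_user/1 and this config (assumed, not from the page):
#
#   config :my_app, MyApp.Guardian,
#     issuer: "my_app",
#     secret_key: "<generate with mix guardian.gen.secret>",
#     ttl: {30, :minute}

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # Callback 1: map a resource to the "sub" claim. Only the id goes in;
  # attributes that change (roles, email) do not belong in a stateless
  # token, because nothing can correct them until the token expires.
  @impl true
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_resource, _claims), do: {:error, :no_id_provided}

  # Callback 2: load the resource back from already-verified claims. This
  # lookup is the only check a deleted user gets on a still-valid token.
  @impl true
  def resource_from_claims(%{"sub" => id}) do
    case MyApp.Accounts.get_user(id) do
      nil -> {:error, :resource_not_found}
      user -> {:ok, user}
    end
  end

  def resource_from_claims(_claims), do: {:error, :no_sub_claim}
end

defmodule MyApp.Tokens do
  # Issue a short-lived access token (overrides the configured default ttl).
  def issue_access(user) do
    MyApp.Guardian.encode_and_sign(user, %{}, token_type: "access", ttl: {15, :minute})
  end

  # Verify signature, exp and iss, and additionally require typ == "access"
  # so a longer-lived token of another type is not accepted in its place.
  def verify_access(token) do
    with {:ok, claims} <- MyApp.Guardian.decode_and_verify(token, %{"typ" => "access"}),
         {:ok, user} <- MyApp.Guardian.resource_from_claims(claims) do
      {:ok, user, claims}
    end
  end
end
```

Note that `verify_access/1` succeeding says nothing about logout: as the text goes on to explain, a signed token stays valid until `exp` unless you add GuardianDb or another revocation store.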
JWT revocation is not built in — you need GuardianDb for that, which means adopters frequently discover halfway through that stateless tokens don't support logout without a separate package and database table. The permissions system (bitwise-encoded claims in the token) is limited to one level of nesting and explicitly not for dynamic permissions, which rules out most real RBAC scenarios. The Plug pipeline API has accumulated deprecation debt — `VerifyCookie` is deprecated, `refresh_from_cookie` is the replacement, but the docs in multiple places still show the old pattern. There's no built-in PKCE or OAuth2 flow support; Guardian handles token mechanics, not auth handshakes.