Authentication and Authorization in KickJS — Strategies, Roles, and Type-Safe Decorators

DEV Community·Orinda Felix Ochieng·about 1 month ago
#jwt #kickjs #typescript #auth #roles #role

For most of last year, the cheapest way to ship a security regression in a TypeScript API was a single typo:

    @Roles('owener', 'admin') // shipped. nobody noticed. forever-403.

@Roles accepted any string. Tests still passed because they used the spelled-correctly literal. The route silently rejected every request.

KickJS v5 fixes this: @Roles is now narrowed by your project's own role union via a one-file declare module augmentation, so misspellings become a compile error before they leave the editor.

This post walks the full auth surface in KickJS — AuthAdapter, the AuthStrategy interface, @Authenticated, @Roles, @Public — at a conceptual level, with small generic snippets you can map onto any KickJS app.

The shape of auth in KickJS

KickJS keeps auth deliberately small. There are three concepts to learn, and they compose cleanly.

AuthAdapter — an AppAdapter (the same plug used for observability, swagger, db) constructed via createAuthAdapter().…
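The role-narrowing idea from the opening paragraphs, as an added example that is not code from the original post or from KickJS. `RoleRegistry`, `Role`, `Caller` and `requireRoles` are hypothetical names, a plain guard function stands in for the decorator, and same-file interface merging stands in for the `declare module` augmentation.

```typescript
// Added illustration: none of these names are KickJS exports (all hypothetical).

// Library side: an empty interface the application is expected to extend.
interface RoleRegistry {}

// Application side: in a real project this would sit in a one-file
// `declare module` augmentation; same-file merging has the same effect here.
interface RoleRegistry {
  owner: true;
  admin: true;
  member: true;
}

// The accepted role names are exactly the keys the application registered.
type Role = keyof RoleRegistry;

interface Caller {
  roles: readonly string[];
}

// Returns an HTTP-style status: 200 if the caller holds an allowed role, else 403.
function requireRoles(...allowed: Role[]): (caller: Caller) => number {
  const names: readonly string[] = allowed;
  return (caller) =>
    caller.roles.some((r) => names.indexOf(r) !== -1) ? 200 : 403;
}

const ownerOrAdmin = requireRoles("owner", "admin");

// The page's typo. With a plain `string` parameter this compiles and the
// owner is locked out; with the narrowed type it is a compile error, which
// is suppressed here only so the runtime effect can be shown as well.
// @ts-expect-error "owener" is not a key of RoleRegistry
const typoGuard = requireRoles("owener", "admin");

// Constructed sample caller.
const ownerCaller: Caller = { roles: ["owner"] };

function demo(): number[] {
  return [ownerOrAdmin(ownerCaller), typoGuard(ownerCaller)];
}

console.log(demo()); // [ 200, 403 ]
```

Removing the `@ts-expect-error` line makes the type checker reject the misspelled call, which is the failure mode moving from runtime to compile time.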
