This document captures the reproducible load benchmark for the core auth lifecycle.
The benchmark exercises:
- user registration
- session creation
- authenticated profile fetch
- refresh-token rotation
- refresh replay rejection
Run the benchmark stack with Docker Compose:
```
npm run prisma:migrate:deploy
docker compose -f docker-compose.yml -f docker-compose.benchmark.yml up --build --abort-on-container-exit --exit-code-from k6 k6
```

The k6 summary JSON is written to:

`tests/load/results/auth-benchmark-summary.json`

Scenarios:
- `session_lifecycle`: `5` VUs for `20s`
- `refresh_replay`: `5` VUs with `25` iterations after a `2s` delay

Environment and thresholds:
- Application stack: Docker Compose (`app`, PostgreSQL 16, Redis 7)
- Runtime: Node.js 20 in the project Docker image
- Load generator: `grafana/k6:0.49.0`
- Benchmark-only override: `RATE_LIMIT_MAX_REQUESTS=1000000` to avoid measuring the local abuse-control ceiling instead of the auth lifecycle
- Metrics threshold gates:
  - `http_req_failed < 1%`
  - `p95(http_req_duration{expected_response:true}) < 750ms`
  - `p99(http_req_duration{expected_response:true}) < 1200ms`

Latest recorded run:
- Executed on March 11, 2026
- Total iterations: `175`
- Total HTTP requests: `650`
- Aggregate request throughput: `25.01 req/s`
- Aggregate iteration throughput: `6.73 iter/s`
- Average request latency: `266.66ms`
- `p95` request latency: `684.36ms`
- `p99` request latency: `900.44ms`
- Check pass rate: `100%` (`1050/1050`)
- Threshold result: pass

Scenario notes:
- `session_lifecycle` completed `50` full register/login/profile loops with `5` VUs across `20s`
- `refresh_replay` completed `125` replay-detection iterations with `5` VUs across `24.0s`

Interpretation:
- The service remained functionally correct throughout the run, including refresh replay rejection under concurrent auth traffic.
- The local container baseline stayed under the benchmark gates, but it is not a production capacity claim.
- This report is intended as reproducible proof of performance discipline for the repository, not as formal certification.