Every way to sign in
Password, passwordless, social, passkey, magic link, recovery phrase. Your users pick the method they trust — you get a unified session.
Email + Password
Argon2id hashing, zxcvbn strength scoring, HaveIBeenPwned breach check, configurable password history.
Passkeys / WebAuthn
FIDO2 hardware keys and biometric authenticators with direct attestation and Conditional UI autofill.
Magic Links
One-click passwordless email sign-in. Configurable TTL, per-email rate limit, optional signup for new users.
Social OAuth (PKCE)
Google, GitHub, Apple with PKCE S256. 2FA enforced on every subsequent federated sign-in.
Recovery Phrase
BIP-39 mnemonic (12 or 24 words) with optional passphrase. Post-quantum safe at 256-bit entropy.
Device Flow (RFC 8628)
Sign in on TVs, CLI tools, and IoT devices with a short human-readable code.
Defense in depth
Layer second factors on top of any primary method. Mandatory for federated sign-in, optional everywhere else, configurable per policy.
TOTP
Google Authenticator, Authy, and any RFC 6238 app.
Email OTP
6-digit code sent to the user's verified email address, 10-minute TTL.
SMS OTP
Via Twilio Verify or direct message mode.
Backup Codes
8 one-use codes in XXXX-XXXX format, SHA-256 hashed.
Post-quantum, privacy-first
Built for the quantum era. Every session, token, and secret is protected with algorithms that resist both classical and quantum attacks.
ML-DSA-44 Sessions
Post-quantum digital signatures on every session. Verified on resume; sessions that fail signature verification are revoked immediately.
AES-256-GCM at Rest
TOTP secrets, OAuth tokens, PQC keys, LDAP passwords — all AES-256-GCM encrypted before storage.
Pairwise Privacy
Each app gets a unique, app-specific user identifier. Apps cannot correlate users across services.
Adaptive Threat Detection
ML-powered risk scoring: new IP, new device, unusual hours, burst detection. Step-up or block automatically.
Conditional Access
IP allowlist/blocklist, geo-blocking, CAPTCHA after N failures, org-level access policies.
Token Rotation
Refresh token rotation with family-based replay detection. DPoP proof-of-possession (RFC 9449).
Standards-compliant federation
Full OAuth 2.0 Authorization Server, OpenID Connect Provider, SAML 2.0 IdP, and SCIM 2.0 provisioning. Not just compatible — conformant.
OAuth 2.0 / OIDC
Authorization code + PKCE, client credentials, device flow, token exchange (RFC 8693), PAR (RFC 9126).
SAML 2.0 IdP
SSO, SLO, signed assertions, attribute mapping, pairwise NameID, compression-bomb protection.
SCIM 2.0
User and group provisioning. Bulk operations, filter queries, PATCH support, org-scoped tokens.
Dynamic Client Registration
RFC 7591 with rate limiting and scope whitelisting. Authenticated, admin, or open policy.
Backchannel Logout
RS256 logout tokens to every RP. Frontchannel iframe logout supported too.
Custom Claims
Per-client claim mappings: static values, user fields, roles. Resolved at token issuance.
Everything from one panel
Full admin dashboard, developer console, webhooks, audit trail, analytics, and bulk operations. Ship faster, debug easier.
Real-time Analytics
DAU/WAU/MAU, login trends, 2FA adoption, auth method breakdown, failed login rates.
Tamper-Proof Audit
Hash-chained audit events with actor binding. Every admin action logged; integrity verifiable.
Webhooks
HMAC-SHA256 signed payloads for user.created, login, logout, password change, OAuth consent.
Organizations
Multi-tenant isolation, member roles (owner/admin/member), invitation-based onboarding.
Impersonation
Admins can impersonate users for support — session-bound, audit-logged, auto-revoked on logout.
SDKs
JavaScript/TypeScript and React SDKs with PKCE, token lifecycle, typed errors, and logout.