Everything auth should be. Nothing you'd outgrow.

One API for user identity and authorization. The bits other providers charge Enterprise for — in the free tier. Drop in the SDK and stop maintaining auth code.

Email + password

Verification flows, password reset, rate-limited sign-in, and strong-password checks by default.

  • Token-based email verification + reset
  • Per-IP and per-account rate limits
  • Passwords hashed with bcrypt (work factor configurable)
  • Pluggable strong-password policy on tenant

Social sign-in

Google and Apple ready out of the box. Drop-in buttons, ID-token verification, email-based account linking.

  • Google + Apple wired by default
  • Per-tenant client IDs (BYO or shared)
  • ID-token verification with JWKS rotation
  • Email-based account linking on first sign-in

MFA + backup codes

TOTP with any authenticator app, backup codes you can print, and step-up gates driven by Condition keys.

  • TOTP via any RFC 6238 authenticator
  • Single-use backup codes, hashed at rest
  • Step-up auth driven by IAM Condition keys
  • MFA enrolment surfaced in the portal + API

OIDC provider

Full discovery, JWKS, authorize, token, userinfo, end-session, plus RFC 8628 device flow for CLIs.

  • OIDC discovery + JWKS endpoints
  • authorize / token / userinfo / end-session
  • RFC 8628 device flow for headless clients
  • Refresh tokens with rotation + reuse detection

AWS-IAM-style policies

The exact JSON shape your devs already know. Canned Admin / Developer / ReadOnly / Billing per service.

  • Effect / Action / Resource / Condition JSON
  • Canned per-service tiers (Admin / Developer / ReadOnly / Billing)
  • Attachable to users, groups, roles, or service accounts
  • authz/check API for downstream service guards

HMAC access keys

AKIA long-term + ASIA session keys. HMAC-SHA256 signing, ±5 min skew window, constant-time compare.

  • AKIA long-term + ASIA short-term session keys
  • HMAC-SHA256 signing of canonical request
  • ±5 min clock-skew tolerance
  • Constant-time compare to defeat timing attacks

Start free — 10,000 MAU, no credit card.

The free tier covers most indie apps and side projects. Upgrade only when you need more MAU, longer audit retention, or a dedicated tenant.

Get startedView pricing