Authentication Methods

Every method is exposed through a single, consistent API. Configure once, enforce everywhere.

SMS Challenge / Response

Our SMS authentication sends a one-time numeric code to a user's mobile phone. The code is single-use, time-limited (default 5 minutes), and cryptographically random.

• 10DLC compliant via Twilio
• Configurable code length and expiry
• Rate-limited per phone number and IP
• SHAKEN/STIR verified delivery path

SAML 2.0

Full SAML 2.0 Identity Provider. Accepts SAML authentication requests and returns signed assertions containing user attributes mapped from your account store.

• SP-initiated and IdP-initiated SSO
• SAML metadata auto-generation per service provider
• RSA and EC signature support
• Encrypted assertions (AES-256-GCM)

OAuth 2.0 / OpenID Connect

Standards-compliant OAuth 2.0 authorization server with OIDC layer. Issue access tokens, ID tokens, and refresh tokens.

• Authorization Code flow with PKCE
• Client credentials for machine-to-machine
• Device authorization grant (RFC 8628)
• JWT access tokens with configurable claims
• OpenID Connect discovery and userinfo endpoints

WebAuthn / FIDO2

Passwordless authentication using platform authenticators (Touch ID, Windows Hello) and roaming authenticators (YubiKey, SoloKey).

• WebAuthn registration and authentication ceremonies
• Resident key / discoverable credential support
• Attestation validation
• User verification and presence enforcement

TOTP / HOTP

RFC 6238 time-based one-time passwords and RFC 4226 HMAC-based OTP. Drop-in for any authenticator app.

• SHA-1, SHA-256, and SHA-512 algorithm support
• Configurable time step (30s default)
• Provisioning URI format for QR enrollment

Magic Links

Email-based passwordless authentication. Users receive a one-click login link that authenticates them without a password.

• Single-use tokens with configurable TTL
• Signed and tamper-evident links
• Optional IP binding for additional security