Authentication & identity

Four authentication paths plus session and security telemetry.

Local credentials, MFA, passkeys, and Microsoft Entra ID OIDC SSO. Pick one or run them all at once. Every path writes to a security event log, and admins can see and revoke active sessions per device.

9 total, 9 shipping
  • Local password authentication

    Shipping

    bcrypt hashing, refresh-token rotation, optional MFA gate.

  • Multi-factor authentication (TOTP)

    Shipping

    TOTP (RFC 6238) with AES-256-GCM-encrypted secrets at rest, recovery codes, and rate-limited verification.

  • Passkeys / WebAuthn

    Shipping

    Per-user credential registration with usernameless login support via a server-side ChallengeStore.

  • Microsoft Entra ID (OIDC) SSO

    Shipping

    PKCE flow with a user_auth_identities join table mapping Entra subjects to local users.

  • Session management

    Shipping

    Active sessions are tracked with device fingerprinting; users can list and remotely log out individual sessions.

  • Security event telemetry

    Shipping

    Logins, MFA changes, password resets, and invitation redemptions are recorded in a security_events ledger for compliance audit trails.

  • Invitation flow

    Shipping

    Admin-issued invites land on a token-gated form with pre-filled email and a guided account-creation flow.

  • Password reset

    Shipping

    Single-use tokens with expiry, surfaced through a dedicated reset endpoint.

  • Onboarding wizard

    Shipping

    Fresh-deploy admin account creation with optional backup restore on first boot.
