Features

Everything you need for identity infrastructure

A complete authentication platform. Spec-compliant protocols, real multi-tenancy, hardened security, and a developer experience that respects your time.

Authentication & protocols

Standards-based auth that drops into any client.

OAuth 2.0 & OpenID Connect

Authorization Code with PKCE, Client Credentials, token rotation, introspection, revocation and OIDC Discovery. Spec-compliant, so any OIDC client library works out of the box.

Passwordless login

Magic-link and Email OTP login with 15-minute one-time tokens and same-device binding. User-enumeration safe. Workspaces can go fully passwordless.

Multi-factor auth

TOTP-based MFA with replay detection and lockout protection. Enforced per workspace and preserved across every passwordless flow.

Multi-tenancy & access

One instance, many products, fully isolated.

Isolated workspaces

Separate user directories, per-tenant RS256 key pairs with admin-initiated rotation, slug-routed APIs and independent security policies.

RBAC & groups

Roles with composite inheritance, group membership and client default roles. Fine-grained access control with no external services to run.

Custom JWT claims

Project user attributes into tokens with claim mappers. Shape the exact JWT each application receives, with no code required.

Hardened by default

Security & compliance

The controls auditors ask about, built in from day one.

Encrypted at rest

Secrets sealed with AES-256-GCM. Backups derive keys with PBKDF2 at 600k iterations before encryption.

Breached password checks

HIBP k-anonymity blocks known-compromised passwords at registration and reset, without leaking the password.

Account protection

Account lockout, refresh-token replay detection with family revocation, and silent SSO with prompt=none.

Immutable audit trail

65+ event types in an append-only log. Query by actor, action or time from the API or your AI assistant.

Developer experience

A consistent surface that rewards reading the docs once.

One consistent REST API

The same shape across every resource, with scoped API keys per workspace and RFC-compliant errors. Keys read as Bearer kauth_{slug}_{key}.

OpenAPI & built-in CLI

Bundled Swagger UI and five built-in CLI tools. Everything is documented and everything is scriptable.

Workspace-routed endpoints

Predictable routing at /t/{slug}/api/v1. One instance serves every tenant with no ambiguity about who you are talking to.

Deployment & operations

Boring to run, which is exactly what you want from auth.

Docker-native

A ~120 MB image on GHCR. Runs non-root as UID 10001, read-only filesystem, no-new-privileges. One-command quickstart and Flyway auto-migrations handle the rest. Fully air-gapped capable.

Backup & restore

Portable, encrypted tenant snapshots via CLI or admin API, with schema-version validation on import.

Scale-out ready

Redis-backed distributed sessions and bring-your-own database support for production deployments.

See it all running live

Explore a seeded instance, or deploy your own in under a minute.