Everything you need for identity infrastructure
A complete authentication platform. Spec-compliant protocols, real multi-tenancy, hardened security, and a developer experience that respects your time.
Authentication & protocols
Standards-based auth that drops into any client.
OAuth 2.0 & OpenID Connect
Authorization Code with PKCE, Client Credentials, token rotation, introspection, revocation and OIDC Discovery. Spec-compliant, so any OIDC client library works out of the box.
Passwordless login
Magic-link and Email OTP login with 15-minute one-time tokens and same-device binding. User-enumeration safe. Workspaces can go fully passwordless.
Multi-factor auth
TOTP-based MFA with replay detection and lockout protection. Enforced per workspace and preserved across every passwordless flow.
Multi-tenancy & access
One instance, many products, fully isolated.
Isolated workspaces
Separate user directories, per-tenant RS256 key pairs with admin-initiated rotation, slug-routed APIs and independent security policies.
RBAC & groups
Roles with composite inheritance, group membership and client default roles. Fine-grained access control with no external services to run.
Custom JWT claims
Project user attributes into tokens with claim mappers. Shape the exact JWT each application receives, with no code required.
Security & compliance
The controls auditors ask about, built in from day one.
Encrypted at rest
Secrets sealed with AES-256-GCM. Backups derive keys with PBKDF2 at 600k iterations before encryption.
Breached password checks
HIBP k-anonymity blocks known-compromised passwords at registration and reset, without leaking the password.
Account protection
Account lockout, refresh-token replay detection with family revocation, and silent SSO with prompt=none.
Immutable audit trail
65+ event types in an append-only log. Query by actor, action or time from the API or your AI assistant.
Developer experience
A consistent surface that rewards reading the docs once.
One consistent REST API
The same shape across every resource, with scoped API keys per workspace and RFC-compliant errors. Keys read as Bearer kauth_{slug}_{key}.
OpenAPI & built-in CLI
Bundled Swagger UI and five built-in CLI tools. Everything is documented and everything is scriptable.
Workspace-routed endpoints
Predictable routing at /t/{slug}/api/v1. One instance serves every tenant with no ambiguity about who you are talking to.
Deployment & operations
Boring to run, which is exactly what you want from auth.
Docker-native
A ~120 MB image on GHCR. Runs non-root as UID 10001, read-only filesystem, no-new-privileges. One-command quickstart and Flyway auto-migrations handle the rest. Fully air-gapped capable.
Backup & restore
Portable, encrypted tenant snapshots via CLI or admin API, with schema-version validation on import.
Scale-out ready
Redis-backed distributed sessions and bring-your-own database support for production deployments.
See it all running live
Explore a seeded instance, or deploy your own in under a minute.