Drop-in authentication with JWT rotation, RBAC, email verification, audit logs, and a full tenant dashboard. Ship auth in minutes, not weeks.
POST /api/v1/auth/register
{
  "clientId": "your-app-client-id",
  "email": "user@example.com",
  "password": "SecurePass1!",
  "name": "Jane Doe"
}

// Response
{
  "success": true,
  "data": {
    "user": { "id": "usr_...", "roles": ["user"] },
    "tokens": { "accessToken": "eyJ...", "expiresIn": 900 }
  }
}

Production-grade, not toy examples.
Rotating refresh tokens with reuse detection. Compromised tokens nuke the entire session family.
One platform, unlimited apps. Each tenant owns isolated apps with their own users, roles, and audit logs.
Per-app roles with a full permissions catalog. Owner, admin, user — or define your own custom roles.
Branded verification and password reset emails via Brevo SMTP. Tokens hashed at rest, 1-hour expiry.
Every auth event logged — logins, registrations, role changes, token reuse. Filterable per app.
5 consecutive failed logins trigger a 15-minute lockout per email+app. Separate from IP rate limiting — both apply simultaneously.
View and revoke individual user sessions from the dashboard. All sessions invalidated on password reset or token reuse detection.
Full security header suite: HSTS, CSP, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy on every response.
Create a tenant account, spin up an app, and get your clientId in under 2 minutes.
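The refresh-token rotation with reuse detection listed above can be sketched as follows. This is an added example, not the platform's own code: the class and function names, the in-memory store, and hashing refresh tokens with SHA-256 are assumptions made for illustration.

```python
import hashlib
import secrets

class ReuseDetected(Exception):
    """An already-rotated refresh token was presented again."""

def _digest(token):
    # Assumption: only a hash is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class RefreshTokenStore:
    """In-memory stand-in for a token table (hypothetical schema)."""

    def __init__(self):
        self.tokens = {}              # digest -> {"family": str, "used": bool}
        self.revoked_families = set()

    def _issue(self, family):
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = {"family": family, "used": False}
        return token

    def login(self):
        return self._issue(secrets.token_hex(8))   # new session family

    def rotate(self, presented):
        record = self.tokens.get(_digest(presented))
        if record is None:
            raise KeyError("unknown refresh token")
        family = record["family"]
        if record["used"] or family in self.revoked_families:
            # A rotated token came back: someone holds a stolen copy, and we
            # cannot tell who, so every token in the family is invalidated.
            self.revoked_families.add(family)
            raise ReuseDetected(family)
        record["used"] = True
        return self._issue(family)

def demo():
    store = RefreshTokenStore()
    first = store.login()
    second = store.rotate(first)      # legitimate rotation
    results = []
    for token in (first, second):     # replay the old token, then the newest
        try:
            results.append(bool(store.rotate(token)))
        except ReuseDetected:
            results.append(False)
    return results
```

After the replay of `first`, the newest token `second` is rejected as well, which is the family-wide revocation the feature list describes.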