Every way to sign in.
One API.
Email/password, social login, magic links, OTP, MFA, passkeys — all from one SDK call. Branded login page at id.authfi.app. Free for 5,000 users.
Six ways to authenticate. Zero auth code.
Enable any method from the dashboard. Your app receives the same JWT regardless of how the user signed in.
Email / Password
Classic login with configurable password rules, breach detection against 700M+ compromised passwords, progressive lockout after failed attempts.
Social Login
Google, GitHub, GitLab — one click. User profile synced from provider. JIT account creation. No registration form needed.
Magic Links
Passwordless email login. 15-minute single-use tokens. Email verified automatically. One click, signed in.
OTP (Email)
6-digit code via email. 5-minute expiry, 5 attempts max. No SMS vendor costs. Works globally.
MFA (TOTP)
Google Authenticator, Authy, 1Password. QR code enrollment. 10 backup codes. Enforce per tenant, per org, or per route.
Passkeys
WebAuthn / FIDO2 passwordless. Biometric or hardware key. Phishing-resistant. The future of authentication.
How it works
Five steps from unauthenticated to authorized. All handled by AuthFI.
User visits your app
SDK detects no session. Redirects to your branded login page.
→ no session detected
→ redirect to id.authfi.app/login?tenant=acme
User chooses auth method
Email/password, social login, magic link, OTP — whatever you've enabled.
```text
[ Sign in with Google ]
[ Sign in with GitHub ]
─── or ───
Email: alice@acme.com
Password: ••••••••
Send magic link instead?
```
Identity verified
Password validated, OAuth completed, OTP confirmed, or MFA passed.
✓ MFA verified (TOTP code accepted)
✓ Session created
→ authorization_code generated
JWT issued
Token carries identity + roles + permissions + groups. One token drives everything.
```json
{ "sub": "user-uuid", "email": "alice@acme.com",
  "roles": ["admin"], "permissions": ["read:users"],
  "groups": ["engineering"], "mfa_verified": true }
```
Access granted
User redirected back to your app with a valid session. Done.
Security built-in. Not bolted on.
Every authentication method includes production-grade security by default. You don't configure these. They just work.
Breached password detection
Every password checked against 700M+ compromised passwords (k-anonymity model — plaintext never leaves the browser).
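As an added example (not AuthFI's code), this Python sketch shows the k-anonymity check the feature describes: the password is hashed locally, only the first 5 hex characters of the SHA-1 are sent, and the returned suffixes are compared on the client. The range response here is a constructed stand-in for the network call, and its counts are made up.

```python
import hashlib

# Constructed sample of a k-anonymity range response: for one 5-hex-char SHA-1
# prefix the server returns every breached-hash suffix it knows, with a count.
# Real services return hundreds of suffixes per prefix; these counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": [  # prefix of SHA-1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    ],
}


def split_sha1(password: str) -> tuple:
    """Hash locally; return the 5-char prefix (sent) and 35-char suffix (kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> list:
    """Stand-in for the HTTPS range query. Only the prefix is ever transmitted."""
    assert len(prefix) == 5, "never send more than the 5-char prefix"
    return SAMPLE_RANGE_RESPONSES.get(prefix, [])


def breach_count(password: str) -> int:
    """Return how many times the password appears in the breach corpus (0 if none)."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0
```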
Brute force protection
Progressive lockout: 5 failures → 1 min wait, 10 → 5 min, 15 → 30 min. Per-IP and per-account tracking.
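As an added example (a constructed model, not AuthFI's implementation), this Python class applies the lockout schedule above to both an account key and a source-IP key, so a lock on either blocks the attempt. The `LoginThrottle` name and the injectable clock are assumptions for illustration.

```python
import time

# Schedule from the page: 5 failures -> 1 min, 10 -> 5 min, 15 -> 30 min.
# Checked highest-first so the strictest matching tier wins.
LOCKOUT_SCHEDULE = [(15, 30 * 60), (10, 5 * 60), (5, 60)]


def lockout_seconds(failures: int) -> int:
    """Seconds a caller must wait after this many consecutive failures (0 = none)."""
    for threshold, seconds in LOCKOUT_SCHEDULE:
        if failures >= threshold:
            return seconds
    return 0


class LoginThrottle:
    """Counts failures per account *and* per source IP; a lock on either key
    blocks the attempt, so spraying many accounts from one IP still trips it."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self.failures = {}          # key -> consecutive failure count
        self.locked_until = {}      # key -> unix timestamp

    @staticmethod
    def _keys(account: str, ip: str):
        return (("acct", account.lower()), ("ip", ip))

    def is_locked(self, account: str, ip: str) -> bool:
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(account, ip))

    def record_failure(self, account: str, ip: str) -> int:
        """Record a failed attempt; return the wait in seconds now imposed (0 if none)."""
        now = self.clock()
        longest = 0
        for k in self._keys(account, ip):
            self.failures[k] = self.failures.get(k, 0) + 1
            wait = lockout_seconds(self.failures[k])
            if wait:
                self.locked_until[k] = now + wait
                longest = max(longest, wait)
        return longest

    def record_success(self, account: str, ip: str) -> None:
        # Reset the account's counter only; the IP counter keeps accumulating so one
        # valid login from a credential-stuffing source does not wipe its history.
        self.failures.pop(("acct", account.lower()), None)
        self.locked_until.pop(("acct", account.lower()), None)
```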
Rate limiting
Per-tenant and per-endpoint rate limits. Prevents credential stuffing, enumeration, and abuse.
PKCE (S256)
Proof Key for Code Exchange protects SPAs and mobile apps from authorization code interception.
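As an added example (not AuthFI's code), here is the S256 variant of PKCE in Python: the client derives the challenge as base64url(SHA-256(verifier)), the server stores it against a single-use authorization code, and the exchange succeeds only if the presented verifier hashes to the stored challenge. `AuthServer` is a constructed stand-in for the server side.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43-char verifier, inside RFC 7636's 43..128 length range
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for the authorization server's side of the flow."""

    def __init__(self):
        self.pending = {}  # authorization_code -> code_challenge

    def authorize(self, challenge: str, method: str) -> str:
        # Refuse the weaker "plain" method; only S256 is accepted.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self.pending[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        # The code is consumed on first use, successful or not, so an intercepted
        # code cannot be retried with guessed verifiers.
        challenge = self.pending.pop(code, None)
        if challenge is None:
            return False
        return secrets.compare_digest(make_challenge(verifier), challenge)
```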
Refresh token rotation
Every refresh issues a new token. Reuse detection invalidates the entire token family.
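As an added example (a constructed model, not AuthFI's implementation), this Python store shows rotation with family reuse detection: every refresh mints a new token in the same family and marks the old one as used, and presenting a used token again revokes the whole family, including the token the legitimate client currently holds.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshToken:
    family: str
    used: bool = False     # rotated away; must never be accepted again
    revoked: bool = False  # family killed after reuse or explicit logout


class RefreshTokenStore:
    """Constructed model of refresh-token rotation with family reuse detection."""

    def __init__(self):
        self.tokens = {}  # token string -> RefreshToken

    def issue_family(self) -> str:
        """Called at login: start a fresh family and return its first token."""
        return self._mint(secrets.token_hex(8))

    def _mint(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshToken(family=family)
        return token

    def refresh(self, presented: str) -> Optional[str]:
        """Rotate: return a new token, or None if the presented one is unusable."""
        rec = self.tokens.get(presented)
        if rec is None or rec.revoked:
            return None
        if rec.used:
            # Reuse: a token already rotated away is being presented again. Either
            # the client or someone holding a stolen copy replayed it; revoke the
            # whole family so every holder has to re-authenticate.
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self._mint(rec.family)

    def revoke_family(self, family: str) -> None:
        for rec in self.tokens.values():
            if rec.family == family:
                rec.revoked = True

    def is_valid(self, token: str) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and not rec.used and not rec.revoked
```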
Per-tenant RSA keys
Each tenant gets its own RSA-2048 keypair. JWTs are signed per-tenant. Key rotation via JWKS endpoint.
Your brand. Our login page.
The login page at id.authfi.app is fully white-labeled. Your logo, colors, domain. Users never see AuthFI branding.
Upload your logo. Shows on login, registration, emails.
Primary color, background, text. Full control.
auth.yourdomain.com with your SSL cert.
Three lines. Auth is done forever.
Install the SDK, protect your routes, call start. Permissions auto-sync. Login page is hosted and branded. You write zero auth code.
```javascript
app.get('/api/users',
  auth.require('read:users'),
  handler
);
auth.start();
```

```go
    Tenant: "acme",
})
r.With(auth.Require("read:users")).
    Get("/api/users", handler)
```

```python
@app.route('/api/users')
@auth.require('read:users')
def get_users():
    return jsonify(users)
```
What's in the JWT
Every token carries identity + authorization. Your app never makes a second call to check permissions.
```jsonc
{
  "sub": "user-uuid",
  "email": "alice@acme.com",
  "email_verified": true,
  "name": "Alice Chen",
  "tenant_id": "tenant-uuid",
  "org_id": "org-uuid",  // if org context
  "roles": ["admin", "editor"],
  "permissions": ["read:users", "write:articles"],
  "groups": ["engineering", "devops"],
  "mfa_verified": true,
  "azp": "your-client-id",
  "iss": "https://acme.authfi.app"
}
```
Same token drives app access, AuthFI Connect, eBPF policies, and network rules. One identity everywhere.
AuthFI vs. the alternatives
Authentication is just the beginning. AuthFI gives you auth + authorization + infrastructure access in one platform.
| Feature | AuthFI | | | |
|---|---|---|---|---|
| Free tier users | 5,000 | 7,500 | 50K (then pay) | 50K (then pay) |
| Social login | Included | Included | Included | Included |
| MFA (TOTP) | All plans | Paid only | Phone only | All plans |
| Magic links | All plans | All plans | Email link | All plans |
| Roles & permissions | Built-in RBAC | Paid add-on | Custom claims | Postgres RLS |
| SSO (SAML/OIDC) | $29/mo+ | $150/connection | GCP IAM only | Pro plan |
| SCIM provisioning | Built-in | Enterprise only | — | — |
| Breached password check | All plans | Enterprise only | — | — |
| eBPF enforcement | Built-in | — | — | — |
| AuthFI Connect (GCP/AWS/Azure) | Built-in | — | — | — |
| White-label login page | All plans | Paid plan | Limited | — |
| Self-hosted option | Enterprise | No | No | Yes |
Built on standards
Full OAuth 2.0 + OpenID Connect. Not a proprietary protocol. Works with any client library.
Token Endpoints
- POST /token — authorization_code, refresh_token, client_credentials
- POST /token/revoke — RFC 7009
- POST /token/introspect — RFC 7662
- GET /userinfo — OpenID Connect
- GET /.well-known/openid-configuration
- GET /.well-known/jwks.json
Grant Types
- ✓ Authorization Code + PKCE (SPAs, mobile)
- ✓ Client Credentials (service-to-service)
- ✓ Refresh Token (with rotation + family detection)
- ✓ Consent screen for third-party apps
- ✓ ID Token (OpenID Connect)
- ✓ Nonce support for replay protection
Free forever for 5,000 users
Social login, MFA, magic links, roles & permissions, 7 SDKs, webhooks. No credit card.
Start free →
Related features
Available on Free and above. See pricing →
One platform. Every identity layer.
Free to start.
Free for 5,000 users. Upgrade when you're ready.
Start building free →