Built for developers.
Trusted by enterprises.

Every feature you need to ship auth — from a weekend project to a Fortune 500 deployment.

Authentication
Every way to sign in.

Email/password, social login, magic links, enterprise SSO. One API handles all of it. Your users pick how they want to authenticate.

  • Email & password with password policy
  • Google, GitHub, GitLab social login
  • Magic links (passwordless email)
  • TOTP MFA with backup codes
  • OAuth 2.0 + PKCE for SPAs
  • Refresh token rotation

// Your users sign in. You get a JWT.
const res = await fetch('/v1/acme/auth/login', {
  method: 'POST',
  body: JSON.stringify({
    email: 'user@example.com',
    password: '...'
  })
});
const { access_token } = await res.json();
// JWT contains: roles, permissions, org context

Enterprise SSO
Your customer says
"we use Okta." You say "done."

SAML, OIDC, LDAP — configured in your dashboard, not in code. Domain-based routing automatically sends users to the right identity provider.

🔐

SAML 2.0

Full SP metadata generation. IdP-initiated and SP-initiated flows. Signature verification.

🔑

OIDC Federation

Auto-discovery via .well-known. Code exchange with PKCE. UserInfo endpoint.

📁

LDAP / AD

Bind authentication against Active Directory or OpenLDAP. TLS support.

🔵 Google ☁️ Azure AD 🅾️ Okta 🦊 GitLab 🔄 SCIM 2.0

// Define permissions in your code
app.get('/api/users',
  auth.require('read:users'),
  handler
);
app.delete('/api/users/:id',
  auth.require('delete:users'),
  handler
);
// SDK auto-registers permissions on startup
// Assign them to roles in the dashboard

Authorization
Roles & permissions that sync from your code.

Annotate your routes. The SDK discovers permissions automatically and registers them with AuthFI. Assign permissions to roles in the dashboard. JWTs include everything.

  • Auto-sync permissions from code
  • Application-scoped permissions
  • Roles & permissions in every JWT
  • Authorization check API
Branding
Your brand. Your login page.

Colors, fonts, layout, logo, custom domain, custom CSS. Your users never know AuthFI exists.

Colors

Primary, background, text — full palette control.

Fonts

Inter, Roboto, Poppins, DM Sans, or system.

Layout

Centered, split panel, or left-aligned.

Domain

auth.yourapp.com with auto SSL.

Developer Experience
SDKs, webhooks, APIs.

Everything you need to integrate, extend, and automate.

7 SDKs

Node.js, Python, Go, Java, PHP, C#, Ruby. JWT validation + permission checks built in.

Webhooks

HMAC-signed events for login, signup, password reset, MFA enrollment. Full delivery log.

Management API

Full REST API with API key auth. CRUD users, roles, apps, connections, everything.

OIDC Discovery

Standard .well-known/openid-configuration + JWKS endpoints for every tenant.

SCIM 2.0

Automated user provisioning from Okta, Azure AD, or any SCIM-compatible IdP.

Environments

Isolated dev, staging, production — each with their own keys, users, and config.

Zero-Code Access
Auth at the kernel level. No code changes.

Deploy one agent. It discovers your services automatically, hooks into the Linux kernel via eBPF, and validates JWTs on every request. Admin panels, APIs, dashboards — all protected without touching a single line of application code.

  • eBPF kernel-level interception (~1µs)
  • Auto-discovers services (K8s + VMs)
  • Per-route policies (method + path + role)
  • Monitor mode or enforce mode
  • Every decision logged for audit
  • API auto-discovery for policy suggestions

# Deploy. Discover. Protect. Done.
$ docker run --privileged --net=host \
    -e AUTHFI_TENANT=acme \
    -e AUTHFI_AGENT_TOKEN=secret \
    authfi/access-agent

Agent installed
Discovered 6 services
eBPF hooks attached
Protected: api:8080
Protected: admin:3000
Protected: grafana:3001

# Kernel-level auth. Zero code changes.

// Access AWS without static keys
const creds = await fetch('/cloud/credentials', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${token}`,
    'X-Client-ID': 'app-id',
    'X-Client-Secret': '...'
  },
  body: JSON.stringify({
    provider: 'aws',
    role_arn: 'arn:aws:iam::...',
    ttl: 900
  })
});
// Returns short-lived STS credentials

Cloud Identity
Access any cloud. No static keys.

OIDC federation to AWS, GCP, and Azure. AuthFI issues short-lived tokens trusted by cloud IAM. Your users and services access cloud resources with their AuthFI identity — no API keys in environment variables. Ever.

  • AWS STS AssumeRoleWithWebIdentity
  • GCP Workload Identity Federation
  • Azure AD token exchange
  • 15-minute TTL, auto-rotated
  • Per-app IAM scoping via azp claim
Industry Modules
One platform.
Every industry.

AuthFI core handles auth for any SaaS app. Industry modules add compliance-specific scopes, token claims, and discovery endpoints — activated per tenant, no code changes.

🏥

Healthcare

SMART on FHIR v2.2 scope engine. Patient/encounter launch context. fhirUser claim injection. .well-known/smart-configuration. HIPAA-ready audit retention.

SMART on FHIR, HIPAA, EHR Launch
🏦

Fintech

PSD2 Strong Customer Authentication. Transaction signing scopes. KYC verification hooks. PCI-DSS audit controls. Risk-based step-up authentication.

PSD2/SCA, PCI-DSS, KYC
🎓

Education

LTI integration for LMS platforms. FERPA-compliant access controls. Student/guardian consent model. SIS directory sync. Grade-level scoping.

LTI, FERPA, SIS Sync

Modules activate per tenant via the management API. Your SaaS serves healthcare, fintech, and education customers — from one deployment.

Infrastructure
Runs on Google Cloud. Scales to zero.

Cloud Run for compute. Cloud SQL for data. Cloudflare for edge. Scales down to $0 when idle, scales up to handle millions of auth requests.

Cloud Run

Auto-scaling containers. Pay only for requests. Scale to zero.

Cloud SQL

Managed PostgreSQL with automatic backups and regional replicas.

Cloudflare

Global CDN, DDoS protection, custom domain SSL provisioning.

Regions

India, US, EU, Australia. Data residency per tenant.

Start building in 5 minutes.

Free forever. No credit card required.
