Security at every layer
AuthMe layers controls at every level, from password storage with Argon2id to webhook secrets protected with AES-256-GCM. Design choices follow NIST SP 800-63 and OWASP guidance.
Authentication Protocols
OAuth 2.0 + PKCE
RFC 7636 Proof Key for Code Exchange on all public clients
OpenID Connect 1.0
ID tokens, UserInfo, Discovery, Backchannel Logout
SAML 2.0
IdP and SP modes with signed assertions and encrypted attributes
Device Authorization
RFC 8628 for input-constrained devices (smart TVs, CLI tools)
Credential Security
Argon2id Hashing
Memory-hard hashing that satisfies the NIST SP 800-63B password storage requirements and is OWASP's recommended algorithm; its memory cost blunts GPU and ASIC cracking
Password Policies
Configurable complexity, history, expiration, and minimum length
WebAuthn / FIDO2
Passwordless, phishing-resistant sign-in with roaming hardware keys or platform biometrics (Face ID, fingerprint)
TOTP + Recovery Codes
RFC 6238 time-based OTP compatible with Google Authenticator and other authenticator apps, plus single-use backup recovery codes
Token Security
RS256 JWT Signing
RSASSA-PKCS1-v1_5 with SHA-256; signing keys rotate automatically and are published by kid on the JWKS endpoint, so relying parties pick up new keys without redeploying
JWE Token Encryption
Optional encryption for sensitive claims in access and ID tokens
Short-Lived Tokens
Configurable access-token lifetime, with refresh tokens rotated on every use
Token Revocation
Revoke individual tokens or all sessions for a user
Infrastructure Protection
Helmet.js Headers
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and more
Rate Limiting
Global + per-realm + per-user + per-IP configurable throttling
CORS Validation
Allowed origins are loaded from the database and matched exactly; browsers refuse to expose responses to any other origin (CORS governs what a page may read, so requests are still authenticated independently)
TLS / HTTPS
Full HTTPS enforcement in production with secure cookie flags
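An origin allow-list check of the kind the CORS entry above describes, added as an example and not taken from AuthMe: the allow-list is a constructed in-memory stand-in for the database table, and the example also shows the suffix-match bug that exact matching avoids. Origin normalisation via the URL class and the `Vary: Origin` header are standard practice rather than anything the page states about AuthMe.

```javascript
// Allow-list as it would be loaded from the realm's client table; constructed
// here in memory. Entries are stored already normalised (scheme + host + port).
const allowedOrigins = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// An Origin header is "scheme://host[:port]" and nothing else. Parsing it with
// the URL class normalises case and default ports, so a lookalike string cannot
// slip past a string compare; anything carrying a path, query, fragment or
// userinfo is not a valid Origin value and is rejected outright.
function normalizeOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return null; } // also rejects the literal "null"
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin;
}

// The pitfall being avoided: a suffix or substring check accepts attacker hosts
// such as https://evilexample.com.
function naiveIsAllowed(origin) {
  return origin.endsWith('example.com');
}

function isAllowedOrigin(origin) {
  const normalized = normalizeOrigin(origin);
  return normalized !== null && allowedOrigins.has(normalized);
}

// Response headers for a request carrying the given Origin. An unlisted origin
// simply gets no Access-Control-Allow-Origin, so the browser refuses to expose
// the response to the page; the server still authenticates the request itself.
function corsHeaders(requestOrigin) {
  if (requestOrigin === undefined) return {}; // same-origin or non-browser client
  const headers = { Vary: 'Origin' }; // caches must not reuse the response across origins
  if (isAllowedOrigin(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = normalizeOrigin(requestOrigin);
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}
```

Reflecting the normalised origin (never `*`) is required whenever credentials are allowed, and `Vary: Origin` keeps a shared cache from serving one origin's allow header to another.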
Access Control
Role-Based Access Control
Realm-level and client-level roles with group inheritance
Step-Up Authentication
Require stronger auth (ACR levels) for sensitive operations
Brute Force Protection
Automatic account lockout after N failed attempts (configurable)
Session Management
Max sessions per user, forced logout, and session timeouts
Compliance & Audit
Login Event Logging
Every login attempt logged with IP, user agent, geo, and outcome
Admin Action Audit Trail
Who changed what, when, with full diff for configuration changes
Impersonation Tracking
Admin impersonation logged with both admin and target user details
Webhook Encryption
Per-webhook signing secrets are stored encrypted with AES-256-GCM, so a tampered or swapped ciphertext fails authentication instead of decrypting to garbage
Built on open standards
AuthMe follows established security standards and specifications — no proprietary lock-in.
OWASP Top 10
Addresses all OWASP authentication and session management risks
NIST 800-63
Follows NIST Digital Identity Guidelines for authentication assurance
RFC 6749/6750
Full OAuth 2.0 specification compliance with bearer tokens
RFC 7636
PKCE mandatory for all public client flows
OpenID Connect Core
Certified OIDC flows with discovery and session management
OASIS SAML 2.0
Standard-compliant SAML assertions and metadata exchange
Ready to secure your stack?
Deploy AuthMe in 30 seconds and get enterprise-grade security for free.