TILLAUTH · OVERVIEW

Sign in. Stay signed in. Stay you.

TillAuth is auth-as-a-service for the end-users of your applications. Customer-app users sign up, sign in, enroll MFA, register passkeys — and your server gets verifiable JWTs in return. Argon2id at OWASP parameters, EdDSA signing, refresh-token rotation with theft detection. No paywalled MFA, no enterprise upsell to unlock SSO.

The data model

TillAuth has four primary objects:

  • Apps — one per customer-application. Each app has its own OAuth client IDs, branding, hosted-login slug, and encryption key.
  • Users — end-users of an app. Email is unique within an app.
  • Sessions — refresh tokens with rotation + theft detection.
  • Identities — links to OAuth/OIDC providers (Google, GitHub, etc.).

The flows

Every common auth flow, on every plan, on day one.

Get started

Five lines of React. Open the quickstart →

Operate

  • Webhooks — HMAC-signed delivery, exponential-backoff retries, replay view.
  • Audit log — append-only, stable action vocabulary, 365-day retention.
  • DEK rotation — re-encrypt every per-app secret in one transaction.
  • Custom domainsauth.your-domain.com on customer DNS.

SDKs