TILLAUTH · TILLDEV

Sign in. Stay signed in.
Stay you.

Passkeys. MFA. OAuth. Hosted login. SSO. All of it on every plan, on day one — because authentication isn't an upsell, it's the bedrock.

LIVE · gatekeeping
argon2id · eddsa · refresh-token rotation
WHAT IT DOES

Three jobs, well.

01
PRIMITIVES

Right by default.

Argon2id at OWASP parameters (m=64MB, t=3, p=4) — peppered, never weakened. EdDSA-signed JWTs with 10-minute access tokens. Refresh-token rotation with theft detection that kills the whole family on replay. The defaults are correct.

02
METHODS

Every way in.

Email + password. Passkeys via WebAuthn (primary, not as a 2FA afterthought). TOTP + backup codes. Magic links with IP-prefix binding. OAuth (Google, GitHub) and generic OIDC. All on the same plan. No premium-MFA paywall.

03
OPERATIONS

You get to look inside.

Append-only audit log with a stable vocabulary. Per-app DEK rotation that re-encrypts secrets in one transaction. Outbound webhooks signed with HMAC-SHA256. Impersonation tokens marked with the admin who minted them, surfaced to your users.

IN PRACTICE

React in five lines.

Wrap your app, call useSignIn, done. The provider auto-refreshes tokens before they expire and catches OAuth redirects via the URL fragment. Cookie-mode is a single config flag away.

React quickstart →
tsx · app.tsx
import { TillAuthProvider, useSignIn } from '@tilldev/auth-react'

<TillAuthProvider appId="tau_pub_…">
  <App />
</TillAuthProvider>

function Login() {
  const { signIn, pending } = useSignIn()
  return <button onClick={() => signIn(email, password)} />
}
WHAT WE DON'T DO

We don't paywall MFA. We don't ask "is this for production?" to unlock 100 users. Auth isn't an enterprise upsell — it's a defaultable primitive.

PART OF TILLDEV

One of four.

You don't have to use the rest. But they fit together — same workspace, same audit log, same shortcut to switch between them. Add what you need when you need it.