App auth & security

Strong auth. Data protected. GDPR by default.

Multi-provider auth (Apple, Google, email, magic link, passkeys). Fine-grained RBAC, end-to-end encryption, automated GDPR compliance, pre-deploy AI security audit. Optional manual pentest.

  • Passkeys + native Sign in with Apple / Google
  • Granular RBAC (custom roles + permissions)
  • Claude Fable 5 AI audit before every release
  • GDPR: purge, export and right to be forgotten, automated

The context

81% of hacking-related breaches went through a stolen or weak credential.

The 81% figure comes from Verizon's DBIR (2017 edition): 81% of hacking-related breaches leveraged stolen or weak passwords, and credential abuse has stayed among the leading initial access vectors in every edition since. On the GDPR side, the CNIL has stepped up enforcement year on year, and recent fines have singled out weak authentication, missing user exports and incomplete purges. Yesterday's bare minimum became today's danger zone.

The trap is that a hand-rolled auth stack with bcrypt and homemade JWTs gives an illusion of security. The reality: no key rotation, no rate limiting, no credential stuffing detection, no audit log, no GDPR export ready to serve. The day a regulator knocks or a user invokes their right to be forgotten, it is three weeks of panic and exposure to a fine of up to 4% of worldwide annual turnover (or €20M, whichever is higher).

Our conviction: auth and security aren't a feature, they're the invisible infrastructure that holds everything else up. Passkeys instead of passwords. Argon2id instead of bcrypt. libsodium instead of patched-together crypto.subtle. Claude Fable 5 AI audit before every release, forensic-ready audit log, and a GDPR mode that works in one click from the user profile.

🔑

Native passkeys

WebAuthn passkeys plus Sign in with Apple / Google: no password left to leak or phish, unlocked with the device's own biometrics.

🛡️

Granular RBAC

Roles + custom permissions. Policies evaluated server-side, not just in the UI.

🔒

End-to-end encryption

AES-256-GCM via libsodium (XChaCha20-Poly1305, libsodium's portable default, where hardware AES is unavailable), automated key rotation, secrets in a KMS (never in the repo).

📜

Automated GDPR

Full JSON export, one-click cascaded deletion, processing register auto-generated.

What we build

Six auth & security stack profiles.

From the B2C SaaS that wants to go passkey-first to the medical app that has to pass an ISO audit, we tune architecture but never rigour. The profiles we ship most.

Modern B2C SaaS auth

Passwordless, zero friction.

For consumer apps that want 3-second onboarding. Sign in with Apple/Google, magic-link email, passkeys as progressive opt-in. Secure sessions, rotating refresh tokens, IP + email rate-limit, device fingerprinting.

  • Sign in with Apple + Google
  • Magic link + WebAuthn passkeys
  • Rate-limit + credential stuffing detection
  • Rotating JWT sessions + revocation list

B2B SaaS auth with SSO

SAML, OIDC, SCIM for enterprise.

For SaaS targeting enterprise customers. Plug-and-play SAML 2.0 and OIDC SSO (Okta, Microsoft Entra ID, formerly Azure AD, Google Workspace), automated SCIM provisioning, multi-tenant RBAC, SIEM-exportable audit log. SOC 2-ready.

  • SAML 2.0 + OIDC multi-IdP SSO
  • SCIM 2.0 provisioning
  • Multi-tenant RBAC with policies
  • Forensic audit log + SIEM export

Built-in GDPR compliance

Articles 17 and 20 in one click.

The GDPR module we install everywhere. Full user JSON export (Article 20), clean cascaded deletion (Article 17, with data under a legal retention obligation, invoices for instance, kept only as long as the law requires and nothing else), granular consent with evidence, auto-generated processing register, cookie banner compliant with the CNIL's 2024 guidelines.

  • Cascaded user JSON export
  • Real one-click account deletion (no soft-delete)
  • Timestamped granular consent
  • Auto-generated processing register

AI security audit

Claude Fable 5 before every release.

Our signature practice: before every deploy, Claude Fable 5 (AI cybersecurity) audits the code, routes, RBAC policies, DB queries and attack surfaces. Paired with OWASP ZAP in CI and Snyk for dependencies. Actionable report, not a 300-page PDF.

  • Claude Fable 5 audit on release diff
  • OWASP ZAP integrated in CI/CD
  • Snyk scan deps + lockfile
  • P0/P1/P2 actionable priority report

End-to-end encryption

For really sensitive data.

Health, legal, finance apps. AES-256-GCM via libsodium, a data key per user or per field, master (wrapping) keys in a KMS (AWS KMS / GCP KMS / Vault), automated quarterly rotation of the wrapping keys. Where the user key is derived client-side with Argon2id from a secret the server never sees, the server cannot read the data: zero-knowledge by architecture. Fields that must stay server-searchable or recoverable are encrypted at rest under KMS keys instead, which the operator can still decrypt, and the threat model says which fields fall on which side.

  • libsodium / NaCl everywhere (no patched crypto.subtle)
  • Argon2id for key derivation
  • KMS for master keys (AWS / GCP / Vault)
  • Automated rotation + migration plan
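What "automated rotation + migration plan" means in practice is envelope encryption: each field value gets its own random data key (DEK), the DEK is wrapped by a versioned master key (KEK) that lives in the KMS, and rotation rewraps DEKs without ever touching the data ciphertext. The example below is added here and is not the page's or the agency's code. Node's AES-256-GCM stands in for libsodium's AEAD and `FakeKms` stands in for AWS KMS / GCP KMS / Vault (in production the KEK bytes never leave the KMS; the app only calls wrap/unwrap). The AAD binds each ciphertext to its user and column, so a value copied into another user's row fails authentication instead of decrypting, and the sample record is constructed.

```typescript
// Added example (not the page's code): envelope encryption with KEK rotation.
import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";

type Sealed = { iv: string; ct: string; tag: string };   // base64; 96-bit IV, 128-bit tag
type Wrapped = Sealed & { v: number };                   // plus the master-key version used

function aeadSeal(key: Buffer, plaintext: Buffer, aad: Buffer): Sealed {
  const iv = randomBytes(12);                            // fresh nonce for every encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: c.getAuthTag().toString("base64") };
}

function aeadOpen(key: Buffer, s: Sealed, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(s.iv, "base64"));
  d.setAAD(aad);
  d.setAuthTag(Buffer.from(s.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(s.ct, "base64")), d.final()]);   // final() throws on any tampering
}

// Stand-in for the KMS: versioned key-encryption keys (KEKs).
class FakeKms {
  private keks = new Map<number, Buffer>();
  current = 0;

  rotate(): number {                                     // quarterly: new version; old ones stay for unwrap
    this.current += 1;
    this.keks.set(this.current, randomBytes(32));
    return this.current;
  }
  wrap(dek: Buffer, aad: Buffer): Wrapped {
    const kek = this.keks.get(this.current);
    if (!kek) throw new Error("kms: no active key version");
    return { v: this.current, ...aeadSeal(kek, dek, aad) };
  }
  unwrap(w: Wrapped, aad: Buffer): Buffer {
    const kek = this.keks.get(w.v);
    if (!kek) throw new Error(`kms: key version ${w.v} retired; record was never rewrapped`);
    return aeadOpen(kek, w, aad);
  }
  retire(version: number): void { this.keks.delete(version); }   // last step of the migration plan
}

type EncryptedField = { userId: string; field: string; dek: Wrapped; data: Sealed };

// AAD ties both ciphertexts to their owner and column.
const aadFor = (userId: string, field: string): Buffer => Buffer.from(`${userId}\u0000${field}`);

function encryptField(kms: FakeKms, userId: string, field: string, value: string): EncryptedField {
  const dek = randomBytes(32);                           // one data key per field value
  const aad = aadFor(userId, field);
  const rec = { userId, field, dek: kms.wrap(dek, aad), data: aeadSeal(dek, Buffer.from(value, "utf8"), aad) };
  dek.fill(0);
  return rec;
}

function decryptField(kms: FakeKms, rec: EncryptedField): string {
  const aad = aadFor(rec.userId, rec.field);
  const dek = kms.unwrap(rec.dek, aad);
  try { return aeadOpen(dek, rec.data, aad).toString("utf8"); } finally { dek.fill(0); }
}

// Rotation touches only the wrapped DEK; the data ciphertext is never re-encrypted.
function rewrap(kms: FakeKms, rec: EncryptedField): EncryptedField {
  const aad = aadFor(rec.userId, rec.field);
  const dek = kms.unwrap(rec.dek, aad);
  try { return { ...rec, dek: kms.wrap(dek, aad) }; } finally { dek.fill(0); }
}

function failsToDecrypt(kms: FakeKms, rec: EncryptedField): boolean {
  try { decryptField(kms, rec); return false; } catch { return true; }
}

function demoRotation() {
  const kms = new FakeKms();
  kms.rotate();                                                               // version 1
  const rec = encryptField(kms, "user-42", "diagnosis", "type 2 diabetes");   // constructed sample row
  kms.rotate();                                                               // version 2, the quarterly rotation
  const rotated = rewrap(kms, rec);
  kms.retire(1);                                                              // only once every record is rewrapped
  return {
    plaintext: decryptField(kms, rotated),
    dataUntouched: rotated.data.ct === rec.data.ct,
    dekVersion: rotated.dek.v,
    swapRejected: failsToDecrypt(kms, { ...rotated, userId: "user-7" }),      // ciphertext moved to another user's row
    staleRecordFails: failsToDecrypt(kms, rec),                               // a record missed by the migration
  };
}
```

Note what this pattern does and does not give: the KMS (and therefore the operator) can still unwrap every DEK, so it is encryption at rest, not zero-knowledge. For the zero-knowledge fields the profile above describes, the DEK would be wrapped under a key derived client-side with Argon2id from a user secret rather than under the KMS key.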

Manual pentest + bug bounty

The human after the AI.

On critical apps we complement the AI audit with a manual pentest by a PASSI-certified partner. Grey-box test over 5-10 days, CVSS report, accompanied remediation plan. Bonus: launch of a private bug bounty programme on YesWeHack or HackerOne.

  • PASSI-certified partner firm
  • Grey-box pentest 5-10 days
  • CVSS report + remediation plan
  • Private bug bounty YesWeHack / HackerOne

Our approach

Five steps for auth that holds up at night.

We follow a proven cadence: threat model, stack pick, implementation, AI then human audit, run. Kickoff 1-2 weeks after signing.

01

Threat model + scoping (3-5 d)

Half-day workshop: who are the likely attackers, which data is sensitive, which attack surfaces (web, mobile, API, admin). STRIDE mapping, data classification by level (public, internal, confidential, secret).

📦 Threat model + data map + signed auth plan
02

Stack choice & RBAC (1 wk)

Provider selection (Auth0, Clerk, Firebase Auth, self-hosted Lucia by context). Fine RBAC modelling (roles, permissions, resources, conditions). Session, refresh token and revocation list design. Password + passkey policy.

📦 RBAC schema + auth sequence diagram + stack ADR
03

Implementation + GDPR (2-4 wks)

Flow implementation: signup, multi-provider login, MFA, passkeys, magic link, reset, account deletion, GDPR export. RBAC middleware on every route. Forensic-ready audit logs. Sensitive-field encryption with libsodium.

📦 Auth + RBAC + GDPR delivered with integration tests
04

Claude Fable 5 audit + OWASP ZAP (3-5 d)

Claude Fable 5 AI audit on the full diff. OWASP ZAP scan in CI on the pre-prod environment. Snyk on deps and lockfile. Critical flow testing (privilege escalation, IDOR, SSRF, injection). P0/P1/P2 report.

📦 Audit report + correction tickets + remediation plan
05

Optional pentest + run (1-2 wks)

If critical: manual pentest via PASSI partner firm. Otherwise: straight to run. Auth monitoring (Datadog / Grafana), alerts on credential stuffing spikes, centralised audit log, incident-response doc delivered.

📦 App in production + incident runbook + log access

Tech stack

The tools we deploy when we want to sleep at night.

We don't reinvent crypto primitives. When a serious player does the job (Auth0, Clerk, libsodium), we use it. Our defaults, adjustable to context.

Managed auth

Auth0 · Clerk · Firebase Auth · Supabase Auth

Clerk for modern Next.js/React apps (premium DX). Auth0 for B2B with complex SSO. Firebase Auth when you're already in the Google stack. Supabase Auth if you want low-cost + Postgres.

Self-hosted auth

Lucia · Ory Kratos · NextAuth/Auth.js · BetterAuth

Lucia for full control in TypeScript. Ory Kratos when you want open-source enterprise. NextAuth for Next.js apps that stay simple. BetterAuth as a modern 2026 alternative.

Hash & crypto

Argon2id · libsodium · BoringSSL · age

Argon2id for passwords (never bcrypt). libsodium for all application crypto. BoringSSL for Go/Rust builds. age for file encryption (X25519 keys, or existing SSH keys as recipients).

Passkeys & WebAuthn

SimpleWebAuthn · passkeys.dev · Hanko

SimpleWebAuthn as the server reference library. passkeys.dev for UX patterns. Hanko when you want managed passkey-first turnkey.

Audit & scan

Claude Fable 5 · OWASP ZAP · Snyk · Semgrep · Trivy

Claude Fable 5 on the release diff (AI sees what humans miss). OWASP ZAP in CI for active scans. Snyk for dep CVEs. Semgrep for custom patterns. Trivy for Docker images.

Anti-abuse & WAF

Cloudflare Turnstile · Cloudflare WAF · Arcjet · Redis rate-limit

Turnstile instead of captchas (zero-friction UX). Cloudflare WAF for the network layer. Arcjet for modern app-layer protections (rate-limit, bot detection, signup spam). Redis for custom sliding windows.

Measurable guarantees

Four contractual commitments.

0

Plain-text passwords stored

Argon2id everywhere, secrets in a KMS, no credentials in the repo or the logs. Checked by the AI audit and the Snyk scan before every release.

GDPR

Articles 17 & 20 compliance

Full user JSON export, clean cascaded deletion (no disguised soft-delete), generated processing register, CNIL 2024-compliant cookie banner.

P0

Zero critical vuln in production

Claude Fable 5 + OWASP ZAP + Snyk blocking in CI. No release ships with an unresolved P0 finding, contractually.

24h

Security incident SLA

Patch within 24 business hours for any critical vuln reported by you, a user or a researcher. Incident-response runbook delivered; if the incident is a personal-data breach, we accompany the CNIL notification (72 hours under Article 33) and any communication to the affected users.

Pricing

Every project is unique. So is the quote.

Instead of abstract packages we adapt to your context: scope, complexity, deadlines, constraints. Tell us in three sentences what you want to do and we come back with a fixed-price quote within 48 business hours.

Reply within 48 business hours · Request a quote