Identity & access
SSO architecture (OIDC, SAML), OAuth 2.1, MFA, fine-grained role and permission management (RBAC, ABAC), immutable audit logs. From SMB to enterprise multi-tenant.
The context
In 2026, identity is the new perimeter. There is no well-defined network boundary any more, and "VPN = secure" no longer holds: SaaS, APIs and mobile clients are all exposed. The question is no longer "where is the attacker" but "which identity is the attacker acting under". Verizon's DBIR has put stolen or weak credentials in the majority of breaches for years (61% in the 2021 edition).
Yet many products still ship with no mandatory MFA, sessions that last for months, "admin by default" permissions, and poor or absent audit logs. When an account is compromised, nobody can say what was done with it. And for B2B SaaS, the absence of enterprise SSO (OIDC, SAML) blocks sales above roughly €50k/year.
Our approach: a modern identity architecture from day one. Multi-protocol SSO, WebAuthn/passkey MFA (not SMS), short-lived sessions with rotating refresh tokens, fine-grained permissions (RBAC or ReBAC depending on complexity), immutable audit logs. Aligned with SOC 2 and ISO 27001, without overkill.
0
Passwords stored
Passkeys + OAuth + magic links: no password hashes to manage, as long as no password login is offered at all
< 200 ms
Auth latency
p99 of the access-token verification path, measured in production
100%
Traceable audit
Every authenticated action logged with actor, target and timestamp
SOC 2
Compliance ready
Architecture mapped to the CC6.1, CC6.2, CC6.3 and CC6.6 logical-access controls
What we build
From end-user authentication to machine-to-machine APIs, we cover the full identity stack.
End-user auth
Email, OAuth, Passkeys.
Email login with magic link, Sign in with Apple/Google/GitHub, passkeys (WebAuthn). No passwords to hash or store. Smooth onboarding, a solid account-recovery flow, address validation per RFC 5321 plus confirmation that the mailbox is really the user's.
Unlock your B2B sales.
OIDC, SAML 2.0, SCIM provisioning. Compatible with Okta, Microsoft Entra ID, Google Workspace, OneLogin and Ping. Just-in-time provisioning, attribute-based group mapping. Typically a hard requirement for contracts above €50k/year.
WebAuthn first, TOTP as backup.
WebAuthn (Touch ID, Face ID, YubiKey) by default; TOTP (Google Authenticator, 1Password) as fallback; SMS only when nothing else is possible. Single-use backup codes issued at enrolment. Rate limiting against brute force on every second factor.
Who can do what on what.
Simple RBAC for most cases. ABAC when a permission depends on attributes (role plus department, for example). ReBAC (OpenFGA, SpiceDB) for Google-Docs-style per-resource sharing. Progressive migration from one model to the next is possible.
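What "who can do what on what" looks like under ReBAC, as an added example (not the page's code, and not OpenFGA's or SpiceDB's): a minimal Zanzibar-style check over relationship tuples. The schema (owner implies editor implies viewer; a document inherits editor/viewer from its parent folder) and the sample tuples are constructed for illustration; the real systems add a persisted tuple store, caching and a proper modelling language, but the resolution walk is the same.

```javascript
// Relation definitions per object type: for each relation, which other relation
// on the same object implies it (OpenFGA/SpiceDB call this a computed userset).
// Assumed schema for the example.
const schema = {
  group:    { member: [] },
  folder:   { owner: [], editor: ['owner'], viewer: ['editor'] },
  document: { parent: [], owner: [], editor: ['owner'], viewer: ['editor'] },
};
// Tuple-to-userset rules: a document inherits editor/viewer from its parent folder.
const inherited = {
  document: { editor: { via: 'parent', relation: 'editor' },
              viewer: { via: 'parent', relation: 'viewer' } },
};

// Constructed sample tuples in "object#relation@subject" form. A subject is a
// user or a userset "type:id#relation" (e.g. every member of a group).
const tuples = [
  'folder:eng#owner@user:alice',
  'folder:eng#viewer@group:eng-all#member',
  'group:eng-all#member@user:bob',
  'document:roadmap#parent@folder:eng',
  'document:roadmap#editor@user:carol',
  'document:secret#viewer@user:dave',
];

// Index tuples by "object#relation" -> [subjects] for O(1) lookups.
function index(tupleList) {
  const idx = new Map();
  for (const t of tupleList) {
    const [left, subject] = t.split('@');
    if (!idx.has(left)) idx.set(left, []);
    idx.get(left).push(subject);
  }
  return idx;
}

const MAX_DEPTH = 16;  // bound the walk so a cyclic tuple set cannot hang the check

// check(object, relation, user) -> boolean. Walks direct tuples, userset
// subjects, implied relations and parent inheritance.
function check(idx, object, relation, user, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  const type = object.split(':')[0];
  for (const subject of idx.get(`${object}#${relation}`) ?? []) {
    if (subject === user) return true;                       // direct grant
    const m = /^(.+)#(.+)$/.exec(subject);                   // userset subject
    if (m && check(idx, m[1], m[2], user, depth + 1)) return true;
  }
  for (const implying of schema[type]?.[relation] ?? []) {   // e.g. editor => viewer
    if (check(idx, object, implying, user, depth + 1)) return true;
  }
  const rule = inherited[type]?.[relation];                  // e.g. parent folder's viewer
  if (rule) {
    for (const parent of idx.get(`${object}#${rule.via}`) ?? []) {
      if (check(idx, parent, rule.relation, user, depth + 1)) return true;
    }
  }
  return false;
}

function runChecks() {
  const idx = index(tuples);
  return {
    aliceViewsRoadmap: check(idx, 'document:roadmap', 'viewer', 'user:alice'), // folder owner -> editor -> viewer, via parent
    bobViewsRoadmap:   check(idx, 'document:roadmap', 'viewer', 'user:bob'),   // group membership, via parent
    bobEditsRoadmap:   check(idx, 'document:roadmap', 'editor', 'user:bob'),   // viewer never implies editor
    carolEditsRoadmap: check(idx, 'document:roadmap', 'editor', 'user:carol'), // direct grant
    daveViewsRoadmap:  check(idx, 'document:roadmap', 'viewer', 'user:dave'),  // no path
    daveViewsSecret:   check(idx, 'document:secret', 'viewer', 'user:dave'),
  };
}

console.log(runChecks());
```

The point of the model is that sharing a folder with a group, or transferring ownership, changes one tuple and every downstream check follows; with RBAC you would be recomputing role assignments per resource instead.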
JWT, refresh, revocation.
Short-lived access token (15 min), longer refresh token (7-30 days) rotated on every use, with reuse detection. Stored in HttpOnly, Secure, SameSite cookies. Real-time revocation via a Redis blocklist. Device fingerprinting to flag session hijacking.
To answer "who did that?".
Immutable, append-only audit log of every sensitive action. Retained 1-7 years depending on the compliance regime. Indexable by actor, target, action and timestamp. SIEM integration (Splunk, Datadog). Primary evidence for SOC 2 logical-access (CC6) and monitoring (CC7) controls.
Our approach
We start by mapping existing identities and the auth flows actually in use, which are often a historical accumulation of hacks.
Inventory of the auth systems in place (local DB, OAuth, etc.), permissions and active sessions. Analysis of real flows: who connects to what, from where. Identification of debt (non-expiring sessions, optional MFA, excessive permissions).
Provider selection (Auth0, Clerk, Keycloak, Cognito or in-house). Users/roles/permissions schema. Session strategy (lifetime, rotation, storage). MFA policy (mandatory, optional or role-based). Zero-downtime migration plan for existing accounts.
Implementation of the new system: OIDC/SAML SSO for B2B customers, WebAuthn MFA (mandatory or phased in), RBAC or ReBAC depending on scope, migration of existing users in batches, integration tests on every critical flow.
Audit logs wired to the SIEM (Datadog, Splunk). Security dashboards (suspicious logins, abnormal geolocation, brute force). Slack/PagerDuty alerting. Operational docs for L1 support. IAM incident runbook.
Tech stack
No NIH syndrome: unless there is an explicit reason, we rely on mature providers.
Managed auth providers
Auth0 · Clerk · Stytch · WorkOS · Cognito
Clerk for startups (excellent DX, fair pricing). Auth0 where enterprise compliance is already in place. WorkOS for B2B SSO only. Stytch for premium passwordless flows.
Open-source self-hosted
Keycloak · Authentik · Ory Kratos · SuperTokens
Keycloak for large organisations with strong compliance needs. Authentik as a more modern, lighter alternative. Ory Kratos when you want modular building blocks. SuperTokens for simple self-hosted needs.
OAuth & token libs
Auth.js (NextAuth) · oauth4webapi · jose · oslo
Auth.js in Next/Astro for simplicity. oauth4webapi for strict, spec-conformant custom clients. jose for JWT/JWS/JWE handling. oslo for crypto primitives.
Permissions (RBAC/ReBAC)
OpenFGA · SpiceDB · Cerbos · Oso
OpenFGA (Auth0) for standard ReBAC. SpiceDB (Authzed), a Google Zanzibar implementation. Cerbos for policy as code. Oso when authorization is embedded in the application.
MFA & WebAuthn
SimpleWebAuthn (@simplewebauthn/server) · Authy · Twilio Verify
SimpleWebAuthn for server-side WebAuthn (TypeScript). Authy/Twilio Verify for managed TOTP. Yubico's YubiHSM SDK when keys must live in an HSM.
Audit & SIEM
Datadog · Splunk · Loki · Elastic · Sumo Logic
Datadog if already in place for APM. Splunk in large enterprises. Loki + Grafana for low-cost self-hosting. Elastic if the expertise is already there.
Measurable guarantees
0
Migration downtime
Progressive migration of existing accounts with no service interruption: old flows keep working while new ones are switched on.
SOC 2 / ISO 27001
Architecture mapped
Architecture documented and aligned to CC6 (logical access) controls. Ready for external audit.
100%
Traceable audit
Every sensitive action (login, permission change, data access) logged with actor, action, target, IP and timestamp.
WCAG AA
Accessible auth
All auth flows (login, MFA, recovery) tested for accessibility — keyboard, screen reader, contrast.
Pricing
Rather than abstract packages, we adapt to your context: scope, complexity, deadlines, constraints. Write us three sentences on what you want to do and we return a firm quote within 48 working hours.