TILLAUTH · OVERVIEW
Sign in. Stay signed in. Stay you.
TillAuth is auth-as-a-service for the end-users of your applications. Customer-app users sign up, sign in, enroll MFA, register passkeys — and your server gets verifiable JWTs in return. Argon2id at OWASP parameters, EdDSA signing, refresh-token rotation with theft detection. No paywalled MFA, no enterprise upsell to unlock SSO.
The data model
TillAuth has four primary objects:
- Apps — one per customer-application. Each app has its own OAuth client IDs, branding, hosted-login slug, and encryption key.
- Users — end-users of an app. Email is unique within an app.
- Sessions — refresh tokens with rotation + theft detection.
- Identities — links to OAuth/OIDC providers (Google, GitHub, etc.).
The flows
Every common auth flow, on every plan, on day one.
- Email + password — Argon2id, peppered, progressive lockout after repeated failed attempts.
- Passkeys — WebAuthn primary and 2FA, with counter-regression theft detection.
- TOTP + backup codes — first-class, not an upsell.
- Magic links — IP-prefix bound, redirect allow-list checked.
- OAuth · Google + GitHub — per-app client IDs, app-DEK-encrypted secrets.
- OIDC SSO — JWKS-verified id_token, optional allowed-domain gate.
Get started
Five lines of React. Open the quickstart →
Operate
- Webhooks — HMAC-signed delivery, exponential-backoff retries, replay view.
- Audit log — append-only, stable action vocabulary, 365-day retention.
- DEK rotation — re-encrypt every per-app secret in one transaction.
- Custom domains —
auth.your-domain.comon customer DNS.
SDKs
@tilldev/auth-react— provider + hooks for SPAs and Next.js apps.@tilldev/auth-node— JWT verifier, Express middleware, cookie-proxy.