Concepts

Passwordless auth methods

Authio never persists a password. Here are the methods we ship instead.

Passkeys (the default)

WebAuthn/FIDO2 platform authenticators (Touch ID, Face ID, Windows Hello, Android biometrics) and roaming authenticators (YubiKey, Solo). Cross-device passkeys via iCloud Keychain and Google Password Manager work out of the box.

Authio runs the WebAuthn ceremony server-side via auth-core; the SDK calls navigator.credentials.create() and navigator.credentials.get() in the browser. Our React component <SignIn /> wraps both, including conditional UI (the “auto-fill passkey” prompt).

Passkeys are the MFA. We don’t need a separate TOTP layer because the device-bound credential is phishing-resistant and resists credential stuffing.

Magic links

Single-use, IP+UA-bound, 10-minute TTL by default. The token is a 32-byte random; we store the SHA-256 hash and burn it atomically on click. Delivered via email today; SMS lands when Twilio is wired up on your project.

POST /v1/auth/magic-link/send
{
  "destination": "user@example.com",
  "redirect_uri": "https://app.acme.com/dashboard",
  "organization_id": "org_acme"
}

organization_id is optional; when present, the org is auto-selected on click.
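As an added illustration (not Authio's own code), this is the token lifecycle the paragraph above describes: issuance stores only the SHA-256 digest, plus an IP+UA binding and the 10-minute expiry, and redemption burns the row in the same step it reads it. The in-memory dict and the constructed sample values are assumptions standing in for the real token table.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TTL_SECONDS = 600  # 10-minute default TTL

# Constructed in-memory store standing in for the real token table (assumption).
_tokens: dict = {}


def _digest(token: bytes) -> str:
    return hashlib.sha256(token).hexdigest()


def _bind(ip: str, ua: str) -> str:
    # Bind the link to the requesting IP and User-Agent so a copy used
    # from a different client fails closed.
    return hashlib.sha256(f"{ip}\n{ua}".encode()).hexdigest()


def issue(destination: str, ip: str, ua: str, now: Optional[float] = None) -> str:
    """Mint a 32-byte random token; persist only its SHA-256 digest."""
    now = time.time() if now is None else now
    token = secrets.token_bytes(32)
    _tokens[_digest(token)] = {
        "destination": destination,
        "binding": _bind(ip, ua),
        "expires_at": now + TTL_SECONDS,
    }
    return token.hex()  # the value that goes into the emailed link


def redeem(token_hex: str, ip: str, ua: str, now: Optional[float] = None) -> Optional[str]:
    """Burn the token; return the destination on success, else None."""
    now = time.time() if now is None else now
    try:
        key = _digest(bytes.fromhex(token_hex))
    except ValueError:
        return None
    # pop() removes the row as it is read (a DELETE ... RETURNING in a real
    # database), so a second click, even a concurrent one, finds nothing.
    row = _tokens.pop(key, None)
    if row is None or now > row["expires_at"]:
        return None
    if not hmac.compare_digest(row["binding"], _bind(ip, ua)):
        return None  # binding mismatch also consumes the token
    return row["destination"]
```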

One-time codes

Email or SMS-delivered numeric codes for cross-device flows where magic links don’t fit (e.g. starting on mobile, finishing on desktop).

OAuth / social

Authio bundles Google, Microsoft, Apple, GitHub, Slack, LinkedIn, and GitLab out of the box. Each is a registry entry on the auth-core service; turning on a provider is just setting an env var with the upstream client credentials.

Enterprise SSO (SAML 2.0 + OIDC)

Per-organization connections. Configure them via the Admin Portal — the WorkOS-style flow where your customer’s IT admin clicks a one-time link, picks their IdP from a list (Okta, Entra, Google Workspace, Ping, OneLogin, JumpCloud, ADFS, Auth0, Keycloak, Rippling, generic SAML/OIDC) and pastes their metadata. No back-and-forth with your dev team.

Account recovery

When a user loses their passkey, Authio supports backup recovery passkeys, recovery email, and B2B admin-approval flows. The exact mix is per-project policy, configurable in the dashboard.

What we never do

  • Store password hashes — the table doesn’t exist.
  • Accept federated identities at face value. Even an OAuth IdP’s email claim is treated as unverified until we receive email_verified=true.
  • Store IdP private keys. SAML signing keys live in the customer’s IdP; Authio holds only the public certificate.