Auth Blueprints
Authentication, identity, and session management blueprints.
| Blueprint | Description | Version |
|---|---|---|
| Api Key Management | Create, rotate, revoke, and scope API keys for programmatic access | 1.0.0 |
| Biometric Auth | Palm vein biometric authentication — alternative to password login with enrollment of up to 2 palms per user | 1.0.0 |
| Broker User Access | User access management for back-office systems with screen-level and function-level security, role-based view/update permissions, dual-control verification, and audit trail of access changes | 1.0.0 |
| Cross Signing Verification | Three-key trust hierarchy for verifying devices and users. Master key signs self-signing and user-signing keys. All uploads are cryptographically validated before storage. | 1.0.0 |
| Device Attestation | TPM-backed device identity and per-call signed attestation — terminals prove their identity to the Payments Gateway on every request; rejected devices cannot transact | 1.0.0 |
| Device Management | Track all client sessions as named devices per user account. List, rename, and delete devices with cascading cleanup. Auto-purge devices inactive beyond retention period. | 1.0.0 |
| Disappearing Messages | Per-conversation timer that automatically deletes messages on all participant devices after a configurable duration, with the server assisting by propagating timer changes | 1.0.0 |
| E2e Key Exchange | Manages cryptographic key material for end-to-end encrypted messaging. Handles device key publication, one-time pre-key upload/claiming, and cross-server key queries. | 1.0.0 |
| Email Verification | Verify user email ownership via a one-time token link | 1.0.0 |
| Encrypted Profile Storage | Versioned, client-encrypted profile storage with avatar upload credential issuance and zero-knowledge profile key credential system | 1.0.0 |
| Identity Lookup | Bridge between user contact details (email, phone) and messaging identities via external identity servers. Enables invitations before account creation and contact binding. | 1.0.0 |
| Key Backup Recovery | Securely back up and restore end-to-end encryption session keys. Keys are client-encrypted before upload; server stores only opaque ciphertext with versioned etag tracking. | 1.0.0 |
| Ldap Authentication Sync | Directory service authentication and periodic synchronization that validates credentials against an LDAP/Active Directory server and keeps user profiles and group memberships current with the… | 1.0.0 |
| Login | Authenticate a user with email and password | 1.0.0 |
| Logout | End a user session and clear all authentication tokens | 1.0.0 |
| Magic Link Auth | Passwordless email login via single-use magic links | 1.0.0 |
| Multi Device Linking | Provisioning and management of linked devices on an existing account, allowing a user to register up to a configured maximum of secondary devices that share the account identity | 1.0.0 |
| Multi Factor Auth | Second-factor authentication via TOTP, SMS OTP, or backup codes | 1.0.0 |
| Multi Factor Authentication | TOTP-based second authentication factor using RFC 6238 time-based one-time passwords. Users enroll via QR code and submit 6-digit codes at login to verify possession of the registered… | 2.0.0 |
| Oauth Social Login | Social sign-in via OAuth2/OIDC with account linking and profile sync | 1.0.0 |
| Oauth Sso Providers | Configure OAuth2/SSO identity providers to enable single sign-on login for platform users | 1.0.0 |
| One Time Prekey Replenishment | Client-driven one-time pre-key pool monitoring and replenishment to ensure uninterrupted secure session establishment | 1.0.0 |
| Openid Connect Server | OAuth 2.0 and OpenID Connect identity provider with token issuance | 1.0.0 |
| Password Reset | Allow users to reset their password via email verification | 1.0.0 |
| Payload Auth | Full authentication system with JWT sessions, API keys, account locking, email verification, and custom strategies | 1.0.0 |
| Phone Number Registration | Phone number registration with SMS/voice verification sessions, push challenge, and captcha gating before account creation | 1.0.0 |
| Private Contact Discovery | Issue short-lived HMAC-derived credentials that authenticate clients with an external privacy-preserving contact discovery service without exposing plaintext contact lists to the server | 1.0.0 |
| Registration Lock Pin | Account registration lock using a user-set PIN backed by a secure value recovery service, protecting re-registration after SIM theft or device loss | 1.0.0 |
| Safety Number Verification | Contact identity verification via cryptographic fingerprints that detects when a contact’s identity key has changed, alerting users to potential key-change events | 1.0.0 |
| Saml 2 Identity Provider | SAML 2.0 identity provider with assertions and metadata | 1.0.0 |
| Saml Sso | SAML 2.0 identity provider integration enabling users to authenticate via a federated identity provider without maintaining local passwords. | 1.0.0 |
| Sealed Sender Delivery | Metadata-hidden message delivery that conceals the sender’s identity from the server using unidentified access keys or group send endorsement tokens | 1.0.0 |
| Session Management | Active session listing, device tracking, and session revocation | 1.0.0 |
| Session Management Revocation | Lifecycle management for authenticated user sessions including creation, activity-based expiry extension, idle timeout enforcement, and explicit revocation by users or administrators. | 1.0.0 |
| Signal Prekey Bundle | Upload and retrieval of pre-key bundles combining EC signed keys, one-time EC keys, and post-quantum KEM keys for establishing end-to-end encrypted sessions | 1.0.0 |
| Signup | Register a new user account with email and password | 1.0.0 |
| Single Sign On | Enterprise SSO via SAML 2.0 and OIDC with JIT provisioning | 1.0.0 |
| User Account Self Service | User self-service account and credential management | 1.0.0 |
| User Authentication Session Management | Authentication flows, session management, brute-force protection | 1.0.0 |
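The Private Contact Discovery blueprint above issues short-lived HMAC-derived credentials so a client can authenticate to an external contact discovery service without that service needing any account state. The following is an added example, not code from that blueprint, showing one way to implement both halves: the issuing side binds a user id and an expiry time into the username and derives the password as an HMAC over it with a key shared with the discovery service; the verifying side recomputes the MAC, checks expiry, and recovers the user id. The credential format (`<user id>:<expiry>`), the 24-hour lifetime, HMAC-SHA256 and the function names are assumptions.

```python
"""Added example: short-lived HMAC-derived service credentials.
Not code from this page's blueprints. Assumed format:
  username = "<user id>:<expiry unix time>"
  password = base64(HMAC-SHA256(shared_key, username))
The shared key is known to the issuing server and the discovery service only."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

CREDENTIAL_TTL = 24 * 3600  # assumed credential lifetime in seconds


def _password_for(shared_key: bytes, username: str) -> str:
    mac = hmac.new(shared_key, username.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_credential(shared_key: bytes, user_id: str, now: Optional[int] = None,
                     ttl: int = CREDENTIAL_TTL) -> Tuple[str, str]:
    """Issuing server: the expiry is inside the MAC, so the client cannot extend it."""
    now = int(time.time()) if now is None else now
    username = f"{user_id}:{now + ttl}"
    return username, _password_for(shared_key, username)


def verify_credential(shared_key: bytes, username: str, password: str,
                      now: Optional[int] = None) -> Optional[str]:
    """Discovery service: return the user id if the credential is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    user_id, sep, expiry = username.rpartition(":")
    if not sep or not user_id or not expiry.isdigit():
        return None
    if now >= int(expiry):
        return None
    if not hmac.compare_digest(_password_for(shared_key, username), password):
        return None
    return user_id


if __name__ == "__main__":
    key = b"example-shared-key-not-for-production"
    user, pw = issue_credential(key, "user-123")
    print(user, pw)
    print(verify_credential(key, user, pw))  # user-123
```

Because the service needs only the shared key, it keeps no per-user table and the credential carries no contact data; the MAC check happens before anything else so a forged or tampered username costs the service one HMAC and nothing more. Rotating the shared key invalidates every outstanding credential, so a real deployment would key the MAC by a key id carried alongside the username.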