OAuth 2.0 + OpenID Connect
Full authorization code flow with PKCE, OIDC Discovery, RS256-signed ID tokens, token introspection and revocation, and a compliant UserInfo endpoint.
Self-hosted OAuth 2.0 / OpenID Connect platform on Cloudflare Workers. Zero servers, global edge.
GitHub, Google, Microsoft, Discord, Telegram, X, plus Generic OIDC and Generic OAuth 2 sources for any compliant provider. Multiple sources of the same type, sign-in via GPG clearsign, and per-source linking.
Multiple TOTP authenticators per account, passkeys (WebAuthn / FIDO2), GPG keys, and server-initiated step-up 2FA with sudo grace windows for sensitive actions.
Shared ownership of OAuth apps and verified domains. Roles, invites, transfer of ownership, and site-floor join requirements (2FA / verified email).
Cloudflare Turnstile, hCaptcha, reCAPTCHA v3, or a self-contained Rust→WASM proof-of-work — no third-party service required. Captcha can also gate 2FA confirmations.
Users register and manage their own OAuth apps. Apps can publish named permission scopes that other apps request via the standard consent screen.
User and admin webhooks, app event streams (Webhook / SSE / WebSocket), plus per-event email and Telegram notifications with a rule engine for fine-grained routing.
Opt-in `/u/
AES-GCM envelope encryption for reversible secrets (OAuth client secrets, captcha keys, SMTP/IMAP) and keyed HMAC-SHA256 hashing for bearer tokens — all rooted in a Cloudflare Secrets Store binding.
Cloudflare Workers + D1 + KV + R2. Server-side rendered React 19 SPA so logged-in users skip the loading flash. One `wrangler deploy` ships everything globally.