— 01
Composable steps
Each method is a typed step: email, password, passkey, OTP, SSO redirect, social, device flow. Snap them together.
Login is a graph,
not a checkbox.
Compose login, signup, MFA, recovery, and step-up from typed building blocks. Branded, hosted, and reroutable without a deploy.
STORYBOARD ·
loginsignuprecoverystep-up
graph · 4 steps · 2 branches1IDENTIFY
Email or passkey
Email
val@acme.com
⌬Sign in with passkey
GGoogle · Workspace
Continue →
2VERIFY
Magic code · 6 digit
Sent to val@acme.com
4921·
resend in 0:43
3CHALLENGE
MFA · TOTP
Authenticator app
⏱1Password · 30s
28471·
Verify →
4SESSION
Issued · 7d
✓
→app.acme.com
BRANCH ON →passkey · skip 2,3enterprise · IdP redirectunknown device · step-upp99 latency 240ms
The model
A flow is a graph of steps, not a checkbox.
Most auth tools give you a switchboard: passkeys on/off, MFA required/not. Authaz lets you describe the actual journey — what you ask for, when, in what order, with what fallbacks.
— 02
Conditional branches
Branch on org, role, risk score, IP, geo, time-of-day. Different paths for different users — same definition.
— 03
Versioned, reroutable
Flows are deployed independently from your app. Roll out a new login experience without shipping code.
Recipes
Six flows, ready to fork.
Start from a real-world flow that matches your model. Tune the steps, ship in an afternoon.
B2B
Magic link → org match → SSO
Email-first sign in. We detect the user's org by domain, route SSO buyers to their IdP, and email-link everyone else.
email→org→sso?→session
CONSUMER
Passkey-first signup
New users create a passkey before they create a password. Falls back to OTP for unsupported devices.
email→passkey→session
B2B+MFA
Password + step-up TOTP
Standard password login, then step up to TOTP for sensitive actions like billing or member changes. No always-on friction.
password→session→step-up?→totp
RECOVERY
Lost device → trusted contact
When a user can't access their MFA, route to a verified contact in their org instead of opening a support ticket.
email→contact→verify→reset
INVITE
Invite link → set passkey → in
Invitee clicks the link, sets a passkey, lands in the org. No "create an account" detour.
invite→passkey→session
API
CLI device flow
For terminals, IDEs, and headless tools. We mint a code; the user approves in a browser.
device-code→browser→poll→token
What you get
The whole login experience, modeled.
— 01
Every method, behind one interface.
Passkeys, magic links, passwords, OTP, social, SSO, device flow, API keys. Add or remove methods without rewriting the flow.
- WebAuthn passkeys · device-bound
- breach-checked passwords (argon2id)
- TOTP · SMS · push
Passkey
Magic link
Password
OTP · SMS / TOTP
Social
SSO
Device flow
API key
— 02
A composer, not a config screen.
Branch, loop, step-up, fall back. Visualize the whole flow. Catch dead-ends before users do.
- typed steps with autocomplete
- simulator for every branch
- A/B test two flows live
START
email
CHECK
org.has_sso?
VERIFY
passkey
REDIRECT
idp.azure
END
issue session
— 03
Branded — top to bottom.
Hosted at auth.your-domain.com. Logo, colors, type, copy — all yours. Or embed our React SDK and own every pixel.
- CNAME setup in one DNS record
- theme tokens · CSS escape hatch
- localized for 38 languages
A
Sign in to Acme
Use your work email
val@acme.com
Continue →
or
Passkey
Google
powered by authaz
API
Flows as code.
Define them in TypeScript next to your app, or in our dashboard. Either way, they're versioned, diffable, and rollbackable.
flows.config.tsdeclarative
export const login = flow({
start: "email",
steps: [
email(),
branch("org.has_sso", {
true: redirect("sso"),
false: passkey({ fallback: "magic_link" }),
}),
stepUp("sensitive_routes", "totp"),
issue("session", { ttl: "12h" }),
],
});
Spec
The fine print, up front.
Methods
passkey · magic link · password · OTP · TOTP · SMS · social · SSO · device-flow · API key
Step-up
per-route · per-action · risk-driven
Conditions
org · role · IP · geo · risk score · time · custom
Hosting
hosted at your subdomain · or embedded React SDK
Sessions
edge-issued · 250ms p99 · revokable per device
Localization
38 languages · custom strings · RTL
Rollouts
versioned · A/B tested · instant rollback
Telemetry
funnels · drop-off per step · exports to your analytics
Pairs with
One platform. Every primitive.
Every Authaz product shares the same primitives — sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.
01 · MULTI-FACTOR AUTHENTICATION
Multi-factor Authentication
MFA support with TOTP and communication-based factors.
Read more →
02 · CUSTOM DOMAINS & BRANDING
Custom Domains & Branding
Keep authentication aligned with your product identity.
Read more →
03 · ENTERPRISE SSO
Enterprise SSO
SAML SSO with IdP- and SP-initiated flows.
Read more →
Get started
Stop hard-coding your login screen.
Compose the flow, brand the surface, ship without a deploy.