Passport is the identity layer for modern apps — login, MFA, sessions, SSO, and org management behind one API. Issue your first token in five minutes and hand the breach liability to a team that does nothing else.
The identity layer behind teams that can't afford a leaked password
Stop wiring together a password hasher, an email provider, a TOTP library, and a half-finished SSO flow. Passport ships the entire identity surface so your roadmap goes back to being about your product.
Email-and-password, magic links, passkeys, and 30+ social and enterprise providers behind one consistent flow. Argon2id hashing, every signup screened against billions of leaked credentials, and a hosted login page you can theme to pixel parity — or rebuild headless against the API.
TOTP, SMS, email codes, and WebAuthn passkeys with adaptive step-up — challenge the risky login, wave through the one from a known device on a known network.
Rotating refresh tokens, httpOnly cookies, per-device tracking, and instant revocation. Kill a stolen session across every device in a single call.
SAML and OIDC for any customer's IdP — Okta, Entra, Google Workspace — configured in an afternoon instead of a six-week integration project.
Multi-tenant orgs, roles, invites, and a fine-grained permission model, so your B2B customers run their own teams without filing a ticket against your engineers.
Numbers that hold up under load
Typed end to end, idempotent by default, and documented like a product. The integration that used to eat a sprint now fits between standup and lunch.
Drop in an SDK, paste two keys, and your first user signs up. The hosted flow renders the screens; the API handles tokens, hashing, and rotation.
First-class libraries for TypeScript, Python, Go, Ruby, and Rust — fully typed, with framework adapters for Next.js, Express, and FastAPI.
Plain OAuth 2.1 and OpenID Connect under the hood. Verify JWTs against our JWKS yourself, or export every user and credential the day you decide to leave.
Guaranteed-delivery events for every signup, login, and revocation — signed payloads, exponential-backoff retries, and a replay console for the ones you missed.
Most auth breaches aren't exotic — they're the same handful of failures shipped by a team that builds login once and never revisits it. Passport closes them by default, patched the moment the technique changes, not the next time you remember to look.
Every signup and reset is checked against 11B+ leaked passwords, and brute-force attempts hit per-IP and per-account rate limits before they reach your database.
A login from a new device, country, or impossible-travel path triggers step-up automatically. The attacker has the password; they still can't get in.
Refresh tokens rotate on every use and a replayed token invalidates the chain, so a stolen cookie is dead the moment the real user comes back.
Passkeys are cryptographically bound to your origin — a credential phished on a look-alike domain is mathematically useless to the attacker.
Fine-grained roles and short-lived, audience-scoped tokens mean a compromised low-privilege session can't quietly become an admin one.
Every auth event — login, grant, revocation, role change — lands in a tamper-evident log you can hand straight to an assessor or a forensics team.
“We deleted 14,000 lines of auth code and shipped enterprise SSO in a single afternoon. The first customer who asked for SAML had it the same day instead of next quarter.”
“Our security review used to stall every enterprise deal. Now we hand over Passport's SOC 2 report and the audit checklist closes itself. It unblocked two seven-figure contracts in a quarter.”
“A reused password got flagged and adaptive MFA stopped the takeover before it touched a single account. That one catch paid for the whole platform on day one.”
No charge for the users who never come back. You pay for monthly active users, and enterprise SSO is never paywalled behind a sales call that hides the number.
For prototypes and early products finding their footing.
For products with real users and real customers.
For regulated, high-volume, multi-region platforms.
Most teams have signup, login, and MFA working in well under an hour using a typed SDK and the hosted login page. Enterprise SSO for a specific customer is typically live the same day — you configure their IdP, you don't rebuild your stack.
Both directions, with zero downtime. Our importer ingests users and password hashes from Auth0, Cognito, Firebase, or your own database without forcing a reset, and you can export every user and credential at any time. No walled garden.
Passport is SOC 2 Type II and ISO 27001 certified, supports HIPAA BAAs and immutable audit logs, and offers data residency by region. We hand auditors a report instead of a maybe.
Your choice. Use the hosted Universal Login for the fastest, safest path, or build entirely against the API and SDKs for pixel-perfect control. You can start hosted and go headless later without re-platforming.
We run a 99.99% uptime SLA across multiple regions with automatic failover, and tokens validate at the edge against cached JWKS, so verification keeps working through transient blips. Status and incident history are public.
Yes — WebAuthn passkeys are first-class, alongside magic links and email or SMS codes. Go fully passwordless or offer it as one option, with the same session and MFA primitives underneath either way.
Create a project, grab two keys, and authenticate your first user before this tab goes stale. No sales call required to start building.