Identity infrastructure for modern apps

Self-hosted OAuth2 / OIDC provider built for Docker and cloud architectures. Open source. Up in minutes.

AI-Native Management (MCP)

Manage users, roles, attributes, claim mappers, sessions, and audit logs from Claude, Cursor, or any MCP-compatible AI assistant. 25 tools across 8 domains — no SDK, no HTTP, just natural language. npx @kotauth/mcp to connect.

OAuth2 / OIDC Compliant

Authorization Code + PKCE, Client Credentials, token rotation, introspection, revocation, silent SSO (prompt=none), end-session logout, and OIDC Discovery. Any spec-compliant client library works without modification.

Magic-Link Passwordless

Email-based passwordless login with 15-minute one-time tokens and same-device cookie binding. MFA invariant preserved. Workspaces can go fully passwordless by disabling password login entirely.

Multi-Tenant with Key Rotation

Isolated user directories, per-tenant RS256 key pairs with admin-initiated rotation and JWT kid headers, independent security policies, and white-label auth pages. One instance, many products.

Backup & Restore

Export entire workspaces as encrypted archives (PBKDF2 with 600,000 iterations + AES-256-GCM) via the CLI or the admin API. Imports are validated for schema-version compatibility. Portable bkp1 envelope format.
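The passphrase-to-key step and the authenticated envelope behind a feature like this, as an added example that is not KotAuth's code: the real bkp1 byte layout is not documented on this page, so the "bkp1" || salt || nonce || ciphertext layout below, the 16-byte salt and the 12-byte nonce are assumptions; the 600,000-iteration PBKDF2 and AES-256-GCM are what the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kdf is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte block (all AES-256 needs), standard library only.
func kdf(passphrase, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}
// newGCM derives the AES-256 key with the 600,000 iterations the page states; a 32-byte key cannot fail either constructor.
func newGCM(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kdf([]byte(passphrase), salt, 600000))
	g, _ := cipher.NewGCM(block)
	return g
}
// Seal emits "bkp1" || salt(16) || nonce(12) || ciphertext || tag (assumed layout); the header is authenticated as AAD.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, 32)
	copy(hdr, "bkp1")
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	return newGCM(passphrase, hdr[4:20]).Seal(append([]byte(nil), hdr...), hdr[20:], plaintext, hdr), nil
}
// Open checks the envelope shape, then GCM authenticates header and ciphertext: wrong passphrase or a flipped byte is an error, never garbage.
func Open(passphrase string, env []byte) ([]byte, error) {
	if len(env) < 32+16 || string(env[:4]) != "bkp1" {
		return nil, errors.New("not a bkp1 envelope")
	}
	return newGCM(passphrase, env[4:20]).Open(nil, env[20:32], env[32:], env[:32])
}
```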

Admin Impersonation

Act as any user for debugging and support. RFC 8693 act claim for audit attribution, dual-session model, and cascade revocation. Full audit trail of all impersonation events.

Security by Default

bcrypt hashing, AES-256-GCM at rest, HIBP breach detection, signing key rotation, account lockout, Redis-backed rate limiting, strict CSP with SRI, PKCE enforcement, and password policies with history and expiry.

Docker Native & Developer-First

~120 MB image, Flyway auto-migrations, built-in CLI tools. 40+ REST API endpoints with OpenAPI 3.1 and bundled Swagger UI. RBAC with composite inheritance, i18n, and HMAC-signed webhooks for 8 event types.