A robust identity solution relies must be build on a solid foundation.

The architecture of is characterized by scalability and flexibility. It is a cloud native design ready to scale out and prepared for future use cases.

Federation layer

A major architectural component is the federation layer. This layer provides single sign-on and token verification capabilities.

The federation layer supports OAuth 2.0, OpenID Connect 1.0 and SAML 2.0. is not simply a wrapper around a few federation protocols but has abstracted away from individual protocols. Since the core of this layer has abstracted away from these protocols, support for future and legacy protocols can be easily introduced.

Authentication Tree

How and when to authenticate depends on your organization its policies, user preferences and context.

While historically it was sufficient to authenticate users with username and password verification, nowadays two-factor authentication is the de facto standard. In fact, more and more organizations are moving towards passwordless authentication. For example with FIDO.

Constantly changing requirements demand a flexible authentication framework. The solution allows chaining authentication modules together in order to provide an adaptive authentication experience. Enforcing security controls and providing the best user experience.

UI Server

From big idaas providers like Auth0 and Okta, differentiates by having decoupled the user interfacing from the identity server. This technical solution provides you with full control over your user experience. Far beyond competitors offer. Not by writing platform-specific scripts or deep technical knowledge about authentication protocols, but merely by using client-side technologies as html and javascripts (no DNS changes or server side scripting required).

Another benefit is that this method allows you to use your own domain names. Without the need for registering extra DNS records.

It is possible to log in with the default login screen, your own UI server or via a popup.

Serverless for user scripting

It should be preferred to use out-of-the-box functionalities from off-the-shelf software. But a toolbox should not restrict your organization in providing value to your customers. allows plugging in scripts into the authentication flow.


Each authentication module maintains its own session storage. This allows differentiating how long each authentication result should get rememebered.

Each module allows configuring wether to remember its result in a session, a cookie, or not at all.


An access token is a JWT. Yet, can still be used as regular OAuth access tokens. You can introspect and revoke these tokens.