OWASP Top 10 · addressed3 lines to integrateRS256 JWT · liveSelf-hosted · no lock-in

Enterprise-grade auth.
Developer-speed
integration.

OWASP Top 10 addressed out of the box. Drop-in SDK for Next.js, React, and Python. Protect your entire app in under 5 minutes — bcrypt-12, RS256 JWTs, rate-limited auth endpoints, and TOTP MFA included.

Self-hosted on Vercel No per-MAU pricing Drop-in SDK Open source

OWASP

Top 10 covered

< 5 min

to first protected route

bcrypt-12

password hashing

0

per-MAU fees

Built on battle-tested infrastructure

Next.js 14SupabaseVercelbcrypt · 12 roundsRS256 JWTHMAC-SHA256otplib · TOTPReactFlowResendPython SDKNode.js SDK
Components

Pixel-perfect UIs,
embedded in minutes.

Pre-built, fully customizable components for every auth use case. Drop them in and own the experience.

<SignIn />Authentication

Sign in to Acme

or
<UserButton />Account Management
A
alice@acme.com
Manage account
Switch org
Sign out
<UserProfile />User Profile
Profile
Security
Sessions
User Authentication

Every auth method.
One unified SDK.

From email OTP to enterprise social OAuth — ship the auth methods your users expect without stitching together five different libraries.

Explore user auth

Email + Password

bcrypt rounds=12. Verified before sign-in.

Magic Link

Passwordless sign-in. Single-use, 15-min expiry.

Social OAuth

Google, GitHub, X, LinkedIn, Meta, Shopify.

TOTP / MFA

Authenticator app + 8 backup codes. AES-256 secret.

User Metadata

Public metadata on /me. Private metadata server-only.

Session Management

RS256 JWT + DB row validation on every request.

Audit Logs

Every auth event: IP, country, method, outcome.

Passkeys

WebAuthn / FIDO2. Coming soon.

OWASP Top 10 — 2021

Security isn't a feature.
It's the foundation.

Every OWASP Top 10 category is addressed in the platform — not as an afterthought, but baked into the core primitives your app relies on.

A01Broken Access Control

Per-route authMiddleware + JWT claims + DB session row validation on every /me request.

A02Cryptographic Failures

RS256 JWTs, bcrypt-12 passwords, AES-256-GCM for OAuth secrets, HMAC-SHA256 webhook signatures.

A03Injection

Supabase parameterized queries throughout. Input validated at every API boundary before DB access.

A04Insecure Design

Single-use handshake tokens (JTI burned), HMAC-signed OAuth state, timing-safe token comparison.

A05Security Misconfiguration

SameSite=Lax cookies, httpOnly session cookie, per-app CORS allowlist, no wildcard credentials.

A06Vulnerable Components

Minimal dependency surface. jose for JWT, bcryptjs, Node crypto only. No legacy auth libraries.

A07Auth & Identity Failures

Rate-limited sign-in (5/15 min per IP), OTP brute-force limit (5/15 min), timing-safe dummy bcrypt.

A08Data Integrity Failures

HMAC-SHA256 signed webhooks, HMAC-signed OAuth state — all payloads verified before trust.

A09Security Logging Failures

Every auth event logged: IP, country, provider, outcome, latency, risk level, application ID.

A10Server-Side Request Forgery

No user-controlled URLs in server fetches. Shopify provider validates shop domain format (SSRF guard).

bcrypt-12

Password hashing

RS256 JWT

Asymmetric signing

AES-256-GCM

OAuth secret encryption

HMAC-SHA256

Webhook + state signing

3-step integration

From zero to
fully protected app
in under 5 minutes.

Install once. Add one provider. One middleware line. Every route in your Next.js app is protected — with session management, org context, MFA, and OWASP-grade security included.

Step 01Install the SDK
1npm install @vaultix.ai/nextjs @vaultix.ai/react

Includes TypeScript types, React hooks, and server helpers.

Platform OAuth Connect

Auth once. Act everywhere.

Beyond social login — let your users grant your app permission to publish, read, and manage their accounts on X, Meta, Shopify, LinkedIn, and GitHub. One SDK call initiates the flow. Vaultix handles OAuth, scope negotiation, and returns a signed connect token your backend can trust.

  • X/Twitter, Meta, LinkedIn, Google, Shopify, GitHub
  • PKCE where required, Basic/Body auth per provider
  • Scope versioning — detect when a user's token is stale
  • Signed RS256 connect token returned to your backend
  • SSRF protection for tenant-specific providers (Shopify)
A feature no other auth platform offers

SDK · connectPlatform()

import { useVaultix } from "@vaultix.ai/react";

const { connectPlatform } = useVaultix();

// Connect X for posting
connectPlatform("x", {
  scopes: ["tweet.read","tweet.write","users.read"],
});

// Connect Shopify for a specific store
connectPlatform("shopify", {
  extraParams: { shop: "mystore.myshopify.com" },
  scopes: ["read_orders","write_products"],
});

X / Twitter

tweet.write

Meta

pages_manage

Shopify

write_products

Organization · Acme Corp

MemberRoleJoined
A
Alice Smith
ownerJan 2024
B
Bob Jones
adminMar 2024
C
Carol Wu
memberMay 2024
D
Dan Lee
viewerJun 2024
B2B Authentication

Multi-tenancy built in.
Not bolted on.

First-class Organizations with RBAC, invite flows, and org-scoped JWT claims. Your SaaS product can serve teams on day one.

  • Custom roles and permission sets per organization
  • Email invitation delivery — branded via Resend
  • Hosted /invite/accept page — zero setup for invitees
  • Org role embedded in every session JWT
  • Organization-level analytics and audit logs
  • Verified domains with auto-join (coming soon)
Webhooks · Live

Every auth event.
Delivered reliably.

Subscribe to auth events and receive real-time HTTP POST notifications. Every payload is signed with HMAC-SHA256 so your backend can verify authenticity without trusting the network.

  • auth.succeeded, user.created, session.revoked + more
  • HMAC-SHA256 signed with X-Vaultix-Signature header
  • Delivery history with status, HTTP response code, timestamps
  • Test endpoint button fires a live delivery instantly
  • Retry tracking with next_retry_at on failed deliveries

Verification · Node.js

import { createHmac, timingSafeEqual } from "crypto";

export function verifyWebhook(
  rawBody: string,
  sig: string,
  ts: string,
  secret: string,
): boolean {
  const expected = "v1=" + createHmac("sha256", secret)
    .update(`${ts}.${rawBody}`)
    .digest("hex");

  return timingSafeEqual(
    Buffer.from(sig),
    Buffer.from(expected),
  );
}
Visual Workflow Engine

Auth flows without code changes.

Drag-and-drop your auth journey. Simulate with synthetic users. See the path before you deploy.

Default Auth PolicyDraft
Auth Request
Risk Check
low
Grant Access
medium
OTP Challenge
Grant Access
critical
Block Access

Drag-and-drop builder

Build any auth journey visually. No code required.

Live simulation

Test with synthetic users before deploying.

Instant deploy

Push policy changes without redeploying your app.

Developer Experience

Ship in minutes,
not months.

Three files. One provider. Your entire Next.js app is protected with session management, org context, and typed user data.

  • TypeScript-first — fully typed React + Next.js SDK
  • Node.js SDK — Express, Fastify, Hono (@vaultix.ai/node)
  • Python SDK — FastAPI, Flask, plain Python (PyPI-ready)
  • React hooks: useAuth(), useOrganization()
  • updateUser() — profile, password, publicMetadata
  • Server-side helpers: auth(), currentUser(), protect()
  • Org invites send branded emails + hosted accept page
1import { authMiddleware } from "@vaultix.ai/nextjs";
2
3export default authMiddleware({
4 publicRoutes: ["/", "/pricing"],
5 signInUrl: "/sign-in",
6});
7
8export const config = {
9 matcher: ["/((?!_next|static|favicon).*)"],
10};

Works with everything

Your stack, our auth.

Official SDKs for Next.js, React, and Python. REST API for every other framework.

Next.js

@vaultix.ai/nextjs

React

@vaultix.ai/react

Express

@vaultix.ai/node

🚀

Fastify

@vaultix.ai/node

🔥

Hono

@vaultix.ai/node

🐍

FastAPI

vaultix (PyPI)

🌶️

Flask

vaultix (PyPI)

📱

React Native

💿

Remix

Astro

🔄

SvelteKit

💚

Nuxt

🐹

Go

🪄

Laravel

Pricing

Start free. Scale as you grow.

No per-MAU surprise bills. Pay for the plan, not the users.

Hobby

Free

For side projects and prototypes.

  • Unlimited applications
  • Email + password auth
  • Magic link (passwordless)
  • Social OAuth (6 providers)
  • Platform OAuth connect
  • TOTP authenticator MFA
  • Session management
  • Real-time analytics
  • Webhook delivery
  • Community support
Start building
Most popular

Pro

$25/mo

For production apps that need scale.

  • Everything in Hobby
  • Higher rate limits
  • Custom session lifetime
  • Remove Vaultix branding
  • Priority support
  • Org management API
  • Visual Workflow Engine
  • Audit log export
Start free trial

Business

$199/mo

For teams building B2B products.

  • Everything in Pro
  • Verified domain auto-join
  • Per-app OAuth credentials
  • Enterprise SSO (coming soon)
  • 10 dashboard seats
  • SOC 2 compliance
  • SLA: 99.9%
Start free trial

Enterprise

Custom

Compliance, SLA, and dedicated support.

  • Everything in Business
  • Self-hosted deployment
  • HIPAA & GDPR BAA
  • Dedicated Slack channel
  • SLA: 99.99%
  • Custom contract
  • Security review
Contact us

Pricing is indicative and subject to change before GA. Features marked "coming soon" are on the roadmap.

Get started today

OWASP-grade security.
5-minute integration.

Self-hosted on Vercel + Supabase. All 10 OWASP categories addressed. Drop-in SDKs for Next.js, React, and Python. No per-MAU fees. No vendor lock-in.

OWASP Top 10 covered bcrypt-12 + RS256 Self-hosted No per-MAU fees