Authentication

Auth and API keys, secure by default

Sign users in with passwords, passkeys or MFA, and authorise machine access with scoped API keys. Multi-tenant from the first request, isolated in the database.

  • Email + password with bcrypt hashing
  • Passkeys (WebAuthn) and TOTP MFA
  • API keys, hashed and IP-allowlisted
  • Per-IP & per-account brute-force protection
auth.ts
// Authenticate machine access with a scoped API key
const res = await fetch("https://api.kreo.work/api/rest/orders", {
  headers: { "x-kreo-api-key": process.env.KREO_API_KEY! },
});

// Keys are stored only as SHA-256 hashes, can expire,
// and can be locked to specific CIDR ranges.
bcrypt · 12Password hashing rounds
WebAuthnPasskeys supported
AES-256-GCMSecrets encrypted at rest
Capabilities

Everything included

Passwords done right

bcrypt hashing with constant-time verification and a dummy-hash path that prevents email enumeration.

Passkeys

Passwordless sign-in with FaceID, TouchID, Windows Hello or a hardware security key via WebAuthn.

Multi-factor auth

Optional TOTP second factor with a clean enrolment flow for every account.

API keys

Issue scoped keys for server-to-server access; revoke, expire or lock them to IP ranges.

Rate limiting

Independent per-IP and per-account limits stop credential-stuffing and brute-force attacks.

Audit logging

Logins, key rotations and privileged actions recorded with IP and user agent.

Secure your app from day one

Start free with 50,000 requests per month — no credit card required.