Passwords done right
bcrypt hashing with constant-time verification and a dummy-hash path that prevents email enumeration.
Sign users in with passwords, passkeys or MFA, and authorise machine access with scoped API keys. Multi-tenant from the first request, isolated in the database.
// Authenticate machine access with a scoped API key
const res = await fetch("https://api.kreo.work/api/rest/orders", {
headers: { "x-kreo-api-key": process.env.KREO_API_KEY! },
});
// Keys are stored only as SHA-256 hashes, can expire,
// and can be locked to specific CIDR ranges.bcrypt hashing with constant-time verification and a dummy-hash path that prevents email enumeration.
Passwordless sign-in with FaceID, TouchID, Windows Hello or a hardware security key via WebAuthn.
Optional TOTP second factor with a clean enrolment flow for every account.
Issue scoped keys for server-to-server access; revoke, expire or lock them to IP ranges.
Independent per-IP and per-account limits stop credential-stuffing and brute-force attacks.
Logins, key rotations and privileged actions recorded with IP and user agent.
Start free with 50,000 requests per month — no credit card required.