Authentication Flow
This page explains how authentication works inside SecureAuth.
SecureAuth uses OTP-based login combined with JWT session management and encrypted session storage.

The SecureAuth authentication process is designed to provide:
- Secure login verification
- Session protection
- Device tracking
- OTP expiration handling
- Multi-device session support
The user provides a valid phone number.

Example request:

```http
POST /api/auth/send-otp
```

Example payload:

```json
{
  "phone": "+1234567890"
}
```

SecureAuth generates a secure one-time password.
Features:
- Randomized OTP generation
- Expiration timer
- Rate limiting protection
The OTP is sent securely through WhatsApp using TextSnap integration.
Delivery system:
- WhatsApp message delivery
- Secure transmission
- Delivery validation
The user submits the received OTP.

Request:

```http
POST /api/auth/verify-otp
```

Example payload:

```json
{
  "phone": "+1234567890",
  "otp": "123456"
}
```

After successful verification:
- JWT token generated
- Secure session created
- Device information stored
- Session linked to user
The session token is stored in a secure, HTTP-only cookie.

Benefits:
- Prevents JavaScript access to the token (`HttpOnly`)
- Limits the impact of XSS, since an injected script cannot read the token
- Keeps the token off the wire over plain HTTP (`Secure`)

Note that `HttpOnly` alone does not stop cross-site request forgery: pair the cookie with a `SameSite` attribute and a CSRF token on state-changing requests.
Authenticated users gain access to protected routes and features.
Protected features include:
- Authenticator management
- Session management
- Backup system
- Security settings
SecureAuth implements multiple security protections.
OTP codes automatically expire after a limited time.

Benefits:
- Narrows the window in which an intercepted code can be replayed (the code must also be invalidated on first use to rule replay out entirely)
- Reduces OTP abuse
Authentication endpoints are rate limited.
Protection against:
- Brute force attacks
- OTP spam requests
Every protected request validates the JWT token, and the session it references is re-checked on each request rather than trusted until expiry.
Includes:
- Device validation
- Session expiration checks
SecureAuth supports multiple active sessions.
Features:
- Device tracking
- Active session monitoring
- Remote session revocation
Users can revoke sessions remotely.

Example endpoint:

```http
DELETE /api/auth/sessions/:sessionId
```

Authentication endpoints:

```http
POST /api/auth/send-otp
POST /api/auth/verify-otp
GET /api/auth/me
POST /api/auth/logout
DELETE /api/auth/sessions/:sessionId
```

Authentication may fail for several reasons.
Example response (invalid OTP):

```json
{
  "error": "Invalid OTP"
}
```

Example response (expired OTP):

```json
{
  "error": "OTP expired"
}
```

Example response (rate limited):

```json
{
  "error": "Too many requests"
}
```

For maximum security:
- Use HTTPS only
- Enable strong rate limits
- Rotate secrets regularly
- Monitor authentication logs
- Revoke suspicious sessions
User
↓
Phone Number Input
↓
OTP Generation
↓
WhatsApp OTP Delivery
↓
OTP Verification
↓
JWT Session Creation
↓
Secure Cookie Storage
↓
Protected Dashboard Access