Security Features

Multiple layers of defense protecting your authentication infrastructure.

Defense Layers

HMAC-SHA256 Signatures

Every API request is signed with HMAC-SHA256 using your client secret, computed over a timestamp and the request body. The server recomputes and verifies the signature before processing, which prevents request tampering; because the timestamp is part of the signed payload, the server can also reject stale requests, which limits replay.

Two-Factor Authentication

TOTP-based 2FA (RFC 6238) with QR code setup. Backup recovery codes are issued during enrollment. Works with standard authenticator apps, including Google Authenticator and Authy.
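As an added example (not code from this page or the service), the TOTP computation both the authenticator app and the server perform, plus a server-side check. The one-step clock tolerance and the replay guard on the last accepted step are design choices assumed here; the page does not state the server's values.

```php
<?php
// Added example, not the project's own code: RFC 6238 TOTP generation and a
// server-side verification routine. The +/-1 step tolerance and the "last used
// step" replay guard are assumptions, not documented behaviour of the service.
declare(strict_types=1);

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $mac    = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($mac[19]) & 0x0f;
    $code   = ((ord($mac[$offset]) & 0x7f) << 24)
            | (ord($mac[$offset + 1]) << 16)
            | (ord($mac[$offset + 2]) << 8)
            |  ord($mac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps. */
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

/**
 * Server-side check. Accepts the current step and its neighbours (clock skew),
 * compares in constant time, and refuses any step at or before the last one
 * already consumed, so a code captured by an attacker cannot be replayed
 * inside its 30-second window. Returns the accepted step number, or null.
 */
function verifyTotp(string $secret, string $submitted, int $unixTime, int $lastUsedStep, int $window = 1): ?int
{
    $current = intdiv($unixTime, 30);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $step = $current + $delta;
        if ($step <= $lastUsedStep) {
            continue;
        }
        if (hash_equals(totp($secret, $step * 30), $submitted)) {
            return $step;
        }
    }
    return null;
}

// Sanity check against the RFC 6238 Appendix B test vector (secret "12345678901234567890",
// T=59 gives 94287082 with 8 digits); this is the only fixed value in the demo.
if (totp('12345678901234567890', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP implementation does not match RFC 6238 test vector');
}

// Enrolment: a fresh random secret (the QR code would carry it base32-encoded; not shown).
$secret = random_bytes(20);
$now    = 1710072000;              // constructed "current" time for the demo
$code   = totp($secret, $now);     // what the user's authenticator app would display

// A fresh code submitted 20 seconds later should be accepted and return its step.
$step = verifyTotp($secret, $code, $now + 20, -1);
if ($step === null) {
    throw new RuntimeException('fresh code was not accepted');
}
// The same code submitted again after acceptance must be refused (replay guard).
var_dump(verifyTotp($secret, $code, $now + 25, $step) === null);
// A wrong code must be refused.
var_dump(verifyTotp($secret, '000000', $now, -1) === null);
```

The replay guard is the part most implementations forget: with a one-step tolerance the same code stays valid for up to 90 seconds, so persisting the last accepted step per user is what stops a shoulder-surfed or phished code from being reused.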

Rate Limiting

Granular per-endpoint throttling: 10 req/min for authentication, 100 req/min for token validation, 50 req/min for user management. Exceeding a limit returns HTTP 429 Too Many Requests with a retry header indicating when the client may try again.

Account Lockout

After 5 consecutive failed login attempts, the account is locked for 30 minutes. Admins can manually unlock accounts from the dashboard. Note that lockout is also a denial-of-service lever: anyone who knows a username can lock that user out by submitting five wrong passwords, so lockout events should be monitored rather than treated as purely defensive.

reCAPTCHA v3

Google reCAPTCHA v3 integration on login forms scores each attempt for likely automation, so credential-stuffing traffic can be rejected without adding friction for legitimate users. Because v3 returns a score rather than a pass/fail challenge, the threshold at which attempts are rejected must be chosen and tuned on the server side.

IP Whitelisting

Client application IPs must be pre-registered. Requests from unregistered IPs are rejected before reaching the authentication layer.

JWT Token Structure

Tokens are signed with HMAC-SHA256 (the HS256 JWT algorithm) and carry the following claims in their payload. In this example the token expires one hour after issuance (exp minus iat is 3600 seconds):

{
  "sub": 42,
  "email": "[email protected]",
  "role": "user",
  "client_id": "customer-portal",
  "iat": 1710072000,
  "exp": 1710075600,
  "security": {
    "2fa_verified": true,
    "ip": "192.168.1.10"
  }
}
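As an added example (not the service's own code), the checks a consuming application should perform on one of these tokens before trusting its claims, written without a JWT library so each step is visible. The signing key, the evaluation time and the email address are constructed for the demo; the claim names and remaining values are the ones shown above.

```php
<?php
// Added example, not the project's own code: issue and validate an HS256 JWT
// with the claim set documented above. Key, email and "now" are constructed.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): ?string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    return $out === false ? null : $out;
}

/** Builds a token from the page's claim set; used only to produce test input here. */
function issueToken(array $claims, string $key): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'], JSON_THROW_ON_ERROR));
    $payload = base64UrlEncode(json_encode($claims, JSON_THROW_ON_ERROR));
    $sig     = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

/**
 * Validates a token and returns its claims, or throws with a reason.
 * Order matters: pin the algorithm first, verify the signature second, and only
 * then read claims such as exp and client_id from the now-trusted payload.
 */
function validateToken(string $jwt, string $key, string $expectedClientId, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;

    // Never let the header choose the algorithm: accepting "none" or a
    // public-key algorithm with an HMAC key is the classic JWT confusion bug.
    $header = json_decode((string) base64UrlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');
    }

    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    $given    = base64UrlDecode($s);
    if ($given === null || !hash_equals($expected, $given)) {
        throw new RuntimeException('bad signature');
    }

    $claims = json_decode((string) base64UrlDecode($p), true);
    if (!is_array($claims)) {
        throw new RuntimeException('malformed claims');
    }
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new RuntimeException('token expired');
    }
    if (($claims['client_id'] ?? null) !== $expectedClientId) {
        throw new RuntimeException('token issued for another client');
    }
    return $claims;
}

$key    = 'example-signing-key-do-not-use';   // constructed
$claims = [
    'sub' => 42, 'email' => 'user@example.com', 'role' => 'user',   // email constructed
    'client_id' => 'customer-portal', 'iat' => 1710072000, 'exp' => 1710075600,
    'security' => ['2fa_verified' => true, 'ip' => '192.168.1.10'],
];
$token = issueToken($claims, $key);

// A valid token evaluated one minute after issuance yields the claims.
$ok = validateToken($token, $key, 'customer-portal', 1710072060);
echo "role={$ok['role']} 2fa=", var_export($ok['security']['2fa_verified'], true), "\n";

// Each of these must be rejected: evaluated at exp, wrong client_id, wrong key.
foreach ([
    fn() => validateToken($token, $key, 'customer-portal', 1710075600),
    fn() => validateToken($token, $key, 'other-app', 1710072060),
    fn() => validateToken($token, 'wrong-key', 'customer-portal', 1710072060),
] as $attempt) {
    try {
        $attempt();
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Two things the routine deliberately does not decide for you: whether to compare the `security.ip` claim against the connecting address (only meaningful if the token is never used through a proxy that rewrites source IPs), and whether `2fa_verified` should be required for the operation being authorised. Both are policy checks that belong in the caller, after the token itself has been proven authentic.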

HMAC Signature Generation

Calculate the signature using your client secret over the current Unix timestamp and the request body, joined with a dot. The body you send on the wire must be byte-for-byte the string you signed; re-encoding the data after signing will produce a different signature.

PHP example
$body      = json_encode($requestData);
$timestamp = time();
$payload   = $timestamp . '.' . $body;   // "<unix seconds>.<json body>"
$signature = hash_hmac('sha256', $payload, $clientSecret);

// Send $body as the request body, with headers:
// X-Signature: sha256=$signature
// X-Timestamp: $timestamp
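As an added example (not code from this page or the service), the client-side signing routine above paired with the server-side check it implies, covering both the tampering and the replay protection described under Defense Layers. The page documents only the client side; the freshness window, the header parsing and the failure reasons are assumptions about how a verifier would be written.

```php
<?php
// Added example, not the project's own code: sign a request exactly as the
// page describes, then verify it the way a server would. SIGNATURE_MAX_AGE and
// the failure reasons are assumptions; only the header names and the
// "<timestamp>.<body>" payload layout come from the page.
declare(strict_types=1);

const SIGNATURE_MAX_AGE = 300; // seconds of clock skew / transit time tolerated (assumed)

/** Client side: sign the body and return the exact bytes and headers to send. */
function signRequest(array $requestData, string $clientSecret, ?int $timestamp = null): array
{
    $body      = json_encode($requestData, JSON_THROW_ON_ERROR);
    $timestamp = $timestamp ?? time();
    $signature = hash_hmac('sha256', $timestamp . '.' . $body, $clientSecret);

    return [
        'body'    => $body,   // send this string unchanged; re-encoding breaks the signature
        'headers' => [
            'X-Signature' => 'sha256=' . $signature,
            'X-Timestamp' => (string) $timestamp,
        ],
    ];
}

/**
 * Server side: verify over the raw received body. Returns null when the request
 * is accepted, otherwise a short reason.
 */
function verifyRequest(string $rawBody, array $headers, string $clientSecret, ?int $now = null): ?string
{
    $now       = $now ?? time();
    $sigHeader = $headers['X-Signature'] ?? '';
    $tsHeader  = $headers['X-Timestamp'] ?? '';

    // Reject anything that is not "sha256=<64 lowercase hex>" before doing any work.
    if (!preg_match('/^sha256=([0-9a-f]{64})\z/', $sigHeader, $m)) {
        return 'malformed signature header';
    }
    if (!preg_match('/^\d{1,12}\z/', $tsHeader)) {
        return 'malformed timestamp header';
    }
    $timestamp = (int) $tsHeader;

    // Freshness check: this is what turns the signed timestamp into replay resistance.
    if (abs($now - $timestamp) > SIGNATURE_MAX_AGE) {
        return 'stale timestamp';
    }

    // Recompute over the raw bytes received, never over a re-serialised array.
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $clientSecret);

    // Constant-time comparison; a plain === leaks timing information about the match.
    if (!hash_equals($expected, $m[1])) {
        return 'signature mismatch';
    }
    return null;
}

// Demonstration with a constructed secret and body.
$secret = 'example-client-secret-do-not-use';
$signed = signRequest(['username' => 'alice', 'client_id' => 'customer-portal'], $secret, 1710072000);

// Fresh request, 10 seconds after signing: should be accepted.
var_dump(verifyRequest($signed['body'], $signed['headers'], $secret, 1710072010));

// Same request replayed well outside the window: should be refused as stale.
var_dump(verifyRequest($signed['body'], $signed['headers'], $secret, 1710080000));

// Body altered in transit with the original headers: should fail the signature check.
$tampered = str_replace('alice', 'admin', $signed['body']);
var_dump(verifyRequest($tampered, $signed['headers'], $secret, 1710072010));
```

The freshness window only bounds replay; a captured request can still be resubmitted within those seconds. If an endpoint is not idempotent, the server should additionally remember (timestamp, signature) pairs for the length of the window and refuse duplicates.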

Audit Logging

Every authentication event is logged with full context:

Field            Description
user_id          Authenticated user identifier
ip_address       Client IP address
user_agent       Browser / device identifier
action           One of: login, logout, failed_login, lockout
client_system    Originating application
timestamp        ISO 8601 event timestamp
geo_location     Approximate location derived from the IP address

Security Best Practices

Enforce HTTPS — never transmit tokens or client secrets over plain HTTP in production.
Rotate secrets — change client secrets at least every 90 days, and immediately if one may have been exposed.
Enable 2FA — require two-factor authentication for all admin accounts.
Monitor audit logs — set up alerts for unusual login patterns (bursts of failed_login events, logins from new locations) and for lockout events.
Validate signatures — always verify the HMAC signature on webhook payloads, using a constant-time comparison such as hash_equals in PHP.
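As an added example (not the service's own tooling) of the "monitor audit logs" advice, a small detector run over events in the field layout documented under Audit Logging. The log lines are constructed, the JSON-lines encoding is an assumption, and the thresholds (five failures from one IP against three or more accounts inside 60 seconds, any lockout, any login from a location not previously seen for that user) are starting points to tune, not values from the page.

```php
<?php
// Added example, not the project's own code: alerting rules over audit events.
// The events below are constructed; the JSON-lines layout and thresholds are assumptions.
declare(strict_types=1);

const AUDIT_LOG = <<<'LOG'
{"timestamp":"2024-03-10T12:00:01Z","action":"failed_login","user_id":"alice","ip_address":"203.0.113.7","user_agent":"curl/8.4","client_system":"customer-portal","geo_location":"NL"}
{"timestamp":"2024-03-10T12:00:03Z","action":"failed_login","user_id":"bob","ip_address":"203.0.113.7","user_agent":"curl/8.4","client_system":"customer-portal","geo_location":"NL"}
{"timestamp":"2024-03-10T12:00:04Z","action":"failed_login","user_id":"carol","ip_address":"203.0.113.7","user_agent":"curl/8.4","client_system":"customer-portal","geo_location":"NL"}
{"timestamp":"2024-03-10T12:00:06Z","action":"failed_login","user_id":"dave","ip_address":"203.0.113.7","user_agent":"curl/8.4","client_system":"customer-portal","geo_location":"NL"}
{"timestamp":"2024-03-10T12:00:08Z","action":"failed_login","user_id":"erin","ip_address":"203.0.113.7","user_agent":"curl/8.4","client_system":"customer-portal","geo_location":"NL"}
{"timestamp":"2024-03-10T12:01:00Z","action":"login","user_id":"alice","ip_address":"198.51.100.20","user_agent":"Mozilla/5.0","client_system":"customer-portal","geo_location":"DE"}
{"timestamp":"2024-03-10T12:05:00Z","action":"lockout","user_id":"frank","ip_address":"192.0.2.99","user_agent":"Mozilla/5.0","client_system":"admin-console","geo_location":"US"}
{"timestamp":"2024-03-10T14:00:00Z","action":"login","user_id":"alice","ip_address":"192.0.2.50","user_agent":"Mozilla/5.0","client_system":"customer-portal","geo_location":"BR"}
LOG;

/** Parse one JSON object per line, attach a Unix timestamp, and order by time. */
function parseAuditLog(string $raw): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        $e       = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        $e['ts'] = (new DateTimeImmutable($e['timestamp']))->getTimestamp();
        $events[] = $e;
    }
    usort($events, fn($a, $b) => $a['ts'] <=> $b['ts']);
    return $events;
}

/** Returns one alert string per detection, in event order. */
function detectAnomalies(array $events, int $window = 60, int $threshold = 5, int $minUsers = 3): array
{
    $alerts   = [];
    $recent   = [];   // ip => list of [ts, user_id] for failed logins inside the window
    $flagged  = [];   // ips already reported, so a long password spray yields one alert
    $knownGeo = [];   // user_id => set of geo_locations seen on successful logins

    foreach ($events as $e) {
        $ip   = $e['ip_address'];
        $user = $e['user_id'];

        switch ($e['action']) {
            case 'lockout':
                // Every lockout is worth a look: either an attack or a user being denied service.
                $alerts[] = "{$e['timestamp']} LOCKOUT user={$user} ip={$ip} client={$e['client_system']}";
                break;

            case 'failed_login':
                // Sliding window per source IP; many distinct accounts from one IP is stuffing,
                // many failures against one account is covered by the lockout rule instead.
                $recent[$ip][] = [$e['ts'], $user];
                $recent[$ip]   = array_values(array_filter(
                    $recent[$ip],
                    fn($r) => $e['ts'] - $r[0] <= $window
                ));
                $users = array_unique(array_column($recent[$ip], 1));
                if (!isset($flagged[$ip]) && count($recent[$ip]) >= $threshold && count($users) >= $minUsers) {
                    $flagged[$ip] = true;
                    $alerts[] = "{$e['timestamp']} CREDENTIAL_STUFFING ip={$ip} failures="
                        . count($recent[$ip]) . ' accounts=' . count($users);
                }
                break;

            case 'login':
                // First successful login sets the baseline; later logins from a new
                // geo_location are flagged but also learned, so the alert fires once per location.
                $geo = $e['geo_location'];
                if (isset($knownGeo[$user]) && !isset($knownGeo[$user][$geo])) {
                    $alerts[] = "{$e['timestamp']} NEW_GEO user={$user} geo={$geo} previously="
                        . implode(',', array_keys($knownGeo[$user]));
                }
                $knownGeo[$user][$geo] = true;
                break;
        }
    }
    return $alerts;
}

foreach (detectAnomalies(parseAuditLog(AUDIT_LOG)) as $alert) {
    echo $alert, "\n";
}
```

Run against the constructed log, the stuffing rule fires on the fifth failure from 203.0.113.7, the lockout of frank is reported, and alice's login from BR is flagged because her only previous location was DE. In production the geo baseline would be persisted per user rather than rebuilt from a single batch, and the reCAPTCHA score and rate-limit 429s, if they are logged, make good additional inputs to the same detector.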