
Identity Management Done Right
A complete identity platform with OIDC-based single sign-on (SSO), passwordless authentication (passkeys, OTP, magic links, QR code login), OAuth 2.0 / OpenID Connect authorization server with DPoP and Device Authorization Grant, multi-channel verification, social login (Google, GitHub, Microsoft, Amazon, LinkedIn, X), per-client login configuration, back-channel logout, API key management, a 100-tool MCP server with AI agent chat, license system with feature flags, runtime configuration, and multi-tenant lifecycle management. Built on .NET 10 and Next.js 16.
POST /auth/login
Authenticating user credentials...
2FA required — challenge token issued
POST /auth/2fa/verify
JWT token issued
access_token: eyJhbGc...
refresh_token: •••••••
Authentication successful
Role-based access granted
Complete Identity Solution
Everything you need for enterprise authentication and authorization, from passkeys and multi-channel auth to webhook integrations.
JWT Authentication
12 signing algorithms across HMAC, RSA, RSA-PSS, and ECDSA families with JWKS endpoint, key rotation, rotating refresh tokens, and IP tracking for audit trails.
External OAuth Login
Sign in with Google, GitHub, Microsoft, Amazon, LinkedIn, and X. Auto-registration, account linking, 2FA enforcement, and auto tenant-admin provisioning.
OAuth 2.0 / OIDC Server
OAuth 2.0-compliant authorization server with PKCE, DPoP, Device Authorization Grant, consent flows, custom claims, token introspection, revocation, session management, and OpenID Connect Discovery.
Two-Factor Auth
TOTP authenticator apps, SMS codes, WhatsApp codes, email codes, and recovery codes. QR code generation for easy setup.
Multi-Tenant
Four-state tenant lifecycle (Pending, Active, Suspended, Disabled) with data isolation, account approval, and admin-gated access.
Webhook Events
65 event types with HMAC-SHA256 signing, exponential backoff retries, and delivery tracking.
Single Sign-On (SSO)
OIDC-based SSO with session tracking (sid, auth_time), max_age re-authentication, and back-channel logout across all client applications.
Passkey / WebAuthn
FIDO2 passwordless authentication with device biometrics. Register, manage, and authenticate with passkeys.
Multi-Channel Auth
SMS via Azure Communication Services and WhatsApp via Twilio with cascading fallback and consent compliance.
Phone Verification
SMS-based phone verification with OTP codes, messaging consent tracking, and TCPA/GDPR compliance.
Passwordless OTP
One-time password login via Email or SMS. No password required — enter a code and sign in.
Per-Client Config
Each OAuth client configures allowed login methods, toggles registration and password reset, and customizes login page branding.
Notifications
Per-user login alerts and password change notifications via SMS and Email with granular preferences and audit logging.
API Key Management
Create, list, and revoke API keys for partner integrations. Keys carry an rdnk_ prefix, are stored as hashes, and authenticate via the X-API-Key header.
MCP Server & AI Agent
100-tool MCP server with AI agent chat for natural language platform administration. Per-conversation model selection.
Full-Stack Architecture
.NET 10 API
ASP.NET Core with CQRS
- Entity Framework Core 10 with SQL Server
- MediatR for command/query separation
- FluentValidation for input validation
- Serilog structured logging
- OAuth 2.0 / OpenID Connect authorization server
- External OAuth providers (Google, GitHub, Microsoft, Amazon, LinkedIn, X)
- Passkey/WebAuthn (FIDO2) via Fido2.AspNet
- Multi-channel auth (SMS via ACS, WhatsApp via Twilio)
- Swagger/OpenAPI documentation
Next.js 16 Frontend
React 19 with TypeScript
- App Router with protected routes
- HTTP-only cookie authentication with silent refresh
- Multi-step registration with email verification
- 2FA setup wizard and verification forms
- Social login buttons (configurable per-provider)
- Passkey management and WebAuthn authentication
- Multi-channel auth verification (SMS, WhatsApp)
- Phone verification with SMS consent compliance
- Passwordless OTP login (Email and SMS)
- SMS password reset and account recovery
- Notification preferences with per-user granular controls
- OAuth consent and authorization screens
- Admin dashboard with OAuth clients, scopes, claims, and system settings
- API key management for partner integrations
- AI agent chat with 100-tool MCP server and model selection
Enterprise Security Built-In
Production-ready security features out of the box. No configuration required for secure defaults.
Security Headers Applied:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Rate Limiting:
Auth endpoints: Configurable fixed-window limiter
Two-Factor Authentication
TOTP authenticator apps (Google/Microsoft Authenticator), SMS codes, WhatsApp codes, email codes, and one-time recovery codes. OAuth-only users skip password confirmation.
Passwordless & Recovery
Magic links, OTP login (Email/SMS), password reset via email or SMS, and phone-based account recovery for users who have lost email access.
Soft Delete & Audit Trail
All entities support soft delete with automatic query filtering. CreatedDate, UpdatedDate, and user tracking on all records.
Comprehensive REST API
38 controllers spanning authentication, passwordless OTP, passkeys, multi-channel auth, OAuth 2.0/OIDC, DPoP, password expiration, notifications, and full CRUD for all identity resources. Versioned API with Swagger documentation.
# Authentication
POST /api/v1.0/auth/login
POST /api/v1.0/auth/register/initiate
POST /api/v1.0/auth/register/verify
POST /api/v1.0/auth/register/complete
POST /api/v1.0/auth/refresh-token
POST /api/v1.0/auth/logout
# Two-Factor Auth
POST /api/v1.0/auth/2fa/setup
POST /api/v1.0/auth/2fa/enable
POST /api/v1.0/auth/2fa/verify
POST /api/v1.0/auth/2fa/qr-code
POST /api/v1.0/auth/2fa/send-email-code
# Passwordless & Recovery
POST /api/v1.0/auth/magic-link/request
POST /api/v1.0/auth/magic-link/qr-login
POST /api/v1.0/auth/otp/request
POST /api/v1.0/auth/otp/verify
POST /api/v1.0/auth/forgot-password
POST /api/v1.0/auth/forgot-password/sms
POST /api/v1.0/auth/account-recovery/*
# External OAuth Login
GET /api/v1.0/auth/external/providers
POST /api/v1.0/auth/external/initiate
POST /api/v1.0/auth/external/callback
# Passkeys & Multi-Channel
POST /api/v1.0/auth/passkey/register
POST /api/v1.0/auth/passkey/authenticate
POST /api/v1.0/auth/multi-channel/initiate
POST /api/v1.0/auth/multi-channel/verify
CRUD /api/v1.0/auth/channels
# OAuth 2.0 / OIDC Server
GET /oauth/authorize
POST /oauth/authorize/consent
POST /oauth/token
GET /oauth/userinfo
POST /oauth/revoke
POST /oauth/introspect
# Resource Management
CRUD /api/v1.0/users
CRUD /api/v1.0/tenants
CRUD /api/v1.0/roles
CRUD /api/v1.0/oauth-clients
CRUD /api/v1.0/oauth-scopes
CRUD /api/v1.0/oauth-claims
CRUD /api/v1.0/webhooks/subscriptions
Comprehensive Test Suite
1,732 tests across 195 test files spanning unit, integration, and domain layers. In-memory database testing for fast, isolated test runs.
1,444 API Tests
Handler, validator, and integration tests with Moq
Integration Tests
Full auth flows with in-memory test server
196 Domain Tests
Entity behavior, extensions, and persistence
xUnit + FluentAssertions
Modern test framework with readable assertions
