Authdog is built so the secure path is the default path. This page summarizes how sessions, tokens, keys, and provisioning are handled, and the compliance-ready defaults you inherit for free.
Per-environment key isolation and rotation
Every environment has its own signing keys, connections, and user store. A leaked credential or misconfiguration in one environment can never reach another. Signing keys are rotated on a managed schedule, and the environment's public key (pk_...) lets clients verify sessions without ever handling a private key.
Short-lived signed sessions
Sign-in issues a signed-JWT session delivered as the authdog-session cookie (HttpOnly, SameSite=Lax, Secure in production) or as an Authorization: Bearer token. Sessions are short-lived and signed, so a stolen token has a small window and can't be forged. See Sessions & tokens for the token model.
Edge session validation
Sessions are validated at the edge, close to the user, before requests reach your origin. Validation is stateless against the environment's public key, so it stays fast and doesn't depend on a central session store.
MFA and breach-aware passwords
Enable TOTP MFA to require a second factor after primary sign-in. The password policy is breach-aware — credentials known from public breaches are rejected — so weak and compromised passwords never make it into your user store.
Enterprise SSO
Delegate authentication to a customer's identity provider over SAML 2.0 or OIDC, with first-class support for Okta, Entra ID, JumpCloud, Ping, and BeyondTrust. Customers keep their own MFA, session, and lifecycle policies.
Provisioning and deprovisioning
Automated lifecycle keeps access in sync with the source of truth. SCIM 2.0 and HRIS feeds create, update, and — critically — deactivate users when they leave, so offboarding in the IdP revokes app access with no manual step. See Provisioning.
Audit events
Identity events — sign-ins, role changes, provisioning updates — are recorded and available through the Events API for auditing, alerting, and downstream sync.
Webhook signature verification
Outbound webhooks are HMAC-signed with an X-Authdog-Signature: t=...,v1=... header and delivered with durable retry. Always verify the signature and check the timestamp before acting on a payload, so you only trust events that genuinely came from Authdog.