Authentication
Core sign-up / sign-in / refresh / sign-out. Argon2 / PBKDF2 password hashing, JWT issuance with roles + scope claims, brute-force lockout after 5 failed attempts.
Magic Links
Single-use, 15-minute, SHA-256 hashed tokens emailed via Resend. No enumeration leaks — every /request returns the same shape.
Multi-Factor Authentication
RFC 6238 TOTP + hardware OATH tokens. Backup codes generated and hashed on first verification. Two-step enrollment for safety.
WebAuthn / Passkeys
Real cryptographic attestation verification via @simplewebauthn/server. Challenge stored in DB, single-use, 60-second TTL.
Admin (LLM + Feature Flags)
Per-tenant LLM provider config (9 providers, AES-256-GCM encrypted API key) + 116 toggleable feature flags.
10 World-First Novel Features
Authentication primitives that no other provider offers — quantum key distribution, multi-party computation, time-locked credentials, and more.
Cloudflare Console
Wrangler-equivalent admin operations exposed via HTTP. D1 query console, Workers AI, R2 bucket browser, queue + analytics publishers.