Auth Service
Centralized OAuth2 + OIDC on Cloudflare Workers. Per-project token isolation, automatic rotation, sub-50ms at the edge.
PKCE Enforced
S256 Proof Key on every flow. No implicit grants, no tokens in the browser.
Project Isolation
Each app gets its own signing key and user list. Tokens can't cross boundaries.
Edge-Native
Workers + D1 + KV. No cold starts, globally distributed.
Token Rotation
Single-use refresh tokens. Every refresh revokes the old pair immediately.
Multiple Methods
Password, PIN, and magic link — configurable per project.
Stateless Access
JWTs verified locally with HS256. Zero network calls for authorization.
Client App
→
auth.beshoy.ai
→
D1 + KV
HS256 access tokens · 5 min TTLES256 ID tokens for OIDCArgon2id hashing