One small sign-in center for trusted apps

Signet centralizes password login, TOTP, WebAuthn, JWT sessions, redirect allowlists, and encrypted OAuth-style callbacks without turning every project into an auth project.

Auth surface

Configured capabilities

Second factor: TOTP or WebAuthn
Session token: JWT with expiry
Redirect safety: Allowlist + state
OAuth return: ECDH encrypted payload

Tools

Set up the pieces Signet needs

OAuth playground

Test the encrypted callback flow

Launch a local OAuth-style flow, generate client keys in the browser, and inspect the callback verification result.

Runtime guardrails

  • Redirect allowlist blocks open redirects.
  • JWT sessions can be verified by downstream apps.
  • ECDH protects token return payloads.

How it works

One gateway, many apps

Keep sign-in logic centralized while each app owns its final session.

1. Redirect: App sends the user to Signet with a callback URL.
2. Verify: Signet checks password plus TOTP or WebAuthn.
3. Return: A JWT is returned directly or through encrypted OAuth payloads.
4. Trust: Your app verifies the token and creates its own session.

Environment variables

Required secrets, redirect allowlists, session settings, and ECDH options.

Project integration

Verify callback tokens and wire Signet into downstream apps.

Auth methods

Understand how password, second factor, JWT, and redirects fit together.