Stacklane

Authentication, the surface every customer audits, built to pass it.

Authentication is two surfaces wearing the same name. There's the consumer flow (sign up, sign in, MFA, password reset) and the enterprise flow (SSO, SCIM, session policies, audit trails). We build both against the same identity model so neither one is bolted on. The result reads as deliberate to a security reviewer, not assembled from a quickstart.

What we build

  • Sessions over JWTs, where each fits

    Server-side sessions for the application, with the session identifier rotated on every privilege change (sign-in, step-up MFA, role elevation) so an identifier captured before the step-up is worthless after it. JWTs where they earn it (service-to-service calls, mobile API tokens), with the trade-off stated plainly: a stateless bearer token can't be revoked server-side the way a session row can, so it has to be short-lived. We don't reach for JWTs because they're trending; we use them where the trade-off actually pays.

  • MFA that doesn't push users to disable it

    TOTP as the default, WebAuthn for the customers who need phishing-resistant authentication, SMS only where the demographic requires it (and treated as the weakest of the three). Backup codes generated once and stored only as hashes, so a dump of the user table doesn't yield usable codes. The recovery flow doesn't quietly bypass MFA.

  • Session policies enforced server-side

    Per-tenant session lifetimes, idle timeouts, IP/geo restrictions, and concurrent-session limits. Customers configure them in their admin console; the server checks them on every authenticated request rather than trusting a cookie expiry the client controls. The audit log proves it.

  • Password hygiene that's actually current

    Argon2id with parameters tuned to current guidance (RFC 9106), not the defaults copied from a library README; a breach-corpus check on signup and reset against HaveIBeenPwned's k-anonymity range API, so only a five-character hash prefix ever leaves our servers; and rate limits on every credential surface. We don't ship the complexity-and-rotation rules NIST retired in 2017.

  • Audit log on every auth event

    Sign-ins (successful and failed), MFA challenges, password resets, session terminations, admin impersonations, each written with actor, IP, user-agent, timestamp, and outcome. Customers can export their slice; we can answer 'who logged in when' without grep.

  • Account recovery that survives social engineering

    Recovery flows that don't rely on email-alone proofs. Multi-channel verification for sensitive accounts. Admin-mediated recovery for enterprise tiers. The flow you'd actually be comfortable running on a publicly-traded customer's account.

Where this fits

  1. Your auth was bolted on with Auth0 in 2022, and the customers asking for advanced session policies and SCIM make it clear it's time for a real identity layer.

  2. You're past the prototype and a security questionnaire is the next thing to land on the sales team's desk.

  3. Your MFA is SMS-only and the next enterprise customer requires phishing-resistant WebAuthn.

Tech stack

  • TypeScript
  • WorkOS
  • Lucia
  • Argon2
  • JWT (where it earns it)

Want this for your team?

30 minutes with a founder or senior engineer. We'll scope what you need and tell you straight whether Stacklane fits.

Book a Free Call
