Beta · Trusted Device Authenticator is live

Any Phone. Any Approval. Zero Passwords.

Passwordless login via WhatsApp, Passkey, OneID & Reverse SMS — plus turn any user's device into a trusted authenticator for signed, reason-based approvals on payments, orders and sensitive actions.

2.4M+ auths/month
1.2s avg auth time
99.9% uptime SLA
SOC 2 certified
Trusted Device Authenticator · Signed Approval Tokens (OTK) · Number Match Anti-Phishing · WhatsApp-First Reverse Auth · Reverse SMS · OneID Universal Identity · WebAuthn / FIDO2 Passkey · Device Fingerprinting · Real-Time SSE Revocation · Zero-Knowledge Architecture · End-to-End Encrypted · GDPR / SOC 2 Ready

Your Device is
the Authenticator.

The first device a user authenticates on automatically becomes a Trusted Device. Every future login from a new device, every sensitive action, every passkey registration — approved on the device the user already has. No separate authenticator app. No security key. No SMS.

📲
Auto-enrolled on first login
After WhatsApp / Reverse SMS / OneID verification, the device is cryptographically registered as trusted — zero extra user steps.
🔐
Approves new-device logins
New device tries to sign in? The request pushes to the trusted device over SSE and can only be approved via biometric + number match.
🧾
Signs reason-based approvals
Payments, refunds, account deletion — every sensitive action shows the canonical intent on the trusted device before the backend accepts it.
🚫
One-tap revocation
Users can de-trust any device from settings. Backend receives instant SSE and every active session on that device dies in milliseconds.
New device request
Trusted · Approved
SSE push · 42ms
⚡ RAuth · Trusted Device
Enrolling Device…
1. Phone verified via WhatsApp · 0.4s
2. Generating device keypair · 0.6s
3. Registering with RAuth server · 0.8s
Device Trusted
This phone is now your authenticator for every future sign-in.
From: MacBook Pro · Chrome
Location: Nashik, IN
IP: 103.22.xx.xx
TechCorp App
Challenge: Tap 47
12 89 36
55 47 21
73 08 64
🔒 Biometric required · Number shown on new device must match
Flipkart Pay
merchant_id: fk_prd_88213
₹ 12,500
Payout · UPI · verified intent
To: ravi@okhdfc
Reason: Refund #4821
Nonce: a3f…09b2
👆 Sign with biometric
Canonical metadata hashed · Tamper-proof
Active Trusted Devices
📱
iPhone 15 Pro THIS
Nashik · 2 min ago
💻
MacBook Pro · Chrome
Mumbai · 3 days ago
De-trust
🖥️
Office Desktop
Nashik · 8 hours ago
De-trust
⚡ Session killed · SSE · 18ms

One-time Approval Tokens
for every sensitive action.

Stop rolling your own "confirm with OTP" for payments. RAuth issues signed, session-bound OTKs that cryptographically bind the user's intent to the exact action — amount, recipient, reason, all hashed before signing.

POST /approval/init
HMAC metadata · signed
backend.ts POST
// Initialize approval on your backend
const { approval_id } = await rauth.initApproval({
  usecase: 'paymentTransfer',
  metadata: {
    amount: 25000,
    recipient: 'Rahul Sharma',
    reason: 'Rent for April'
  }
});
{ approval_id: "apr_9f2k..." } · 148ms
⚡ RAuth · Trusted Device
Confirm Payment
TechCorp Bank
tenant_id: techcorp_v1
₹ 25,000
Transfer · UPI · canonical intent
To: Rahul Sharma
Account: XXXX4521
Reason: Rent for April
Nonce: a3f…09b2
SSE push · 42ms · trusted device
👆
Face ID / Touch ID
Tap 47 to sign · must match new device
12 89 36
55 47 21
73 08 64
Passkey unlocked · intent signed
🛡️
rauth.verifyApproval(otk)
server · tenant: techcorp_v1
eyJhbGciOiJFZERTQSIsInR5cCI6Ik9US…
1. Metadata hash matches · 0.3ms
2. Session + tenant bound · 0.2ms
3. Signature valid (Ed25519) · 0.6ms
4. Not replayed · within TTL · 0.2ms
Transfer executed
₹25,000 → Rahul Sharma · XXXX4521
1. Backend requests approval
Your API calls RAuth with the usecase (e.g. paymentTransfer) and the canonical metadata — amount, recipient, account number.
POST /v2/approval/init
2. User sees the real intent
Trusted device shows the exact amount, recipient and reason — in plain English — with a number-match challenge. No generic "Approve?" dialog.
SSE → trusted device
3. User confirms with biometric
Face ID / Touch ID / fingerprint unlocks the signing key. User taps the correct number → device signs the approval.
Passkey assertion + number match
4. Backend verifies & executes
Your server receives a signed OTK. RAuthProvider.verifyApproval() checks the metadata hash, session binding, tenant ID and expiry — then you execute.
rauth.verifyApproval(token, phone)
🔐 HMAC metadata hash ⏱️ 60s TTL 🎯 Session-bound ♾️ One-time use 🏢 Tenant-scoped

Pre-built usecases,
schema-validated.

Each usecase ships with a canonical metadata schema so your approvals can't be tampered with — only the declared fields are signed.

💸
paymentTransfer
Money movement with amount, recipient and reason signed end-to-end.
{ amount, currency, recipient, account }
↩️
paymentRefund
Refund approvals bound to the original transaction ID.
{ original_txn_id, amount, reason }
📦
orderConfirm / orderCancel
High-value order flows that need an explicit, signed intent.
{ order_id, total, items_count }
🗑️
accountDelete
Destructive account operations need trusted-device approval — not a password.
{ account_id, scope: 'permanent' }
📤
dataExport / dataDelete
GDPR & DPDP data rights flows, signed and audit-logged by default.
{ data_categories, destination }
📱
deviceLogin
New-device login challenge — ships out of the box, zero code.
{ new_device, ip, location }

Authenticator fallback chain.

If the user doesn't have OneID installed, the app itself is the authenticator. If the trusted device is offline, we gracefully fall back — without losing security guarantees.

🪪
OneID App
Standalone authenticator · installed
📲
Trusted Device
Tenant app itself · auto-enrolled
💬
WhatsApp
Reverse confirmation · no OTP
📩
Reverse SMS
2G-friendly · no internet

Login in 3 taps.
No password.

Click each step to see how RAuth eliminates password friction while keeping enterprise-grade security.

1. User taps "Login with RAuth"
No email or password required
2. WhatsApp OTP delivered
Encrypted 6-digit code, 60s expiry
3. AI trust score verified
Real-time device + behavior analysis
— or authenticate instantly —
🔒 No password stored · Secured by RAuth
Identity Verified!
Authenticated in 1.2s. Zero passwords used.
AI Trust Score
96/100 — High Trust
📱 Device: Recognized · 🌍 Location: Normal
🤖 Bot Probability: 0.2%
⚡ 1.2s avg
🔐 256-bit E2E

How RAuth works in
your app

📱
Your App
User taps "Login" — no password form
RAuth SDK
One-line SDK call initializes auth session
💬
WhatsApp / Passkey
OTP or biometric delivered to user
📲
Trusted Device
New device? Approve on trusted device with number match
Authenticated
Signed JWT returned to your app

Why the old way
is broken

🔑
❌ Broken
Passwords Are a Liability
81% of data breaches involve weak or stolen passwords. Users reuse credentials across 14+ sites.
81%
of hacks exploit passwords
📱
❌ Outdated
SMS OTP Is Intercepted
SIM-swap attacks rose 1000% in 3 years. SS7 vulnerabilities expose every SMS in transit.
1000%
rise in SIM-swap attacks
✅ The Future
RAuth Changes Everything
E2E encrypted WhatsApp delivery, AI trust scoring, and zero-knowledge auth in under 2 seconds.
2s
from click to verified

Authentication,
reimagined.

🔢
Number Match Anti-Phishing
Every remote approval shows a challenge number the user must select on their trusted device. Immune to push-bombing, social-engineering and MFA-fatigue attacks.
Phish-Resistant
💬
WhatsApp-First Reverse Auth
User confirms login from inside WhatsApp — no OTP typing. Multi-tenant: each tenant can connect their own WhatsApp Business number and send under their brand.
Most Popular
🔄
Reverse SMS Auth
User sends a pre-filled SMS from their phone — no OTP entry needed. Zero friction for feature phones and rural users.
India-First
🔑
Native Passkeys (WebAuthn)
Real WebAuthn on every surface: iOS 16+ Passkeys API with iCloud Keychain sync, Android CredentialManager with Google Password Manager, Fido2 fallback for Android 9–13, and native browser WebAuthn on web.
FIDO2
🪪
OneID Universal Identity
A standalone consumer app that lets end-users approve logins and transactions for any RAuth-powered product. One identity, numeric-challenge approvals, real-time SSE push.
App
📡
Real-Time SSE Sync
Your backend listens on a single SSE stream — session verification and revocation reach every node in milliseconds. No polling, no stale JWTs.
Sub-second
🛡️
Device Fingerprint + Trust Score
80+ device signals combined into a dynamic 0–100 trust score. Set thresholds per action — require trusted-device approval for low-trust sessions automatically.
Adaptive
📊
Tenant Dashboard + Dual KYC
Team roles, bulk session revoke, per-app login methods, subscription limits, and dual KYC (tenant + end-user) — all in a passwordless admin dashboard.

Ready to go passwordless in 15 minutes?

Join 3,000+ developers already building with RAuth. Free tier available, no credit card required.

Built for
developers.
First.

Zero boilerplate. One import. Your auth is live.

Node.js / Express
rauth-node v2.4.1 · MIT License
Stable
React / Next.js
@rauth/react v1.8.0 · MIT License
Stable
🐦
Flutter / Dart
rauth_flutter v0.9.2 · MIT License
Beta
🐍
Python / Django
rauth-py v1.2.0 · MIT License
Stable
Your API Key
rauth_live_sk_••••••••••••••••
Node.js · React · REST API

Node.js (auth.js)
import express from 'express';
import { RAuth } from 'rauth-node';

const app = express();
app.use(express.json()); // parse JSON bodies so req.body is populated

// The API key is a server-side secret: read it from the environment
const rauth = new RAuth({
  apiKey: process.env.RAUTH_API_KEY,
  method: 'whatsapp', // or 'passkey' | 'oneid'
});

// Initialize auth session
app.post('/auth/init', async (req, res) => {
  const { sessionToken, expiresIn } =
    await rauth.createSession({
      phone: req.body.phone,
      ipAddress: req.ip,
      deviceId: req.headers['x-device-id'],
    });

  res.json({ sessionToken, expiresIn });
});

// Verify OTP & get JWT
app.post('/auth/verify', async (req, res) => {
  const { jwt, trustScore, user } =
    await rauth.verifySession({
      sessionToken: req.body.sessionToken,
      otp: req.body.otp,
    });

  res.json({ jwt, trustScore, user });
});
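
React
import { RAuthProvider, useRAuth } from '@rauth/react';

// Wrap your app.
// The apiKey prop is bundled into client-side JavaScript and is visible to
// anyone who loads the page.
function App() {
  return (
    <RAuthProvider apiKey="rauth_live_sk_...">
      <YourApp />
    </RAuthProvider>
  );
}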

// Use in any component
function LoginButton() {
  const { signIn, user, loading } = useRAuth();

  return (
    <button onClick={() => signIn({ method: 'whatsapp' })}>
      {loading ? 'Sending OTP...' : 'Login with WhatsApp'}
    </button>
  );
}

REST API
# Initialize session
POST https://api.rauth.io/v1/sessions

Headers:
  Authorization: Bearer rauth_live_sk_...
  Content-Type: application/json

Body:
{
  "phone": "+919644282947",
  "method": "whatsapp",
  "device_id": "d_abc123xyz"
}

# Response
{
  "session_token": "st_9xKj...",
  "expires_in": 60,
  "delivery": "whatsapp"
}

# Verify OTP
POST https://api.rauth.io/v1/sessions/verify
{
  "session_token": "st_9xKj...",
  "otp": "742916"
}

# Response: Signed JWT + trust score

Full visibility into
every session.

Real-time analytics, fraud alerts, and trust score tracking — all in one dashboard.


Military-grade
protection
by default.

Every login passes through 3 AI-powered layers — making it virtually impossible for bad actors to slip through.

🔑 WebAuthn Passkey (FIDO2)
Standards-based biometric authentication using device-native hardware. Private keys never leave the user's device. Immune to phishing by design.
📱 Device Fingerprinting
80+ device signals combined into a unique fingerprint — hardware ID, browser entropy, GPU renderer, and sensor data. Silent, zero-UX check on every request.
🤖 AI Fraud Detection
Trained on 100M+ authentication events. Detects bot farms, credential stuffing, velocity attacks, and impossible travel patterns in real-time.
Trust Score Engine
Dynamic 0-100 trust score per session. Factors: device recognition, location history, behavioral biometrics, and anomaly delta. Configurable thresholds.
🔢 Number-Match Challenge
Every remote approval includes a numeric challenge the user must select on their trusted device. Defeats push-bombing, MFA-fatigue, and social-engineering approval fraud — the attacker can't predict the digit.
🧾 Signed Approval Tokens (OTK)
Session-bound, tenant-scoped, one-time approval tokens. Metadata is canonicalized and HMAC'd before signing — tampering with amount, recipient or reason invalidates the token. Backend SDK verifies everything in one call.
📡 Real-Time SSE Revocation
Session state is streamed over Server-Sent Events and Redis Pub/Sub. Revoke from dashboard or user app → every node and every SDK drops the session in <100ms. No stale JWT window.
🤖 AI Threat Detection: 99.7%
📱 Device Fingerprint: 98.4%
⭐ Trust Score Precision: 97.1%
🛡️ False Positive Rate: 0.03%

RAuth vs. the
alternatives

Feature Passwords SMS OTP ⚡ RAuth
Phishing Resistant
SIM-Swap Proof
Zero Password Storage~
Passwordless UX~
AI Fraud Detection
Device Fingerprinting
WhatsApp Delivery
GDPR / SOC 2 Ready~~
Trusted Device as Authenticator
Signed Reason-Based Approvals (OTK)
Number-Match Anti-Phishing
Real-Time Session Revocation (SSE)
Multi-Tenant WhatsApp Business
Dual KYC (Tenant + End-User)
SDK Integration Time: Passwords: Days · SMS OTP: Hours · RAuth: 15 min
Auth Time: Passwords: ~8s · SMS OTP: ~30s · RAuth: ~1.2s

Simple, transparent
pricing.

Monthly Annual Save 20%
Free
$0/mo
Perfect for side projects and exploring RAuth.
500 authentications/mo
WhatsApp OTP
Basic dashboard
Community support
Passkey / Reverse SMS
AI fraud detection
SLA guarantee
Enterprise
Custom
For scale-ups and enterprises needing custom SLAs and dedicated infrastructure.
Unlimited authentications
Dedicated infrastructure
Custom SLA (up to 99.99%)
SSO / SAML / OIDC
On-premise option
Audit logs & compliance
Dedicated account manager
24/7 phone support

Built for every
industry.

🏦
Fintech & Banking
Replace OTPs for fund transfers, KYC re-auth, and high-risk transactions. PCI DSS compliant out of the box.
PCI DSS · KYC
💻
SaaS Products
Reduce login drop-off by 60%. Frictionless auth for B2B and B2C SaaS with team SSO support and audit logging.
SSO · B2B
🛒
E-Commerce
One-tap checkout login. Reduce cart abandonment with WhatsApp-based express auth. Works on feature phones too.
Checkout · Mobile
🏛️
Government & Public
Citizen portal authentication with Aadhaar-linked OneID. Accessible to rural India via Reverse SMS on any phone.
Aadhaar · Inclusive

Auth that works
everywhere.

From flagship smartphones to ₹999 feature phones — RAuth reaches every user.

💬
WhatsApp Deep Linking
Tap to open WhatsApp directly with pre-filled OTP — no copy-paste. Works across iOS and Android.
📲
Reverse SMS (No Data Needed)
User sends a blank SMS — we auto-verify in background. Works on 2G with zero internet on user's side.
🔄
Cross-Device Session Sync
Start login on mobile, complete on desktop. Session persists securely across devices using cryptographic binding.
🌐
140+ Country Support
WhatsApp Business API coverage across 140+ countries. Local phone number validation and region-specific compliance.
⚡ RAuth
Tap to verify
Your RAuth code:
7 4 2 9 1 6
Valid 60s · Never share
✅ Verified in 1.1s
Cross-Device Sync
📱 Mobile session started
Device fingerprint: Matched ✓
💻 Desktop session synced
Trust score: 94/100 ✓
✅ Both devices authenticated

Backed by the
best.

🇮🇳
Startup India
DPIIT Recognized
🪟
Microsoft for Startups
Founders Hub Member
🌐
Google for Startups
Cloud Partner
📚
Skill India
Digital India Initiative
🚀
Y Combinator
W24 Cohort

One platform.
Three products.

🔗
Truelink
Verified link-sharing platform. Every URL is authentic, traceable, and tamper-proof. Built for enterprises sharing sensitive documents.
Learn more →
💉
VaccineIT
Digital health credential management. Verify vaccination records instantly across borders with cryptographic proof and zero data exposure.
Learn more →
RAuth + OneID
The authentication layer + a consumer identity app. Every tenant app becomes a trusted authenticator, and power users carry one OneID across the whole ecosystem.
Get access →

Stop building auth.
Start shipping product.

RAuth handles the complexity. You focus on what matters.

Built by security
obsessives.

We started RAuth because we were tired of the status quo.

Passwords are a 40-year-old technology protecting a 21st-century world. Our team of ex-Google, ex-Microsoft, and security researchers built RAuth to make passwordless the default.

👨‍💻
Aryan Mehta
CEO & Co-founder · ex-Google Security
👩‍🔬
Priya Krishnan
CTO · ex-Microsoft Azure Identity
👨‍🎨
Daniel Osei
Head of Design · ex-Figma
🧠
Dr. Lin Wei
AI Research Lead · PhD, MIT CSAIL
🚀 Backed by
Sequoia, Y Combinator W24
$4.2M Seed Round

Frequently asked
questions.

No separate app is required. The first device on which a user successfully authenticates (via WhatsApp, Reverse SMS or OneID) is automatically enrolled as a Trusted Device. That same tenant app now acts as a FIDO-grade authenticator for all future new-device logins, passkey registrations and reason-based approvals. If the user does install our standalone OneID app, it becomes the primary authenticator and the tenant app becomes a fallback — both paths are first-class.
An OTK is a server-issued, session-bound, one-time approval token for sensitive actions (payments, refunds, account deletion, data export). When you call initApproval, we canonicalize the metadata (amount, recipient, reason…), HMAC it with your tenant secret, and bind the token to session_id + tenant_id + approval_id. The user sees the actual amount and recipient on their trusted device — not a vague "Approve?" prompt — and confirms with biometric + number match. Your backend verifies the token with one SDK call and the metadata hash detects any tampering before execution.
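
The checks named in the four-step approval flow earlier on this page and in the answer above (metadata hash, session and tenant binding, signature, TTL, one-time use), as an added example that is not RAuth's SDK code or wire format. The token layout, the `canonicalize` rule, the claim names `meta_hash`, `jti` and `exp`, and all sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: "canonical" means JSON with object keys sorted recursively.
function canonicalize(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
}

// HMAC over usecase + canonical metadata, keyed with the tenant secret.
function metadataHash(tenantSecret, usecase, metadata) {
  return crypto.createHmac('sha256', tenantSecret)
    .update(usecase + '\n' + canonicalize(metadata)).digest('base64url');
}

// Hypothetical token layout: base64url(claims) + '.' + base64url(Ed25519 signature).
function issueToken(privateKey, claims, now = Date.now()) {
  const full = { ...claims, jti: crypto.randomUUID(), exp: now + 60_000 }; // 60s TTL
  const body = Buffer.from(JSON.stringify(full)).toString('base64url');
  const sig = crypto.sign(null, Buffer.from(body), privateKey).toString('base64url');
  return body + '.' + sig;
}

function safeEqual(a, b) { // constant-time string comparison
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}
const usedTokenIds = new Set(); // a real deployment needs a shared store with expiry

// `pending` is the action the backend is about to execute, from its own records.
function verifyToken(token, publicKey, pending, now = Date.now()) {
  const [body, sig] = String(token).split('.');
  if (!body || !sig) return 'malformed';
  const sigOk = crypto.verify(null, Buffer.from(body), publicKey, Buffer.from(sig, 'base64url'));
  if (!sigOk) return 'bad_signature'; // verify before parsing or trusting any claim
  const c = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (c.session_id !== pending.session_id || c.tenant_id !== pending.tenant_id ||
      c.approval_id !== pending.approval_id) return 'binding_mismatch';
  const want = metadataHash(pending.tenantSecret, pending.usecase, pending.metadata);
  if (!safeEqual(c.meta_hash, want)) return 'metadata_mismatch';
  if (now > c.exp) return 'expired';
  if (usedTokenIds.has(c.jti)) return 'replayed';
  usedTokenIds.add(c.jti); // one-time use: burn the id on first success
  return 'ok';
}

// Constructed sample data, not real tenant values.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pending = { tenantSecret: 'constructed-secret', usecase: 'paymentTransfer',
    metadata: { amount: 25000, recipient: 'Rahul Sharma', reason: 'Rent for April' },
    session_id: 's1', tenant_id: 'techcorp_v1', approval_id: 'apr_demo' };
  const { tenantSecret, usecase, metadata, ...binding } = pending;
  const claims = { ...binding, meta_hash: metadataHash(tenantSecret, usecase, metadata) };
  const token = issueToken(privateKey, claims);
  return {
    tampered: verifyToken(token, publicKey, { ...pending, metadata: { ...metadata, amount: 250000 } }),
    first: verifyToken(token, publicKey, pending),
    second: verifyToken(token, publicKey, pending),
    otherSession: verifyToken(issueToken(privateKey, claims), publicKey, { ...pending, session_id: 's2' }),
    stale: verifyToken(issueToken(privateKey, claims, Date.now() - 61_000), publicKey, pending),
  };
}
```

`demo()` checks one token against an altered amount, a second use, a different session and an expired lifetime; only the first unaltered use returns `ok`.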
Traditional push-notification MFA just asks "Approve login?" — attackers spam users until one taps yes (MFA-fatigue / push-bombing). RAuth shows a 2-digit number on the requesting device and a 3×3 grid on the trusted device; the user must select the matching number. An attacker initiating the login has no way to predict or see the number, and a confused user can't just reflex-tap "Approve". It's the same model Microsoft Authenticator uses — we build it in by default for every sensitive approval.
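
The number-match check described in the answer above, as an added example that is not RAuth's implementation. The function names, the 60-second lifetime and the one-attempt policy are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

const pad = (n) => String(n).padStart(2, '0');

// One challenge: the 2-digit number shown on the requesting device and the 3x3
// grid shown on the trusted device (that number plus 8 distinct decoys).
function createChallenge(now = Date.now()) {
  const picks = new Set();
  while (picks.size < 9) picks.add(crypto.randomInt(0, 100)); // CSPRNG, 00-99
  const grid = [...picks];
  const answer = grid[0];
  for (let i = grid.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = crypto.randomInt(0, i + 1);
    [grid[i], grid[j]] = [grid[j], grid[i]];
  }
  // Assumption: `answer` is displayed only on the requesting device and `grid`
  // only on the trusted device; the challenge lives for 60 seconds.
  return { answer: pad(answer), grid: grid.map(pad), expiresAt: now + 60_000, resolved: false };
}

// Resolve a tap from the trusted device. Any tap, right or wrong, closes the
// challenge, so a blind guess succeeds at most 1 time in 9 and cannot be retried.
function resolveTap(challenge, tapped, now = Date.now()) {
  if (challenge.resolved) return 'already_resolved';
  challenge.resolved = true;
  if (now > challenge.expiresAt) return 'expired';
  return tapped === challenge.answer ? 'approved' : 'denied';
}
```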
Yes. RAuth uses Server-Sent Events plus Redis Pub/Sub to stream session state changes to every backend node and every SDK instance. When you call revokeSession (or a user revokes from their account dashboard), the event reaches your servers in under 100 ms — no polling, no JWT-expiry window. Our SDKs drop the session immediately and the next request from that token fails with session_revoked.
RAuth uses the official WhatsApp Business API to send a one-time 6-digit code directly to the user's WhatsApp. The message is end-to-end encrypted by WhatsApp itself. Our system generates a cryptographically secure OTP, stores its hash, and verifies it on submission — the plaintext OTP is never stored. Multi-tenant tenants can connect their own WABA and send under their own brand.
The user sends a blank or pre-filled SMS to our dedicated number from their registered phone. We verify the sender's number automatically in the background — zero OTP entry needed. Works on any phone, even 2G devices with no internet. Perfect for India's rural and semi-urban markets.
Yes. RAuth is SOC 2 Type II certified, GDPR compliant, and HIPAA-ready. We follow a zero-knowledge architecture — we never store plaintext credentials or OTPs. Data residency options available for EU and India (RBI compliance). DPA agreements available for enterprise customers.
Most developers are live in under 15 minutes using our SDK. Install with npm or pip, initialize with your API key, and call createSession() — that's it. We have pre-built UI components for React, Vue, and Flutter if you want zero custom UI work.
Every authentication request gets a real-time trust score (0-100) based on device fingerprint, IP reputation, login velocity, behavioral biometrics, and historical patterns. You can configure thresholds — e.g., require 2FA for scores below 70. The model is trained on 100M+ auth events.
Absolutely. RAuth offers a migration path — you can add passwordless as a second factor first, then progressively roll out full passwordless. Our SDK supports gradual rollout with feature flags, so you can enable it for 1%, 10%, or 100% of users. No forced migration required.
Yes — multi-tenant support is available on Pro and Enterprise plans. Each tenant gets isolated authentication flows, separate analytics, and configurable branding. B2B SaaS products can white-label the auth flow with their own logo and domain. JWT claims include tenant context.
RAuth has automatic fallback routing. If WhatsApp is unavailable, sessions automatically fall back to Reverse SMS, then to email OTP. You can configure fallback priority per user segment. In 2024, our WhatsApp delivery uptime was 99.96% — significantly higher than SMS.

Get Early Access

Join 3,000+ developers in the queue. First 100 get free tier forever.

Let's build
the future
together.

Our team responds within a few hours. Have a demo request? We'll set it up same day.

💬
WhatsApp
+91 96442 82947
🔒
📍
HQ
Zara Palace, 5th Floor, Opp Water Tank, Ashoka Hospital, Vinay Nagar, Wadala, Nashik, Maharashtra 422009
SOC 2 Type II · GDPR · HIPAA · ISO 27001 · PCI DSS · RBI Compliant