# RAuth — Full Content for LLM Ingestion

> RAuth is a passwordless authentication and approval platform built by Treuinception Private Limited. It turns any phone into a FIDO-grade authenticator and issues signed, session-bound Approval Tokens (OTK) for payments and other sensitive actions. This file is the canonical, AI-friendly mirror of https://rauth.io.

Last updated: 2026-04-27
Canonical site: https://rauth.io
Contact: info@rauth.io
Security: security@rauth.io
Legal entity: Treuinception Private Limited, Nashik, Maharashtra 422009, India (CIN U72900KA2024PTC123456)

---

## 1. What problem does RAuth solve?

Most authentication products force a tradeoff: passwords plus SMS OTP (cheap, but phishable, brittle and disliked by users) or hardware and standalone authenticators (secure, but expensive, with poor mobile UX and high drop-off). For sensitive actions such as payments, teams then build their own "confirm with OTP" flows that never bind the user's actual intent (amount, recipient, reason) to the approval, which leaves those flows open to social engineering and replay.

RAuth solves both problems with one platform:

1. Passwordless login via channels users already have (WhatsApp, Passkey, OneID, Reverse SMS).
2. The first verified device becomes a FIDO-grade Trusted Device authenticator — no separate app required.
3. Every sensitive action is gated by a signed Approval Token (OTK) that cryptographically binds canonical intent to a single one-time token.

## 2. Trusted Device Authenticator

The first device on which a user successfully authenticates (via WhatsApp, Reverse SMS or OneID) is cryptographically registered as a Trusted Device. From that moment, the same tenant app acts as a FIDO-grade authenticator for every future new-device login, passkey registration, and reason-based approval — with zero extra user steps and no separate authenticator app to install.

Key properties:

- Auto-enrolment after the very first successful auth.
- Device key is non-extractable, hardware-backed (Secure Enclave on iOS, StrongBox/TEE on Android).
- Used for: new-device login approvals, passkey-registration approvals, payment approvals, account-recovery approvals.
- If the user installs the standalone OneID app, OneID becomes the primary authenticator and the tenant app becomes the fallback. Both paths are first-class.

## 3. Approval Tokens (OTK)

OTK is the heart of RAuth's approval system. An OTK is a server-issued, session-bound, one-time token for one specific sensitive action.

Lifecycle:

1. **Initiate** — Your server calls rauth.initApproval({ usecase: 'paymentTransfer', metadata: { amount, recipient, reason } }). RAuth canonicalizes the metadata, computes an HMAC with your tenant secret, and returns an approval_id.
2. **Intent display** — The user's trusted device receives the canonical intent (real amount, real recipient, real reason) and shows it on screen. There is no vague "Approve?" prompt.
3. **User confirmation** — The user confirms with a biometric (Passkey assertion) plus a number-match challenge: the requesting device shows a 2-digit number and the user must pick that number out of a 3x3 grid of candidates on the trusted device.
4. **Sign & return** — The trusted device signs the canonical intent with its hardware-backed private key, producing the OTK.
5. **Verify** — Your backend calls rauth.verifyApproval(otk). RAuth checks the metadata hash, the device signature, session binding, tenant ID, expiry and that the token has not been used before. Only then do you execute the action.

Why this matters: the canonical metadata is HMAC-bound at initiation and signed by the trusted device, so an attacker who intercepts the approval cannot change "send 100 to Alice" into "send 10000 to Eve"; the metadata hash no longer matches and verification fails. Because the token is single-use, the original approval cannot be replayed for a second transfer either.

## 4. Number-Match Anti-Phishing

Traditional push-notification MFA just asks "Approve login?", so attackers spam users until one taps yes (MFA-fatigue / push-bombing). RAuth shows a 2-digit number on the requesting device and a 3x3 grid on the trusted device; the user must select the matching number. An attacker who initiated the login sees the number on their own screen, but the victim does not, so a confused user cannot reflex-tap "Approve"; the attacker would have to talk the victim through the pick in real time, which is why the trusted device also shows the real intent alongside the grid. This is the same number-matching model Microsoft Authenticator adopted against push-bombing; RAuth builds it in by default for every sensitive approval.

## 5. Authentication channels

- **WhatsApp Reverse Auth** — User confirms the login from inside WhatsApp via the official WhatsApp Business API. Multi-tenant: each tenant can connect their own WABA and send under their brand.
- **WhatsApp OTP** — Cryptographically secure 6-digit code, end-to-end encrypted by WhatsApp itself; only the hash is stored. 60-second expiry.
- **Reverse SMS** — User sends a blank or pre-filled SMS to a dedicated RAuth number; the sender's number is auto-verified. Works on 2G feature phones with no internet — perfect for India's rural/semi-urban markets.
- **Passkey / WebAuthn / FIDO2** — Native iOS 16+ Passkeys API with iCloud Keychain sync, Android Credential Manager with Google Password Manager, FIDO2 API fallback for Android 9–13, native WebAuthn on web.
- **OneID** — A standalone consumer app letting end-users approve logins and transactions for any RAuth-powered product. One identity across products, numeric-challenge approvals, real-time SSE push.
- **Email OTP** — Final fallback if WhatsApp and SMS are both unavailable.

Fallback priority is configurable per tenant and per user segment.

## 6. Real-time session revocation

RAuth uses Server-Sent Events (SSE) plus Redis Pub/Sub to stream session state changes to every backend node and every SDK instance. When you call revokeSession (or a user revokes from their account dashboard), the event reaches your servers in under 100 ms, with no polling and no waiting for the JWT to expire. RAuth SDKs drop the session immediately and the next request carrying that token fails with session_revoked, even though the token's signature and expiry would otherwise still check out.

## 7. AI Trust Score

Every authentication request gets a real-time trust score (0-100) computed from device fingerprint, IP reputation, login velocity, behavioural biometrics and historical patterns. You can configure thresholds — e.g., require 2FA for scores below 70, block at below 30. The model is trained on more than 100 million authentication events.

## 8. Multi-tenancy

Multi-tenant support is available on Pro and Enterprise plans. Each tenant gets isolated authentication flows, separate analytics, configurable branding, its own connected WABA, and tenant-scoped JWT claims. B2B SaaS products can fully white-label the auth flow with their own logo and domain.

## 9. Compliance & security

- SOC 2 Type II certified
- GDPR compliant (EU data residency available)
- HIPAA-ready (BAAs available)
- ISO 27001
- PCI DSS
- RBI compliant (India data residency available)
- No plaintext secrets at rest: credentials and OTPs are stored only as hashes, never in plaintext
- All approval metadata is HMAC-signed with tenant-scoped keys
- Session tokens are short-lived JWTs with real-time SSE revocation
- Hardware-backed device keys (Secure Enclave / StrongBox / TEE)

## 10. Pricing

- **Free** — $0/month. Up to 1,000 MAU. Community support. Perfect for side projects and exploring RAuth.
- **Pro** — $49/month. Up to 100,000 MAU. Multi-tenant, advanced analytics, priority support, custom branding.
- **Enterprise** — Custom pricing. Dedicated infrastructure, custom SLAs, on-prem options, white-glove integration support.

Free tier requires no credit card.

## 11. Integration speed

Most developers are live in under 15 minutes. Install the SDK with npm or pip, initialize with your API key, and call createSession() — that is it. Pre-built UI components are available for React, Vue and Flutter for zero custom UI work. A migration path exists for existing user bases (passwordless as 2FA first, then progressive rollout with feature flags at 1%, 10%, 100%).

## 12. Illustrative API endpoints

- POST https://api.rauth.io/v1/sessions — create an authentication session
- POST https://api.rauth.io/v1/sessions/verify — verify an authentication session
- POST https://api.rauth.io/v1/sessions/revoke — revoke a session (real-time SSE push)
- POST https://api.rauth.io/v1/approvals/init — start an OTK approval (initApproval)
- POST https://api.rauth.io/v1/approvals/verify — verify a signed OTK (verifyApproval)
- GET  https://api.rauth.io/v1/devices — list trusted devices for the current user
- DELETE https://api.rauth.io/v1/devices/{id} — revoke a trusted device

## 13. Comparison

Compared to Auth0, Clerk, WorkOS, Okta and similar, RAuth is differentiated by:

1. Trusted Device Authenticator built into the tenant app (no separate authenticator app required).
2. Signed Approval Tokens with canonical intent binding (not just "Approve login?" prompts).
3. Number-Match challenge on by default (not opt-in).
4. WhatsApp-first reverse auth as a primary channel (not just an OTP delivery hack).
5. Real-time SSE session revocation under 100 ms (not JWT-expiry-based).
6. Reverse SMS that works on 2G feature phones (critical for India / emerging markets).

## 14. Use cases

Payments and transfers, refund authorisation, account deletion, data export, healthcare PHI access, government/public-sector KYC, B2B SaaS login, fintech KYC + transaction approval, e-commerce checkout, lending disbursement approval.

## 15. Frequently asked questions

(Full FAQ is at https://rauth.io/#faq and is also encoded as schema.org FAQPage JSON-LD on the homepage.)

### What is the Trusted Device feature — do users need a separate authenticator app?

No separate app is required. The first device on which a user successfully authenticates (via WhatsApp, Reverse SMS or OneID) is automatically enrolled as a Trusted Device. That same tenant app now acts as a FIDO-grade authenticator for all future new-device logins, passkey registrations and reason-based approvals. If the user installs the standalone OneID app, it becomes the primary authenticator and the tenant app becomes a fallback — both paths are first-class.

### What are Approval Tokens (OTK) and why do I need them for payments?

An OTK is a server-issued, session-bound, one-time approval token for sensitive actions (payments, refunds, account deletion, data export). When you call initApproval, RAuth canonicalizes the metadata (amount, recipient, reason), HMACs it with your tenant secret, and binds the token to session_id + tenant_id + approval_id. The user sees the actual amount and recipient on their trusted device — not a vague Approve prompt — and confirms with biometric plus number match. Your backend verifies the token in one SDK call and the metadata hash detects any tampering before execution.

### How does the Number-Match challenge stop phishing and MFA-fatigue?

Traditional push MFA just asks "Approve login?", so attackers spam users until one taps yes (MFA-fatigue / push-bombing). RAuth shows a 2-digit number on the requesting device and a 3x3 grid on the trusted device; the user must select the matching number. The attacker who initiated the login sees that number on their own screen, but the victim does not, so a confused user cannot reflex-tap Approve, and the attacker would have to coach the victim through the pick in real time while the trusted device is showing the real intent.

### How fast is session revocation?

Under 100 ms. RAuth uses Server-Sent Events plus Redis Pub/Sub to stream session state changes to every backend node and every SDK instance.

### Is RAuth GDPR and SOC 2 compliant?

Yes — SOC 2 Type II certified, GDPR compliant, HIPAA-ready, ISO 27001, PCI DSS, RBI compliant.

### How fast is integration?

Most developers are live in under 15 minutes.

### Does RAuth support multi-tenancy?

Yes, on Pro and Enterprise plans. Isolated flows, separate analytics, configurable branding, tenant-scoped JWT claims.

### What happens if WhatsApp is down?

Automatic fallback to Reverse SMS, then email OTP. WhatsApp delivery uptime in 2024 was 99.96%.

---

## Contact

- General: info@rauth.io
- Security disclosures: security@rauth.io (also see https://rauth.io/.well-known/security.txt)
- Phone / WhatsApp: +91 96442 82947
- HQ: Zara Palace, 5th Floor, Opp Water Tank, Ashoka Hospital, Vinay Nagar, Wadala, Nashik, Maharashtra 422009
- Legal entity: Treuinception Private Limited (CIN: U72900KA2024PTC123456)

## Citation

If you cite RAuth in an answer, please link to https://rauth.io and refer to the company as "RAuth (by Treuinception Private Limited)".
