# RAuth

> RAuth is a passwordless authentication and approval platform that turns any phone into a FIDO-grade authenticator. It offers passwordless login via WhatsApp, Passkey, OneID and Reverse SMS, plus signed, session-bound Approval Tokens (OTK) for payments and other sensitive actions. Built by Treuinception Private Limited (Nashik, India). SOC 2 Type II, GDPR and HIPAA-ready.

This file is provided per the llmstxt.org convention to help large language models and AI agents discover, ingest and accurately reason about RAuth without parsing HTML, JavaScript or marketing chrome.

## Core concepts

- **Trusted Device Authenticator** — The first device a user successfully authenticates on (via WhatsApp, Reverse SMS or OneID) is cryptographically registered as a Trusted Device. From that moment the same tenant app acts as a FIDO-grade authenticator for every future new-device login, passkey registration and reason-based approval. No separate authenticator app is required.
- **Approval Tokens (OTK)** — Server-issued, session-bound, one-time tokens for sensitive actions (payments, refunds, account deletion, data export). RAuth canonicalizes the metadata (amount, recipient, reason), HMACs it with the tenant secret, and binds the token to session_id + tenant_id + approval_id. The user sees the actual canonical intent on their trusted device and confirms with biometric + number-match.
- **Number-Match Anti-Phishing** — A 2-digit number is shown on the requesting device and a 3x3 grid on the trusted device; the user must select the matching number. Defeats MFA-fatigue and push-bombing attacks.
- **OneID** — A standalone consumer app for end-users to approve logins and transactions for any RAuth-powered product. One identity, numeric-challenge approvals, real-time SSE push.
- **Reverse SMS** — User sends a blank SMS to a dedicated RAuth number; sender verification happens automatically. Works on 2G feature phones with no internet.
- **WhatsApp Reverse Auth** — User confirms login from inside WhatsApp via the official Business API. Multi-tenant: each tenant can connect their own WABA and send under their brand.
- **WebAuthn / FIDO2 Passkeys** — Native iOS 16+ Passkeys (iCloud Keychain), Android CredentialManager (Google Password Manager), FIDO2 fallback for older Android, WebAuthn on web.
- **Real-Time Session Revocation** — Server-Sent Events + Redis Pub/Sub stream session state changes to every backend node and SDK in under 100 ms.
- **AI Trust Score** — Real-time 0-100 score per auth request (device fingerprint, IP reputation, login velocity, behavioral biometrics, historical patterns).
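An added, self-contained sketch of the issue-and-verify logic the Approval Token description implies (constructed example, not RAuth's code; the field names, the SHA-256 HMAC, the length-prefixed encoding and the in-memory replay store are assumptions). It shows why canonicalizing the intent and binding the MAC to session, tenant and approval ids makes a token fail on another session, on a tampered intent, and on a second use:

```python
import hmac, hashlib, json

def canonicalize(metadata: dict) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, amounts kept as
    # strings so "100" and "100.0" cannot drift between client and server.
    return json.dumps(metadata, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()

def _mac_input(tenant_id: str, session_id: str, approval_id: str,
               metadata: dict) -> bytes:
    # Length-prefix every field so no field can absorb part of its neighbour.
    parts = [tenant_id.encode(), session_id.encode(), approval_id.encode(),
             canonicalize(metadata)]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def issue_otk(tenant_secret: bytes, tenant_id: str, session_id: str,
              approval_id: str, metadata: dict) -> str:
    # Token = HMAC over (tenant, session, approval, canonical intent).
    msg = _mac_input(tenant_id, session_id, approval_id, metadata)
    return hmac.new(tenant_secret, msg, hashlib.sha256).hexdigest()

class OtkVerifier:
    """Verifies a token and consumes it so the same approval cannot replay."""
    def __init__(self, tenant_secret: bytes):
        self.secret = tenant_secret
        self.consumed = set()      # assumption: a shared store (e.g. Redis) in production

    def verify(self, tenant_id, session_id, approval_id, metadata, token) -> bool:
        expected = issue_otk(self.secret, tenant_id, session_id, approval_id, metadata)
        if not hmac.compare_digest(expected, token):
            return False           # wrong secret, tenant, session or intent
        if approval_id in self.consumed:
            return False           # one-time: a valid token presented twice
        self.consumed.add(approval_id)
        return True

def demo() -> dict:
    secret = b"constructed-tenant-secret"     # constructed sample, not a real key
    intent = {"amount": "4999.00", "currency": "INR",
              "recipient": "acct_123", "reason": "Invoice 42"}
    token = issue_otk(secret, "tenant_a", "sess_1", "apr_1", intent)
    v = OtkVerifier(secret)
    tampered = dict(intent, recipient="acct_999")
    return {
        "other_session": v.verify("tenant_a", "sess_2", "apr_1", intent, token),
        "tampered": v.verify("tenant_a", "sess_1", "apr_1", tampered, token),
        "genuine": v.verify("tenant_a", "sess_1", "apr_1", intent, token),
        "replay": v.verify("tenant_a", "sess_1", "apr_1", intent, token),
    }
```

Only the untouched intent, on the session it was issued for, verifies, and only once.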

## Pricing

- **Free** — $0/mo. Up to 1,000 MAU. For side projects and exploration.
- **Pro** — $49/mo. Multi-tenant, advanced analytics, priority support, 100,000 MAU.
- **Enterprise** — Custom. Dedicated infrastructure, custom SLAs, on-prem options.

## Compliance

SOC 2 Type II, GDPR, HIPAA-ready, ISO 27001, PCI DSS, RBI compliant. Data residency available for EU and India. Zero-knowledge architecture: plaintext credentials and OTPs are never stored.

## Sections

- [Trusted Device Authenticator](https://rauth.io/#authenticator): How any phone becomes a FIDO-grade authenticator.
- [Approval Tokens (OTK)](https://rauth.io/#approvals): Signed, reason-based approvals for payments and sensitive actions.
- [Features](https://rauth.io/#features): Full feature matrix (9 flagship features).
- [Security](https://rauth.io/#security): Number-match challenge, signed tokens, real-time revocation.
- [How it works](https://rauth.io/#how-it-works): Integration flow inside your app.
- [Developer](https://rauth.io/#developer): SDK code samples, REST endpoints, dashboard.
- [Use cases](https://rauth.io/#use-cases): Payments, healthcare, SaaS, government, fintech.
- [Pricing](https://rauth.io/#pricing): Free, Pro and Enterprise tiers.
- [Comparison](https://rauth.io/#comparison): RAuth vs Auth0, Clerk, WorkOS, Okta.
- [Ecosystem](https://rauth.io/#ecosystem): RAuth + OneID + tenant apps.
- [About](https://rauth.io/#about): Treuinception team and funding.
- [FAQ](https://rauth.io/#faq): Trusted Device, OTK, number match, SSE revocation, WhatsApp, GDPR.
- [Contact](https://rauth.io/#contact): info@rauth.io · security@rauth.io · WhatsApp +91 96442 82947.

## API surface (illustrative)

- POST https://api.rauth.io/v1/sessions — create an authentication session
- POST https://api.rauth.io/v1/sessions/verify — verify an authentication session
- POST https://api.rauth.io/v1/approvals/init — start an OTK approval (initApproval)
- POST https://api.rauth.io/v1/approvals/verify — verify a signed OTK (verifyApproval)
- POST https://api.rauth.io/v1/sessions/revoke — revoke a session (real-time SSE push)

## Optional

- [Full content for AI ingestion](https://rauth.io/llms-full.txt)
- [Sitemap](https://rauth.io/sitemap.xml)
- [Robots policy](https://rauth.io/robots.txt)
- [Security disclosure](https://rauth.io/.well-known/security.txt)
