Access-first authentication infrastructure for secure, real-time authorization using QR flows and device-bound cryptographic keys.
- Device-bound cryptographic authentication
- Challenge-response verification for every access request
- Short-lived, single-use authorization challenges
- Secure local storage for sensitive data
- Server-side verification of all authorization decisions
- A short-lived authorization request is created by the service
- The request is delivered to the mobile app (QR or mobile flow)
- The user explicitly approves or denies the request
- The device signs a unique challenge using a secure key
- The backend verifies the signature before granting access
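The five steps above, worked through as an added example that is not Toqen.app's own code: the backend mints a random, short-lived challenge, the device signs it with a key that never leaves the device, and the backend alone decides whether the signature is accepted. Ed25519, the in-memory maps, the `toqen-auth:` domain prefix and the `Server`/`Challenge` names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Challenge is one short-lived authorization request held by the backend; its ID is what the QR code carries.
type Challenge struct {
	ID      string
	Nonce   []byte
	Expires time.Time
}
// Server keeps enrolled device public keys and open challenges (in memory, for the example only).
type Server struct {
	Devices    map[string]ed25519.PublicKey
	Challenges map[string]*Challenge
	TTL        time.Duration
}
// NewChallenge mints a fresh 32-byte random nonce that expires after TTL.
func (s *Server) NewChallenge(now time.Time) *Challenge {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand, never returns an error on current Go
	c := &Challenge{ID: hex.EncodeToString(nonce), Nonce: nonce, Expires: now.Add(s.TTL)}
	s.Challenges[c.ID] = c
	return c
}
// payload binds the signature to one device and one nonce so it cannot be replayed for another request.
func payload(c *Challenge, deviceID string) []byte {
	return append([]byte("toqen-auth:"+deviceID+":"), c.Nonce...)
}
// DeviceApprove is the app's step after the user explicitly approves: sign with the device-bound private key.
func DeviceApprove(priv ed25519.PrivateKey, c *Challenge, deviceID string) []byte {
	return ed25519.Sign(priv, payload(c, deviceID))
}
// Verify is the backend's only decision point; the challenge is deleted on success so it is single-use.
func (s *Server) Verify(id, deviceID string, sig []byte, now time.Time) error {
	c, ok := s.Challenges[id]
	if !ok || now.After(c.Expires) {
		return errors.New("challenge unknown, already used or expired")
	}
	if pub, ok := s.Devices[deviceID]; !ok || !ed25519.Verify(pub, payload(c, deviceID), sig) {
		return errors.New("signature does not verify for this device")
	}
	delete(s.Challenges, id)
	return nil
}
```

A replayed signature, an expired challenge, a signature over a different nonce, and a signature presented for a device other than the one that made it are all rejected by `Verify`, which is where every one of those checks lives.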
This repository is publicly available to support transparency and independent technical review.
It enables developers, security engineers, and partners to:
- inspect the architecture
- understand the authorization flow
- evaluate the security model in practice
The Toqen.app mobile app participates in authorization flows by:
- scanning and processing authorization requests
- performing device-bound cryptographic operations
- confirming user intent
- securely storing device secrets
All authorization decisions are enforced by the backend. The mobile application does not act as a source of truth.
- System overview
- Architecture
- Authorization flows
- QR request format
- Security model
- Secure storage
- API contracts
- Threat model
- Build and release
- Security policy
Development is ongoing.
This repository is source-available.
Access to the source code is provided for review and evaluation. Usage, redistribution, modification, and production deployment are governed by the license in this repository.