toa://auth
auth.toaweb.com

Headless user management and RBAC

toa://auth solves the problem of building auth from scratch in every new app. Instead of duplicating user models, password hashing, and session logic across toa://blog, toa://wowchar and future apps, auth is extracted into one dedicated service. Every toa:// app becomes a client — verifying JWT tokens against toa://auth via a shared API key. The philosophy is privacy by default: collect only what is technically necessary, hash IPs, encrypt emails at rest, and provide full GDPR-compliant data export and deletion.

→ github: coming soon
VERSION: v1.0.0
STATUS: 200 OK
UPDATED: 8 Apr 2026
CATEGORY: Security
SELF-HOSTED: Yes
DOMAIN: auth.toaweb.com
FEATURES
JWT + Refresh token rotation
Access tokens expire after 15 minutes. Refresh tokens rotate on every use — reuse of an old refresh token triggers automatic revocation of all sessions (replay attack protection).
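The rotation and reuse-detection rule described above, as an added Python example that is not toa://auth's own code: refresh tokens are kept only as SHA-256 hashes, an in-memory dict stands in for the database table, and the session ids and user names are constructed placeholders.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class RefreshSession:
    user: str
    current_hash: str   # hash of the one refresh token this session still accepts
    revoked: bool = False

def _h(token: str) -> str:
    # Only hashes are stored, so a database dump yields no usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class RefreshStore:
    """In-memory stand-in for the refresh-session table (constructed for this example)."""
    def __init__(self) -> None:
        self.sessions: Dict[str, RefreshSession] = {}  # session id -> session
        self.by_hash: Dict[str, str] = {}  # every token hash ever issued -> session id

    def login(self, user: str) -> str:
        """Start a new session (one per device) and return its first refresh token."""
        token, sid = secrets.token_urlsafe(32), secrets.token_hex(8)
        self.sessions[sid] = RefreshSession(user=user, current_hash=_h(token))
        self.by_hash[_h(token)] = sid
        return token

    def refresh(self, token: str) -> Optional[str]:
        """Rotate the token; return the replacement, or None when the request is rejected."""
        sid = self.by_hash.get(_h(token))
        if sid is None:
            return None  # never issued: reject, nothing to revoke
        session = self.sessions[sid]
        if session.revoked:
            return None
        if _h(token) != session.current_hash:
            # A superseded token came back, so a second party holds a copy: revoke every session.
            self.revoke_all(session.user)
            return None
        new_token = secrets.token_urlsafe(32)
        session.current_hash = _h(new_token)  # old hash stays in by_hash as "superseded"
        self.by_hash[_h(new_token)] = sid
        return new_token

    def revoke_all(self, user: str) -> int:
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)  # how many sessions were still active
```

A real deployment would persist the two maps and also bind each session to the access token's JWT claims; the reuse check itself is unchanged.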
Argon2id password hashing
Uses pwdlib[argon2] — the memory-hard Argon2id algorithm. Parameters: 64 MB memory, 3 iterations, parallelism 4. Its memory cost makes it far more resistant than bcrypt to GPU cracking.
Role-based access control (RBAC)
Roles are assigned per site, not globally. An editor on toa://games cannot access toa://blog. Sites register with toa://auth and define their own role sets.
Rate limiting + account lockout
Max 5 login attempts per IP per minute via slowapi. After 10 failed attempts the account locks for 15 minutes. Constant-time comparisons keep response timing from revealing whether a username exists.
Session manager
Users can see all active sessions with device, IP hash, and last-seen time. Individual sessions can be revoked, or all sessions revoked at once.
API key system
Service-to-service authentication via scoped API keys. Keys are shown once at creation and stored only as a hash. Scopes: read:content, write:content, admin.
Audit trail
All auth events logged: login, logout, token refresh, failed attempts, password reset. IPs are SHA-256 hashed — never stored in plaintext. Logs anonymised after 90 days.
Privacy by default
Only username and password hash are required. Email is optional, AES-256 encrypted at rest, and only used for password reset. No names, no profile data, no tracking.
ROADMAP
Phase 1 — Core auth: register, login, JWT, refresh token rotation, logout
Phase 2 — Security layers: rate limiting, account lockout, audit log, IP hashing, email encryption
Phase 3 — RBAC: roles, user_site_roles, session manager, API key system, password reset
Phase 4 — Admin panel: user list, role assignment, session viewer, API key manager, audit log
Phase 5 — Integration: migrate toa://blog and toa://wowchar to use toa://auth
TECH STACK
Backend: FastAPI
Database: PostgreSQL 17
Password hashing: pwdlib[argon2]
Tokens: PyJWT 2.x
Rate limiting: slowapi
Email encryption: cryptography (AES-256)
Migrations: Alembic
Frontend: Nuxt 4 (admin panel)
Infra: Docker + Traefik
APP INFO
Status: 200 OK
Version: v1.0.0
Last updated: 8 Apr 2026
Category: Security
Features: 8
Self-hosted: Yes — Bergen, NO