Usage-based authentication. Drop-in OAuth, JWT & passkeys.
The Auth0, Clerk & Stytch alternative built for devs who hate per-seat pricing. OAuth 2.0, JWT, SSO, passwordless, and WebAuthn passkeys — first-class SDKs for Flutter, .NET & web. Pay only for active users.
One handshake, every Stack
Standard OAuth 2.0 with PKCE. No proprietary protocol, no client secret in your binary. Drop in the SDK or wire it by hand.
Client requests
Your app calls the AuthStack SDK or hits /authorize directly.
GET /oauth/authorize?
client_id=as_live_•••
redirect_uri=app://cb AuthStack verifies
We handle sign-in, MFA, provider exchange — issue scoped tokens.
// 302 redirect back
?code="ax_oNc7…"
&state="<nonce>" Your API trusts
Exchange the code, validate the JWT, you have a verified user.
Authorization:
Bearer eyJhbGciOi…
// signed by AuthStack Drop in, ship today
First-party SDKs for the platforms VooStack ships on. Or skip the SDK — it's standard OAuth 2.0 + JWT, every step of the way.
import 'package:voo_authstack_client/voo_authstack_client.dart';
final client = AuthStackClient(
clientId: 'as_live_•••',
baseUrl: 'https://app.authstack.voostack.com',
);
final session = await client.signInWithProvider(
OAuthProvider.google,
);
context.go('/dashboard', extra: session.user); Read the Flutter SDK guide → using AuthStack.Client;
var client = new AuthStackClient(new AuthStackOptions
{
ClientId = "as_live_•••",
BaseUrl = "https://app.authstack.voostack.com",
});
var session = await client.ExchangeCodeAsync(code, redirectUri);
HttpContext.User = session.Principal; Read the .NET SDK guide → # 1. send the user to /authorize
open "https://app.authstack.voostack.com/oauth/authorize?\
client_id=as_live_•••&\
response_type=code&\
redirect_uri=https://your.app/callback"
# 2. exchange the code for a JWT
curl -X POST https://app.authstack.voostack.com/oauth/token \
-d 'grant_type=authorization_code' \
-d 'code=ax_oNc7…' \
-d 'client_id=as_live_•••' Read the REST API reference → Five OAuth providers, one client
Configure provider credentials once at the org level. Scope which providers are enabled per application. No code changes to add or remove.
Everything an auth layer should be
No half-features. Each piece is production-ready on day one, with the boring parts (rotation, replay protection, rate limits) handled.
OAuth 2.0 + PKCE
Standards-compliant authorization code flow with PKCE for public clients. No custom protocols, no SDK lock-in.
JWT tokens
Signed access and refresh tokens. Configurable expiry, scope-based claims, and key rotation handled for you.
Hosted sign-in
A polished login surface that adopts your brand colors and logo per application. Customers stay in your visual world.
Org & app model
Organizations own applications, applications own users. Role-based access for owners, admins, members, viewers.
Audit trail
Every sign-in, every secret rotation, every config change is logged with actor, target, and outcome.
Webhooks
Subscribe to user.created, session.revoked, application.* events. HMAC-signed payloads, retry with backoff.
MAU-based authentication pricing — no seats, no tiers
The Auth0 / Clerk / Stytch alternative for teams tired of per-seat bills. 1,000 monthly active users free every month — after that, a flat per-MAU rate. Pay for actual sign-ins, not for sales reps you never hired.
Built like a vault, from day one
Every default is the cautious one. The boring, well-studied primitives — not a clever in-house cipher anywhere in sight.
bcrypt @ cost 12, per-user salt, peppered server-side.
JWT RS256 with rotating 4096-bit keys, 15-min access TTL.
Per-IP and per-account throttles on /token and /authorize.
Every state change is logged with actor, target, outcome, ip.
TLS 1.3 only. HSTS preloaded. No HTTP fallback, ever.
Nonces on every code exchange. Authorization codes single-use.
Start in two minutes.
Sign up, create an application, drop a client ID into your SDK. That's the whole onboarding. No sales call required.