What is passwordless authentication?

Passwordless authentication lets users sign in without creating or remembering a password. Logintoo emails a one-time access code; entering the correct code proves the user controls that email address.

How does Logintoo sign users in?

Logintoo is an OAuth 2.0 Authorization Server with PKCE. Your site redirects the user to Logintoo, the user enters their email and the one-time code, and Logintoo returns an access token (a signed JWT) plus a rotating refresh token.

Which standards does Logintoo use?

Logintoo follows OAuth 2.0 (RFC 6749), Proof Key for Code Exchange / PKCE (RFC 7636), and JSON Web Tokens (RFC 7519).

Is Logintoo open source?

Yes. The authorization server and a sample application are open source and can be self-hosted on AWS using the AWS Cloud Development Kit.

Your web browser must have JavaScript enabled in order for this website to display correctly.

Open-source · OAuth 2.0 + PKCE

Passwordless authentication
for your website

Let people sign in with a one-time code emailed to them — no passwords to create, remember, store, or leak. Logintoo is an OAuth 2.0 authorization server you can self-host.

Try the live demo See how it works

How it works: for your users

Four steps, no password anywhere in sight.

1
A visitor taps Log in or Sign up on your site and is sent to the Logintoo authorization server, where they enter their email address.
2
Logintoo emails a one-time access code to that address.
3
The visitor enters the code. Logintoo verifies it — proving they control the inbox — and sends them back to your site with an access token.
4
Your site uses the token to grant access. The user has no password to remember, and you have none to store or protect.

How it works: under the hood

Standard OAuth 2.0 with PKCE — Logintoo just replaces the password with a one-time code.

RFC 6749 The OAuth 2.0 Authorization Framework RFC 7636 Proof Key for Code Exchange (PKCE) RFC 7519 JSON Web Token (JWT) RFC 9700 Best Current Practice for OAuth 2.0 Security

Reference architecture

Three components work together:

Your website

The OAuth 2.0 client. It can be a static / JAMstack site.

Your API

The resource server that serves user requests. It can be serverless with API Gateway and Lambda.

Logintoo

The OAuth 2.0 authorization server that authenticates users and issues access tokens. Open source — deploy your own on AWS.

The workflow

1
Your site (the client) requests an access token from the authorization server, following the OAuth 2.0 and PKCE exchange in RFC 6749 and RFC 7636.
2
The authorization server authenticates the user by emailing and validating a one-time code, then issues an access token.
3
Your site calls your API (the resource server), presenting the access token — a signed JWT.
4
The resource server validates the token and, if valid, serves the request.

The authorization server also issues and rotates refresh tokens, used to obtain a new access token when the current one expires. A single authorization server can issue tokens for many resource servers.

Open source

Read the code, file an issue, or self-host the whole stack. It lives on GitLab.

Authorization Server gitlab.com/logintoo/logintoo-authorization-server The OAuth 2.0 + PKCE server that emails one-time codes and issues JWTs. Deploys to AWS with the CDK. Sample App gitlab.com/logintoo/logintoo-sample-app A working client that redirects to Logintoo, receives tokens, and calls a protected API.

API reference Live demo

Why passwordless?

Passwords are the weak point attackers reach for first. Remove them, and a whole class of breaches goes with them — said better by the people who study it: