Every Feature You Need.
Nothing You Don't.

ZenoAuth ships as a single binary with every capability built in. No plugins to install, no tiers to unlock, no surprise invoices.

Verifiable Credentials

The first lightweight, self-hosted IAM with native W3C Verifiable Credential support. Issue, verify, and revoke SD-JWT credentials in the same binary. No other self-hosted IAM platform offers both OID4VCI issuance and OID4VP verification.

SD-JWT Credential Issuance (OID4VCI 1.0)

Issue W3C Verifiable Credentials in SD-JWT format (RFC 9901) with selective disclosure. Users store credentials in their digital wallet and choose exactly which claims to reveal when presenting them — proving "I work at Acme Corp" without revealing their specific role.

  • Authorization code and pre-authorized issuance flows
  • ECDSA P-256 signing (OID4VC HAIP compliant)
  • Credential offer delivery via email and QR code
  • Configurable credential types with claims schemas
  • Bitstring Status List for privacy-preserving revocation

OID4VCI Pre-Authorized Flow

    # 1. Admin creates credential offer
    POST /api/v1/credential-offers
    { "user_id": "usr_abc123", "credential_type_id": "employee_badge" }

    # 2. User scans QR or clicks email link

    # 3. Wallet exchanges pre-authorized code
    POST /oauth/token
    grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code

    # 4. Wallet receives SD-JWT VC
    POST /credentials
    { "format": "vc+sd-jwt" }

Credential Types management showing vc+sd-jwt formats, claims schemas, and active status
Issued Credentials table with active, revoked, and expired status badges
Trusted Issuers with DIDs, trust frameworks, and accepted credential types
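
How the selective disclosure described above works at the payload level, as an added Python example that is not ZenoAuth's code: the issuer puts only salted SHA-256 digests of the disclosable claims into `_sd`, and the verifier accepts a presented disclosure only if its digest is listed there. The claim values and issuer URL are constructed, and the issuer's ECDSA signature over the payload is assumed to be verified separately.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name, value):
    """Return (disclosure, digest) for one selectively disclosable claim."""
    salt = b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
    disclosure = b64url(json.dumps([salt, name, value]).encode("utf-8"))
    digest = b64url(hashlib.sha256(disclosure.encode("ascii")).digest())
    return disclosure, digest

def issue(always_visible, disclosable):
    """Issuer side: the payload carries only digests of disclosable claims."""
    pairs = {k: make_disclosure(k, v) for k, v in disclosable.items()}
    payload = dict(always_visible, _sd_alg="sha-256",
                   _sd=sorted(d for _, d in pairs.values()))
    return payload, {k: disc for k, (disc, _) in pairs.items()}

def verify_presentation(payload, presented):
    """Verifier side: accept a disclosure only if its digest is in _sd."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    remaining = set(payload.get("_sd", []))
    for disc in presented:
        digest = b64url(hashlib.sha256(disc.encode("ascii")).digest())
        if digest not in remaining:
            raise ValueError("disclosure does not match any digest in _sd")
        remaining.discard(digest)  # a digest may be satisfied only once
        padded = disc + "=" * (-len(disc) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        if name in claims or name in ("_sd", "..."):
            raise ValueError("claim name collision")
        claims[name] = value
    return claims

# Constructed sample credential: employer is revealed, role is withheld.
PAYLOAD, DISCLOSURES = issue(
    {"iss": "https://issuer.example", "vct": "employee_badge"},
    {"employer": "Acme Corp", "role": "Staff Engineer"})
REVEALED = verify_presentation(PAYLOAD, [DISCLOSURES["employer"]])
```

The verifier never sees the `role` value, and because each digest is salted it cannot guess the withheld claim by hashing candidate values.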

Wallet-Based Authentication (OID4VP 1.0)

Accept Verifiable Presentations from digital wallets as a first-class login method. Validate cryptographic signatures, check credential status, verify the issuer against trusted registries, and map claims to user sessions and RBAC roles — all automatically.

SCIM-to-VC Pipeline

When HR provisions a user via SCIM, ZenoAuth automatically generates a credential offer. The user receives it via email or QR code, opens their wallet, and picks up a verifiable credential — zero manual intervention.

Multi-Tenant Issuance

Each organization gets its own issuer DID (did:web:domain:orgs:slug), signing keys, credential types, and trust registries. Full isolation in a shared deployment.

Credential-Augmented RBAC

Map credential claims to roles and permissions with a rules engine. Conditions like clearance_level >= secret grant roles automatically. Bridges organizational RBAC with cross-org credentials.

Cross-Org Federation

Invitation-based trust between ZenoAuth instances. Accept credentials from partner organizations without SAML configuration or OIDC federation setup — just trust their DID.

Standards: OID4VCI 1.0 · OID4VP 1.0 · SD-JWT (RFC 9901) · W3C VC Data Model 2.0 · Bitstring Status List · did:web · DCQL · Presentation Exchange 2.0

Authentication & Authorization

Standards-compliant identity protocols with modern security primitives.

OAuth 2.0 & OpenID Connect

Full standards implementation covering every production flow. Authorization code with PKCE, client credentials, device authorization, and refresh token rotation.

  • Pushed Authorization Requests (RFC 9126)
  • Dynamic Client Registration (RFC 7591)
  • Token introspection and revocation (RFC 7662 / 7009)
  • JWKS endpoint with automatic key rotation
  • OpenID Connect Discovery
OAuth client management showing registered applications, client IDs, and grant types

Multi-Factor Authentication

TOTP, WebAuthn/Passkeys (FIDO2), SMS and email OTP, magic link passwordless login. Group-level enforcement policies for compliance requirements.

External SSO Integration

Connect to existing identity providers via SAML 2.0 and OpenID Connect federation. Support for Google Workspace, Azure AD, Okta, and custom SAML/OIDC providers.

Hierarchical Role-Based Access Control

Fine-grained RBAC with role inheritance, custom permissions in resource:action format, and organization-scoped isolation. Assign roles to individual users or entire groups. Supports nested group membership with transitive permission resolution.

Enterprise Integration

Connect ZenoAuth to your existing infrastructure and identity ecosystem.

Bidirectional SCIM v2 Provisioning

Enterprise user and group provisioning that works in both directions. Receive users from Okta, Azure AD, and Google Workspace. Push users and group structures to Slack, ServiceNow, and other SCIM-compatible systems.

  • Nested groups with transitive membership resolution
  • Event-driven and scheduled bidirectional sync
  • Custom attribute mapping rules
  • RFC 7643/7644 compliant
  • Bulk operations for large-scale provisioning
User management showing accounts, roles, MFA status, and login history

LDAP/AD Sync

Synchronize users and groups from Active Directory and LDAP directories. Scheduled sync with conflict resolution and attribute mapping.

Custom Domains

Serve authentication flows from your own domain. Automatic TLS certificate provisioning and renewal. White-label login pages.

157+ API Endpoints

Comprehensive REST API for every operation. OpenAPI documentation, webhook notifications, and management SDKs for common languages.

Security & Compliance

Built for regulated industries and security-conscious organizations.

GDPR Compliance

Full data export and deletion with configurable grace periods. Consent management, data retention policies, and right-to-erasure workflows built in.

Break Glass Access

Emergency access procedures for critical situations. Audited override capabilities with mandatory justification and automatic escalation notifications.

MFA Group Enforcement

Require specific MFA methods for user groups. Enforce WebAuthn for admins, TOTP for regular users, or any combination that matches your security posture.

Rate Limiting & Brute Force Protection

Configurable rate limits per endpoint, IP-based throttling, and progressive delays. Automatic account lockout with configurable thresholds and cooldown periods.

Operations & Observability

Tools to run, monitor, and manage your identity infrastructure.

Admin Dashboard

A modern administration interface built with Next.js 15 and React 19. Manage users, OAuth clients, groups, scopes, SSO providers, and system configuration from a single responsive interface.

  • Real-time system health monitoring
  • User and client CRUD with search and filtering
  • Dark mode with accessible contrast ratios
  • Responsive design for tablet and desktop
ZenoAuth admin dashboard with system metrics, health indicators, and recent activity
Audit log viewer with severity badges, timestamps, and correlation IDs

Comprehensive Audit Logging

Every authentication event, configuration change, and admin action is logged with correlation IDs. Searchable, filterable, and exportable for compliance reporting and incident analysis.

Analytics dashboard with user activity charts and OAuth metrics

Analytics & Reporting

Track authentication patterns, user activity, token usage, and security events. Built-in charts and data export for integration with your existing monitoring stack.

Key Management

Automatic key rotation with configurable schedules. Grace periods for token validation during rotation. Emergency revocation for compromised keys.

Session Management

View and revoke active sessions across all users. Configurable session lifetimes, idle timeouts, and concurrent session limits per user or group.

Performance

11 MB binary, ~50 MB memory footprint. No garbage collection pauses. Handles thousands of concurrent authentications with sub-millisecond token validation.

SSO Provider Management

Configure and manage external identity providers from the admin interface. Support for SAML 2.0, OpenID Connect, Google Workspace, Azure AD, and custom providers. Test connections, view metadata, and monitor federation status in real time.

  • One-click provider setup for major IdPs
  • Attribute mapping and claim transformation
  • JIT (Just-In-Time) user provisioning
  • Federation metadata auto-refresh
SSO provider configuration showing connected identity providers and federation status

All Features. One Binary. One Price.

No feature gates, no per-user surcharges. Every capability ships with every deployment.
