Authorization Code Flow
Standard OAuth2 for web applications, with PKCE support for public clients. Secure redirect-based authentication.
Single sign-on for every application
AuthLayer is a multi-tenant identity provider built on OAuth2 and OpenID Connect. Add "Sign in with AuthLayer" to any application in minutes — manage your organisation's users, apps, and permissions from one dashboard.
Free for development · Standards-based OAuth2 + OIDC · Your users, your data
Standards-based SSO that works with any application — web, mobile, or API. Set up in minutes, not months.
Standard OAuth2 for web applications, with PKCE support for public clients. Secure redirect-based authentication.
Service-to-service authentication without user interaction. Ideal for backend integrations and microservices.
ID tokens with standard claims — sub, email, name, and more. Full OIDC Discovery and UserInfo endpoints.
Resource servers can verify tokens in real-time without shared secrets. RFC 7662 compliant.
Register applications, manage client secrets, configure redirect URIs — all from a clean, intuitive portal.
Every organisation is its own isolated directory. Manage users, roles, and applications per tenant — like Active Directory in the cloud.
Fine-grained OAuth scopes control what each application can access. Members, developers, and administrators get different capabilities.
Publish your public keys at a well-known endpoint. Resource servers verify JWTs without calling back to AuthLayer.
Native integration with SupportLayer and ProjectLayer. One identity across all your tools — or use it standalone with any app.
Create an organisation, then register your app in the developer dashboard. You'll get a client_id and client_secret instantly.
Send users to the /oauth/authorize endpoint. They sign in once and approve your app. AuthLayer handles the rest.
Your backend calls /oauth/token with the authorization code. You get an access token and an optional ID token with user claims.
One rate. No tiers. No per-connection fees. Calculate your bill in your head, not a spreadsheet.
For side projects and validation. No credit card required.
Get started freePay only for what you use. No base fee. Scales with your growth.
For teams that need compliance, SLAs, and dedicated support.
Talk to salesPasswords hashed with bcrypt/argon2 — industry-standard adaptive hashing that resists brute force.
All endpoints enforce HTTPS. Tokens are never transmitted in the clear.
Access tokens expire in one hour. Refresh tokens rotate on every use. Compromised tokens have a short blast radius.
Proof Key for Code Exchange prevents authorization code interception on mobile and SPA applications.
Login, registration, and token endpoints are rate-limited to prevent credential stuffing and abuse.
Organisation administrators can require multi-factor authentication for all members. Optional by default, mandatory when you need it.
AuthLayer is a multi-tenant OAuth2 and OpenID Connect identity provider. It lets organisations manage users and register applications for single sign-on — similar to Azure AD or Auth0, but built for the Layer ecosystem.
Register your app in the AuthLayer dashboard to get a client_id and client_secret. Then implement the standard OAuth2 Authorization Code flow — any OAuth2 library in any language will work.
Yes. The free plan includes up to 5 user seats per organisation and unlimited OAuth applications. The Pro plan adds more seats and advanced features.
OAuth 2.0 (RFC 6749), OpenID Connect Core, PKCE (RFC 7636), Token Introspection (RFC 7662), and JSON Web Key Sets (RFC 7517).
Absolutely. AuthLayer is a standards-based SSO provider. Any application that supports OAuth2 or OpenID Connect can use it — regardless of language, framework, or platform.
Each organisation is a separate tenant with its own user directory, roles, and OAuth applications. Users can belong to multiple organisations and switch between them.