Authentication + OAuth Worker

Full identity platform, built in-house

Email, OAuth, Magic Links, WhatsApp OTP, SMS OTP, MFA — plus a complete OAuth Worker that turns zMesh into your Identity Provider with OIDC, PKCE, RBAC, and hosted login. Like Auth0, but built into your BaaS.

8 Auth Methods

Every way to authenticate

Email, social login, passwordless, OTP, MFA, and full OAuth provider — all built-in, no third-party services.

Email / Password: Classic auth with verification & reset (Built-in)
Google OAuth: One-click Google social login (Built-in)
GitHub OAuth: Developer-friendly GitHub login (Built-in)
Magic Links: Passwordless email authentication (Built-in)
WhatsApp OTP: OTP via WhatsApp (Meta Business) (Built-in)
SMS OTP: OTP via Twilio, MSG91, 2Factor (Built-in)
MFA / TOTP: Authenticator app 2FA (Google Auth, etc.) (Built-in)
OIDC Provider: Use zMesh as your Auth0 replacement (Exclusive)

OAuth Worker — your own Auth0

zMesh isn't just an auth consumer. It's a full-blown Identity Provider with OIDC discovery, PKCE, and RBAC — so other apps can 'Sign in with zMesh'.

Identity Provider (IdP)

zMesh acts as a complete OAuth 2.0 / OIDC provider. Other apps can use 'Sign in with zMesh' — just like Auth0 or Okta.

OIDC Discovery & JWKS

Full .well-known/openid-configuration and JWKS endpoints. Any OIDC-compliant client can integrate with your zMesh project.

PKCE Support (S256)

Proof Key for Code Exchange for secure mobile and SPA authentication. Supports both S256 and plain challenge methods.

RBAC in JWTs

Roles and permissions are automatically injected into every JWT. Define admin, editor, viewer — or custom roles per project.

3 Grant Types

authorization_code for web apps, refresh_token for seamless re-auth, client_credentials for server-to-server — all supported.

Hosted Login Pages

Built-in branded login pages per project. No need to build your own login UI — configure and go.

OAuth Worker Flow

Sign in with zMesh

Watch how the OAuth Worker handles the full authorization code flow with PKCE — from redirect to token exchange, complete with RBAC-enriched JWTs.

Full OIDC-compliant authorization server
PKCE (S256) for mobile & SPA security
Roles & permissions injected in JWTs
JWKS endpoint for token verification
authorization_code + refresh_token + client_credentials
OAuth Worker — Identity Provider
Like Auth0
Discovery: /.well-known/openid-configuration
JWKS: /.well-known/jwks.json
Authorize: /oauth/authorize
Token: /oauth/token

1. REDIRECT: Your app redirects to zMesh authorize endpoint
2. AUTHENTICATE: zMesh shows hosted login (email, OAuth, OTP)
3. PKCE VERIFY: PKCE code_challenge verified (S256)
4. AUTH CODE: Authorization code issued
5. TOKEN EXCHANGE: access + refresh + id_token
6. COMPLETE: JWT with roles & permissions returned ✓

authorization_code · refresh_token · client_credentials · PKCE (S256)
Features

Production-ready auth system

Every auth feature you need — social login, passwordless, OTP, MFA, RBAC, sessions — all built in from day one.

Email & Password

Classic auth with email verification, password reset, account recovery, and configurable password policies.

Google & GitHub OAuth

One-click social login with automatic user creation. OAuth state signing and CSRF protection built-in.

Magic Links

Passwordless email authentication. Send a secure link — user clicks it, they're logged in. Zero friction.

WhatsApp OTP

Send OTP via WhatsApp using Meta Business API. India-first, works beautifully on Indian phone numbers.

SMS OTP

OTP via Twilio, MSG91, or 2Factor. Multiple provider support with automatic fallback.

Multi-Factor Auth (TOTP)

TOTP-based MFA compatible with Google Authenticator, Authy, and any authenticator app. Enable per-user or enforce org-wide.

Role-Based Access Control

Define roles (admin, editor, viewer) and permissions. RBAC is injected directly into JWTs for zero-latency authorization checks.

JWT with Refresh Tokens

Secure JWT sessions with configurable expiry. Refresh tokens for seamless re-authentication without re-login.

User Management Dashboard

View, search, disable, delete users. Assign roles, metadata, and see auth methods per user from the dashboard.

Auth Methods: 8
MAU (Free): 50K
OTP Providers: 4+
Grant Types: 3
Token Verify: <2ms
How It Works

From zero to auth in 4 steps

Configure providers, add sign-in, protect routes, use as IdP.

1. Configure auth methods

Enable email, Google, GitHub, Magic Links, WhatsApp OTP, SMS OTP, and MFA from the dashboard. Set redirect URLs, branding, and RBAC roles.

2. Add sign-in to your app

Use pre-built hosted login pages or build custom forms with the SDK. All 8 auth methods, one unified API.

3. Protect your routes

Verify JWT tokens server-side with one line. RBAC roles and permissions are embedded in every token. Row-level security for database queries.

4. Use as Identity Provider

Enable the OAuth Worker to let other apps 'Sign in with zMesh'. Full OIDC, PKCE, and JWKS: your own Auth0.

Auth Flow Visualizer

See how auth works, step by step

Watch the complete authentication flow — from user sign-in to JWT generation with RBAC roles. Every step is secure by default.

Credentials validated server-side
RBAC roles injected into JWT
Sessions stored securely
Auto-refresh on token expiry
MFA verification when enabled
Auth Flow (visualizer components): Client App, zMesh Auth, JWT + RBAC, Session Store
Step 1 / 5: User clicks Sign In

Active Sessions (4 active)
alice@acme.io | Chrome / macOS · Google OAuth | admin | 2 min ago
bob@acme.io | Safari / iOS · Magic Link | editor | 5 min ago
+91-98765xxxxx | Chrome / Android · WhatsApp OTP | viewer | 8 min ago
eve@acme.io | Firefox / Windows · Email + MFA | admin | 12 min ago

JWT Token with RBAC (decoded)
{
  "sub": "usr_a1b2c3",
  "email": "alice@acme.io",
  "roles": ["admin"],
  "permissions": ["read", "write", "delete"],
  "mfa_verified": true,
  "exp": 1743033600
}
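
An added example (not part of the zMesh SDK) of the route-side check on claims shaped like the decoded token above. It assumes the signature, issuer and audience were already verified against the JWKS endpoint; `authorize`, `MFA_REQUIRED` and the 30-second leeway are hypothetical choices for this illustration.

```python
import time
from typing import Optional, Tuple

# Claims copied from the decoded token shown on this page.
SAMPLE_CLAIMS = {
    "sub": "usr_a1b2c3",
    "email": "alice@acme.io",
    "roles": ["admin"],
    "permissions": ["read", "write", "delete"],
    "mfa_verified": True,
    "exp": 1743033600,
}

# Constructed policy for this example: permissions that also require MFA.
MFA_REQUIRED = {"delete"}


def authorize(claims: dict, permission: str, now: Optional[float] = None,
              leeway: int = 30) -> Tuple[bool, str]:
    """Decide on already signature-verified claims; returns (allowed, reason)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing or malformed exp"
    if now > exp + leeway:
        return False, "token expired"
    perms = claims.get("permissions")
    # Require a list of strings: with a bare string, `in` would do a
    # substring match and "read" would match "read,write,delete".
    if not isinstance(perms, list) or not all(isinstance(p, str) for p in perms):
        return False, "malformed permissions claim"
    if permission not in perms:
        return False, "permission not granted"
    # Only the literal boolean True counts, not "true" or 1.
    if permission in MFA_REQUIRED and claims.get("mfa_verified") is not True:
        return False, "MFA required"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "delete", now=1743033000))
```

Roles and permissions carried in a token stay in effect until `exp`, so a role change or session revoke only reaches this check once the token is refreshed or a revocation lookup is added.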
Session Management

Monitor every session in real-time

See active sessions with auth method, device, role, and session status. RBAC-enriched JWT tokens show roles and permissions per user. Revoke sessions instantly.

Real-time session monitoring
Auth method per session (OAuth, OTP, Magic Link)
RBAC roles visible per user
Device & IP tracking
One-click session revoke
Decoded JWT with roles & permissions
FREE TIER INCLUDED

Full identity platform, zero config

Free tier includes 50K MAU with all 8 auth methods. OAuth Worker included on all plans.