Schema-Driven UI: Why We Replaced Our Component Library
Component libraries scale poorly when every product has different domain models. We rebuilt Enravo's UI layer around schema definitions — and shipped admin panels in days instead of weeks.
Every product we ship runs on Enravo Core. No exceptions.
Products shipping: 2
Platform underneath: 1
Modular by design
Third-party auth: 0
Modular components that work together — from data to security.
Register multiple API clients — each with its own credentials, login roles, attestation mode, IP allowlist, and endpoint scopes. Mobile, desktop, headless, server — all from one dashboard.
Max active devices per user. Block or replace mode when limits are exceeded. Every device tracked with platform info, IP history, and push tokens.
Every app instance follows a lifecycle: pending → active → revoked → banned. Auto-approval or admin review per client. Instant revocation.
Define your data model as a schema — CRUD endpoints, validation, permission scopes, and OpenAPI docs are generated automatically via UnifiedDriver.
8 default security policies. Per-endpoint auth type, PoP mode, rate limits, IP allowlists, and attestation requirements — all declarative.
40+ abilities organized by module. Wildcard matching (module/*), role-ability mappings, and per-client login role restrictions.
SaaS, mobile apps, API security, multi-client architectures — same core underneath.
Client isolation
Each API client gets its own credentials, login roles, rate limits, and security policies. Consumer app restricts to 'customer' role, admin app to 'administrator'.
Platform types
Mobile, desktop, headless web, server — each client type has its own attestation mode, package whitelist, and endpoint scopes.
Centralized management
Manage all clients, view active apps, monitor devices, and adjust policies from a single admin dashboard.
Multi-tenant isolation
Each tenant gets its own client configuration, role restrictions, and data scoping. One deployment serves multiple organizations.
Schema-driven APIs
Define your data model once — CRUD endpoints, validation, permissions, and docs generated automatically. Ship features faster.
Configurable security per tenant
Enterprise tenants can require PoP + attestation. Free-tier tenants use JWT-only. Same codebase, different policies.
Wrap existing APIs
Enravo Core's security layer sits in front of existing API endpoints. PoP verification, rate limiting, and audit — without rewriting the backend.
Guard pipeline
Up to six verification stages: JWT → Device → PoP → App Chain → Ability Check → Policy. Each stage configurable per client and endpoint — enable what you need.
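The Go program below is an added illustration of that pipeline, written for this page rather than taken from Enravo's code. Each endpoint policy switches on a subset of the six stages, which run in the order listed, and the ability stage implements the `module/*` wildcard matching described in the abilities card. Stage inputs (JWT validity, enrolled device, PoP result, app lifecycle state) are passed in as already-evaluated booleans, so the example shows the orchestration and the wildcard check rather than each underlying verifier; the `EndpointPolicy` and `Request` shapes are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// The six guard stages, in the order the pipeline runs them.
const (
	StageJWT      = "jwt"
	StageDevice   = "device"
	StagePoP      = "pop"
	StageAppChain = "app_chain"
	StageAbility  = "ability_check"
	StagePolicy   = "policy"
)

var stageOrder = []string{StageJWT, StageDevice, StagePoP, StageAppChain, StageAbility, StagePolicy}

// AllStages returns a stage set with every stage switched on.
func AllStages() map[string]bool {
	m := make(map[string]bool, len(stageOrder))
	for _, s := range stageOrder {
		m[s] = true
	}
	return m
}

// EndpointPolicy: which stages run for an endpoint and which ability it needs (assumed shape).
type EndpointPolicy struct {
	Stages          map[string]bool
	RequiredAbility string
}

// Request carries the already-evaluated facts each stage consumes (assumed shape).
type Request struct {
	JWTValid      bool
	DeviceKnown   bool     // device ID maps to an enrolled device
	PoPValid      bool     // X-PoP-Signature verified against the device key
	AppActive     bool     // app instance is in the "active" lifecycle state
	Abilities     []string // abilities granted to the caller's login role
	ClientAllowed bool     // the client's security policy permits this endpoint
}

// abilityMatches implements "module/*" wildcard matching: exact match, or a module wildcard.
func abilityMatches(granted, required string) bool {
	if granted == required {
		return true
	}
	if strings.HasSuffix(granted, "/*") {
		// "orders/*" covers "orders/read" but not "ordersx/read"
		return strings.HasPrefix(required, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// Evaluate runs the enabled stages in order and returns the first one that rejects
// the request, or "" when every enabled stage passes.
func Evaluate(p EndpointPolicy, r Request) string {
	for _, s := range stageOrder {
		if !p.Stages[s] {
			continue // stage not enabled for this endpoint
		}
		var ok bool
		switch s {
		case StageJWT:
			ok = r.JWTValid
		case StageDevice:
			ok = r.DeviceKnown
		case StagePoP:
			ok = r.PoPValid
		case StageAppChain:
			ok = r.AppActive
		case StageAbility:
			for _, g := range r.Abilities {
				if ok = abilityMatches(g, p.RequiredAbility); ok {
					break
				}
			}
		case StagePolicy:
			ok = r.ClientAllowed
		}
		if !ok {
			return s
		}
	}
	return ""
}

func main() {
	// Constructed sample: an admin endpoint with all six stages, caller holds a module wildcard.
	admin := EndpointPolicy{Stages: AllStages(), RequiredAbility: "devices/revoke"}
	req := Request{JWTValid: true, DeviceKnown: true, PoPValid: true, AppActive: true,
		Abilities: []string{"devices/*"}, ClientAllowed: true}
	fmt.Printf("wildcard grant: failed stage=%q\n", Evaluate(admin, req))
}
```

Because the stages run in a fixed order, a failing JWT is reported before a missing PoP signature, and a JWT-only public endpoint never looks at the PoP result at all.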
Auto threat response
5 signature failures auto-block device. 3 attestation failures auto-block. 1 nonce replay triggers instant ban. Brute force → 15-minute IP lockout.
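As an added illustration of those four rules (example code written for this page, not Enravo's), the Go program below keeps per-device and per-IP failure counters and returns the sanction each event triggers. The thresholds are the ones quoted above; the page does not state how many failed logins count as brute force, so the example assumes 10 before the 15-minute IP lockout, and in-memory maps stand in for the shared rate-limit counter store listed under infrastructure.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds quoted on the page. The brute-force attempt count is not given
// there; BruteForceLimit = 10 is an assumed value for this example.
const (
	SigFailLimit    = 5
	AttestFailLimit = 3
	BruteForceLimit = 10
	IPLockout       = 15 * time.Minute
)

type EventKind int

const (
	SigFail     EventKind = iota // PoP signature failed to verify
	AttestFail                   // Play Integrity / App Attest verdict failed
	NonceReplay                  // a nonce already in the replay store was presented
	LoginFail                    // wrong credentials at the login endpoint
)

// Event is one failed check, as the guard pipeline would report it.
type Event struct {
	Kind     EventKind
	DeviceID string
	IP       string
	At       time.Time
}

type Action string

const (
	Counted     Action = "counted"      // below threshold; failure recorded only
	BlockDevice Action = "block_device" // device blocked (an admin can unblock)
	BanDevice   Action = "ban_device"   // device banned outright
	LockoutIP   Action = "lockout_ip"   // source IP locked for IPLockout
	Refused     Action = "refused"      // device or IP already blocked, banned or locked out
)

// state is the counter record for one device or one IP.
type state struct {
	sigFails, attestFails, loginFails int
	blocked, banned                   bool
	lockedUntil                       time.Time
}

// Responder holds per-device and per-IP state; maps stand in for a shared counter store.
type Responder struct{ devices, ips map[string]*state }

func NewResponder() *Responder {
	return &Responder{devices: map[string]*state{}, ips: map[string]*state{}}
}

func get(m map[string]*state, key string) *state {
	if m[key] == nil {
		m[key] = &state{}
	}
	return m[key]
}

// Handle applies the thresholds to one event and returns the action taken.
func (r *Responder) Handle(e Event) Action {
	d, src := get(r.devices, e.DeviceID), get(r.ips, e.IP)
	if d.banned || d.blocked || e.At.Before(src.lockedUntil) {
		return Refused // already sanctioned: the request never reaches the guard stages
	}
	switch e.Kind {
	case SigFail:
		if d.sigFails++; d.sigFails >= SigFailLimit {
			d.blocked = true
			return BlockDevice
		}
	case AttestFail:
		if d.attestFails++; d.attestFails >= AttestFailLimit {
			d.blocked = true
			return BlockDevice
		}
	case NonceReplay: // one replay is conclusive: ban immediately
		d.banned = true
		return BanDevice
	case LoginFail:
		if src.loginFails++; src.loginFails >= BruteForceLimit {
			src.lockedUntil, src.loginFails = e.At.Add(IPLockout), 0
			return LockoutIP
		}
	}
	return Counted
}

func main() {
	r, now := NewResponder(), time.Now()
	for i := 0; i < SigFailLimit; i++ { // constructed: five bad signatures from one device
		fmt.Println(r.Handle(Event{Kind: SigFail, DeviceID: "dev_9f8e7d6c", IP: "203.0.113.7", At: now}))
	}
}
```

The lockout is expressed as an expiry time rather than a flag, so it lapses on its own after 15 minutes; blocks and bans carry no expiry and stay until an operator clears them.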
Device enrollment
Each device generates an ECDSA P-256 keypair on install. The public key is registered — sessions are cryptographically bound to hardware.
Device limits
Max active devices per user. Block mode rejects new logins. Replace mode auto-logs out the oldest device. Configurable per client.
App attestation
Play Integrity and App Attest verify the app is genuine and unmodified before any sensitive operation is allowed.
Enravo Core is the infrastructure behind every product we build. The Platform layer generates APIs from schemas, manages modules, and handles data. The Trust layer provides a configurable guard pipeline — up to six verification stages per endpoint — with device binding, PoP signing, and automatic threat response. Together, they form a single system.
```http
POST /enravo/v1/auth/login
Content-Type: application/json
X-Client-ID: mobile_consumer
X-Device-ID: dev_9f8e7d6c
X-PoP-Signature: eyJhbGciOiJFUzI1NiJ9...

{
  "username": "user@example.com",
  "password": "••••••••",
  "device_info": {
    "platform": "android",
    "app_version": "2.4.1"
  }
}
```

Enravo Trust is the security layer built into Enravo Core. It provides a configurable guard pipeline — each client type and endpoint gets its own security policy. Mobile apps can require Play Integrity + PoP signing, while public APIs use lighter verification. Device binding, attestation, and auto-ban are all opt-in per policy.
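The request above carries an `X-Device-ID` and an `X-PoP-Signature`, and the device enrollment card describes an ECDSA P-256 keypair generated on install whose public key is registered server-side. The Go program below is an added example of that device binding, written for this page and not Enravo's SDK or server code. The header value on the page begins with `eyJhbGciOiJFUzI1NiJ9`, which is the base64url of `{"alg":"ES256"}`, so the real format is a JOSE/JWS structure whose protected claims the page does not give; the example therefore assumes a simpler `nonce.timestamp.base64url(signature)` encoding and an assumed canonical string (method, path, body, nonce, timestamp). The clock-skew window and the in-memory nonce store are also assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// GenerateDeviceKey is the enrollment step: one ECDSA P-256 keypair per install.
// On a phone the private key stays in the Keystore/Keychain; here it is in memory.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// requestDigest hashes what the signature covers, NUL-separated so fields cannot slide
// into each other. This layout is an assumption; the page does not say what Enravo signs.
func requestDigest(method, path, body, nonce string, ts int64) []byte {
	h := sha256.New()
	for _, f := range []string{method, path, body, nonce, strconv.FormatInt(ts, 10)} {
		h.Write([]byte(f))
		h.Write([]byte{0})
	}
	return h.Sum(nil)
}

// Sign draws a fresh 128-bit nonce and returns nonce.timestamp.base64url(sig) (assumed encoding).
func Sign(priv *ecdsa.PrivateKey, method, path, body string, ts int64) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := base64.RawURLEncoding.EncodeToString(raw) // no '.' in the base64url alphabet
	sig, err := ecdsa.SignASN1(rand.Reader, priv, requestDigest(method, path, body, nonce, ts))
	if err != nil {
		return "", err
	}
	return nonce + "." + strconv.FormatInt(ts, 10) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

type Result string

const (
	OK            Result = "ok"
	UnknownDevice Result = "unknown_device"
	BadFormat     Result = "bad_format"
	Stale         Result = "stale_timestamp"
	Replay        Result = "nonce_replay" // the event the page's instant-ban rule keys on
	BadSignature  Result = "bad_signature"
)

// Verifier is the server side: registered public key per device, the nonce replay store
// (a map here, a shared store in production) and the accepted clock skew (assumed value).
type Verifier struct {
	keys   map[string]*ecdsa.PublicKey
	seen   map[string]time.Time
	window time.Duration
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, seen: map[string]time.Time{}, window: window}
}
func (v *Verifier) Register(deviceID string, pub *ecdsa.PublicKey) { v.keys[deviceID] = pub }

// Verify checks a header against the device's registered key. Cheap rejections run before
// the ECDSA verify, and the nonce is recorded only once the signature is known to be valid.
func (v *Verifier) Verify(deviceID, method, path, body, header string, now time.Time) Result {
	pub, ok := v.keys[deviceID]
	if !ok {
		return UnknownDevice
	}
	parts := strings.Split(header, ".")
	if len(parts) != 3 {
		return BadFormat
	}
	ts, err := strconv.ParseInt(parts[1], 10, 64)
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || err2 != nil {
		return BadFormat
	}
	if skew := now.Sub(time.Unix(ts, 0)); skew > v.window || skew < -v.window {
		return Stale // the window also bounds how long nonces must be remembered
	}
	if _, dup := v.seen[parts[0]]; dup {
		return Replay
	}
	if !ecdsa.VerifyASN1(pub, requestDigest(method, path, body, parts[0], ts), sig) {
		return BadSignature
	}
	v.seen[parts[0]] = now
	return OK
}

func main() {
	priv, _ := GenerateDeviceKey()
	v := NewVerifier(5 * time.Minute)
	v.Register("dev_9f8e7d6c", &priv.PublicKey)
	body := `{"username":"user@example.com"}` // constructed login body
	hdr, _ := Sign(priv, "POST", "/enravo/v1/auth/login", body, time.Now().Unix())
	fmt.Println(v.Verify("dev_9f8e7d6c", "POST", "/enravo/v1/auth/login", body, hdr, time.Now()))
	fmt.Println(v.Verify("dev_9f8e7d6c", "POST", "/enravo/v1/auth/login", body, hdr, time.Now()))
}
```

Two properties follow from the structure. A token or header captured from one device fails against another device's registered key, which is what "sessions are cryptographically bound to hardware" amounts to on the server. And because a replayed nonce is rejected before the signature check and recorded only after a valid one, the `Replay` result is a high-confidence signal, which is why the threat-response rules treat a single replay as grounds for an immediate ban.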
| | Traditional Stack | Enravo Core |
|---|---|---|
| Authentication | Third-party auth provider. SDK integration, webhook sync, token format mismatches, vendor lock-in. | Built-in guard pipeline. JWT → Device → PoP → Ability Check — one system, zero dependencies. |
| Device Security | No concept of device management. Tokens work on any device, stolen credentials usable anywhere. | ECDSA P-256 keypairs per device. Sessions bound to hardware. Stolen tokens are worthless. |
| Access Control | Basic role strings. Manual endpoint mapping. No wildcard matching. Grows unmanageable at scale. | 40+ granular abilities. Wildcard matching (module/*). Per-client login role restrictions. |
| Threat Response | Separate WAF. Separate rate limiter. Separate logging. Three vendors, three dashboards, blind spots. | Automatic: 5 sig fails → device blocked. 1 nonce replay → instant ban. Built into the guard layer. |
| API Generation | Hand-write every endpoint. Manual validation. Manual OpenAPI specs. Months of boilerplate. | Define a schema. CRUD endpoints, validation, permissions, and docs generated automatically. |
| Audit Trail | Bolted-on logging service. Incomplete coverage. No correlation between auth events and API calls. | Every request logged — device, client, user, IP, endpoint, ability used, policy applied. |
Every request, device, and threat — tracked in real-time. Dashboard metrics: Requests / 24h, Guard Pass Rate, Active Devices, Threats Blocked.
Client registration, guard pipeline status, device management — from the command line.
SDKs, infrastructure, and security integrations.
Android and JVM backend integration with PoP signing.
iOS integration with Keychain-backed ECDSA keypairs.
Language-agnostic API access. Any client that speaks HTTP.
Primary data store. Schema Engine maps directly to tables.
Session cache, rate limit counters, and nonce replay store.
Containerized deployment. Single image, all layers included.
Google Play app attestation for Android clients.
Apple DeviceCheck attestation for iOS clients.
Proof of Possession signing standard for all platforms.