Every authentication flow starts with a client. Each client defines its own login roles, 2FA rules, password policies, session limits, and token TTLs. The same guard pipeline verifies every request — whether it's a mobile login, a token refresh, or a server-to-server call.
An API client is not just credentials — it's a complete security profile. Each client defines which roles can log in, whether PoP is required, how many devices a user can have, what attestation mode to use, and what happens when limits are exceeded. Mobile, desktop, headless, server, licensed, developer — each platform type has its own security surface.
```json
{
  "client_id": "esc_a1b2c3d4e5f6_9f8e7d6c",
  "client_name": "Mobile Consumer",
  "platform": "mobile",
  "status": "active",

  "login_roles": ["customer"],
  "endpoint_scopes": ["enravo/v1/auth/*", "enravo/v1/account/*"],
  "ip_allowlist": [],

  "require_pop": true,
  "require_attestation": true,
  "max_apps_per_client": 10000,
  "max_devices_per_app": 3,
  "on_device_limit": "replace_oldest",

  "access_token_ttl": 900,
  "refresh_token_ttl": 2592000,

  "2fa_login": {
    "enabled": true,
    "channels": ["sms", "email"],
    "code_length": 6,
    "max_attempts": 5,
    "ttl": 300
  },

  "password_policy": {
    "min_length": 8,
    "require_uppercase": true,
    "require_digit": true,
    "require_symbol": false
  }
}
```

From credentials to issued tokens. Eight security checks run before a token is generated. 2FA is enforced when the client policy requires it.
PoP Verify
PoP signature verified via AuthContext, which also checks app status, license, and ban state
Rate Limit
Dual-key: 5/min per IP plus 10/min per username. Exceeding either limit triggers a 15-minute lockout of that key
Authenticate
Credentials verified against stored hash. User looked up by email, phone, or username
Role Check
User's role matched against client's allowed login roles
2FA Decision
Client policy checked — if 2FA required, returns pending_token for OTP flow
Issue Tokens
JWT access + refresh token generated. Device created or validated. Session initialized
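The six stages above, as an added example in Python; this is not enravo's code, and the names ClientConfig-style dict, RateLimiter, LoginResult and the in-memory user store are assumptions made for illustration. PoP verification is represented by a boolean the caller supplies, and token issuance by opaque random tokens; the point is the ordering of the checks, that rate-limit budget is consumed before the password is checked, that an unknown user still costs one hash, and that an enabled 2FA policy yields a pending token rather than a session.

```python
"""Added example (not enravo's code): a minimal model of the login guard
pipeline, driven by a per-client policy shaped like the config document."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Per-client policy; field names mirror the client config (values constructed).
CLIENT = {
    "client_id": "esc_a1b2c3d4e5f6_9f8e7d6c",
    "login_roles": ["customer"],
    "require_pop": True,
    "2fa_login": {"enabled": True, "channels": ["sms", "email"]},
}

_SALT = b"constructed-salt"  # one salt for the demo; real stores salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store: hashes only, never plaintext.
USERS = {
    "alice@example.com": {"user_id": "u1", "role": "customer", "pw": _hash("correct horse")},
    "ops@example.com": {"user_id": "u2", "role": "admin", "pw": _hash("hunter2!")},
}


class RateLimiter:
    """Fixed-window dual-key limiter: N hits per 60 s per key; lockout on exceed."""

    def __init__(self, ip_limit=5, user_limit=10, lockout=15 * 60):
        self.ip_limit, self.user_limit, self.lockout = ip_limit, user_limit, lockout
        self.hits = {}    # key -> (window_start, count)
        self.locked = {}  # key -> unlock timestamp

    def _check(self, key, limit, now):
        if self.locked.get(key, 0) > now:
            return False  # still inside the lockout window
        start, count = self.hits.get(key, (now, 0))
        if now - start >= 60:
            start, count = now, 0  # new window
        count += 1
        self.hits[key] = (start, count)
        if count > limit:
            self.locked[key] = now + self.lockout
            return False
        return True

    def allow(self, ip, username, now=None):
        now = time.time() if now is None else now
        ok_ip = self._check("ip:" + ip, self.ip_limit, now)
        ok_user = self._check("user:" + username, self.user_limit, now)  # both keys always counted
        return ok_ip and ok_user


@dataclass
class LoginResult:
    status: str        # "ok", "2fa_pending" or "denied"
    reason: str = ""
    token: str = ""    # access token, or pending_token for the OTP step


LIMITER = RateLimiter()
ISSUED = {}  # token -> session record (constructed in-memory store)


def login(client, username, password, ip, pop_ok=True, now=None) -> LoginResult:
    """Run the guard stages in order and stop at the first failure."""
    # 1. PoP verify (the signature check lives in AuthContext; modelled as a flag here).
    if client["require_pop"] and not pop_ok:
        return LoginResult("denied", "pop_invalid")
    # 2. Rate limit on IP and username, before authentication, so failures burn budget.
    if not LIMITER.allow(ip, username, now):
        return LoginResult("denied", "rate_limited")
    # 3. Authenticate: always hash, then constant-time compare, so timing does not leak
    #    whether the username exists.
    user = USERS.get(username)
    candidate = _hash(password)
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return LoginResult("denied", "bad_credentials")
    # 4. Role check against the client's allowed login roles.
    if user["role"] not in client["login_roles"]:
        return LoginResult("denied", "role_not_allowed")
    # 5. 2FA decision: hand back a pending token instead of a session.
    if client["2fa_login"]["enabled"]:
        pending = secrets.token_urlsafe(24)
        ISSUED[pending] = {"user_id": user["user_id"], "stage": "2fa_pending"}
        return LoginResult("2fa_pending", token=pending)
    # 6. Issue tokens (opaque here; JWT issuance and device binding are a separate topic).
    access = secrets.token_urlsafe(32)
    ISSUED[access] = {"user_id": user["user_id"], "stage": "active"}
    return LoginResult("ok", token=access)
```

Because the limiter counts both keys on every attempt, a distributed guess against one username is stopped by the per-username key even when each source IP stays under its own limit.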
From issuance to revocation — every token is device-bound, individually revocable, and verified on every request.
Access Token
Short-lived (default 15 min, configurable per client via access_token_ttl). Carries user_id, email, and device_id. Signed with HS256 and verified on every request by the guard pipeline. Because HS256 is a shared-secret MAC, any service that holds the verification key can also mint tokens, so the key should stay with the issuer and the guard rather than being handed to downstream services.
Refresh Token
Long-lived (default 30 days, refresh_token_ttl). Stored server-side with its device binding, so it cannot be redeemed from a different app. Individually revocable. Refresh endpoint rate limited to 10/min per IP.
Device Binding
Each refresh token is linked to a device_id. On refresh the app chain is verified: the device named in the JWT must belong to the app_id that signed the PoP request. A refresh token lifted from one device therefore cannot be redeemed from another.
Logout
Single device: the device status is set to logged_out and all of its refresh tokens are revoked. Logout-all: the same for every device the user has. The session is destroyed and revocation takes effect immediately, because the guard consults the blacklist on every request rather than waiting for the access token to expire.
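The token lifecycle described above, as an added example in Python that is not enravo's code. It mints HS256 access tokens carrying user_id, email and device_id, stores refresh tokens server-side against a device, verifies the device to app chain on refresh, and revokes through a blacklist plus the device status. The key, the store shapes, the jti claim, and refresh-token rotation on use are assumptions; the page does not say whether enravo rotates refresh tokens.

```python
"""Added example (not enravo's code): HS256 access tokens bound to a device,
refresh checked against the device -> app chain, and instant revocation."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET = b"constructed-hs256-key-rotate-me"  # held by the issuer and the guard only
ACCESS_TTL = 900                              # 15 min, as access_token_ttl above
REFRESH_TTL = 30 * 24 * 3600                  # 30 days, as refresh_token_ttl above


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Compact-serialise a claim set and sign it with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, now: float, check_exp: bool = True) -> Optional[dict]:
    """Return the claims if algorithm, signature and (optionally) expiry hold, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm: a header claiming alg=none or RS256 is rejected outright.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if check_exp and claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed stores.
DEVICES = {"dev-1": {"app_id": "app-A", "user_id": "u1", "status": "active"}}
REFRESH = {}        # refresh token -> {user_id, device_id, exp}
BLACKLIST = set()   # jti values of revoked access tokens


def issue(user_id: str, email: str, device_id: str, now: float):
    """Mint a device-bound access JWT and a server-side refresh token."""
    access = sign_jwt({"sub": user_id, "email": email, "device_id": device_id,
                       "jti": secrets.token_hex(8), "exp": now + ACCESS_TTL})
    refresh = secrets.token_urlsafe(32)
    REFRESH[refresh] = {"user_id": user_id, "device_id": device_id, "exp": now + REFRESH_TTL}
    return access, refresh


def guard(access: str, now: float) -> Optional[dict]:
    """Per-request check: signature, expiry, blacklist, and the device still active."""
    claims = verify_jwt(access, now)
    if claims is None or claims["jti"] in BLACKLIST:
        return None
    device = DEVICES.get(claims["device_id"])
    if device is None or device["status"] != "active":
        return None
    return claims


def refresh_tokens(access: str, refresh: str, pop_app_id: str, now: float):
    """App-chain check: the JWT's device must belong to the app that signed the PoP."""
    claims = verify_jwt(access, now, check_exp=False)  # the access token may already be expired
    rec = REFRESH.get(refresh)
    if claims is None or rec is None or rec["exp"] <= now:
        return None
    if rec["device_id"] != claims["device_id"] or rec["user_id"] != claims["sub"]:
        return None  # refresh token and JWT disagree on the device
    device = DEVICES.get(claims["device_id"])
    if device is None or device["status"] != "active" or device["app_id"] != pop_app_id:
        return None  # chain broken: presented from a different app
    del REFRESH[refresh]  # rotation (assumption): a refresh token is single-use
    return issue(claims["sub"], claims["email"], claims["device_id"], now)


def logout_device(access: str, now: float) -> bool:
    """Single-device logout: blacklist the JWT, revoke the device's refresh tokens, mark it out."""
    claims = verify_jwt(access, now, check_exp=False)
    if claims is None:
        return False
    BLACKLIST.add(claims["jti"])
    device_id = claims["device_id"]
    for tok in [t for t, rec in REFRESH.items() if rec["device_id"] == device_id]:
        del REFRESH[tok]
    if device_id in DEVICES:
        DEVICES[device_id]["status"] = "logged_out"
    return True
```

The guard checks the device status as well as the blacklist, so every access token issued to a logged-out device is refused at once, not only the one presented at logout.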
2FA
Five scenarios: login, registration, password reset, password change, and account verify. Per-client config: enabled, channels (SMS/email), code length (4-12 digits), max attempts, and cooldown between sends.
Password Policy
Per-client: min/max length (8-128), require uppercase, lowercase, digit, symbol. Enforced on registration and password change; each violation is returned as a specific error code.
Every login, logout, enrollment, and block is tracked per client and per device in real time. The dashboard surfaces counters for active sessions, today's logins, and blocks.
Registration can require phone or email verification before the user account is created. The flow adapts based on client config — OTP required, OTP optional, or direct registration. Rate limited: 5 per 15 minutes per IP.
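The registration flow, the OTP settings and the password policy described above, as one added example in Python that is not enravo's code. It shows the three client modes (OTP required, OTP optional, direct registration), OTP attempt and cooldown limits, and a policy checker that returns one error code per violated rule. The error-code strings, the OtpStore class, and the in-memory account store are assumptions; the registration rate limit is left out because it is the same dual-key mechanism as at login.

```python
"""Added example (not enravo's code): registration gated by per-client OTP mode,
with OTP cooldown/TTL/attempt limits and password-policy error codes."""
import hmac
import secrets
import string

# Constructed per-client settings, mirroring the password_policy and 2fa fields.
POLICY = {"min_length": 8, "max_length": 128, "require_uppercase": True,
          "require_lowercase": True, "require_digit": True, "require_symbol": False}
OTP_CFG = {"mode": "required", "code_length": 6, "max_attempts": 5, "cooldown": 60, "ttl": 300}


def check_password(pw: str, policy=POLICY) -> list:
    """Return every violated rule as an error code; an empty list means compliant."""
    errors = []
    if len(pw) < policy["min_length"]:
        errors.append("password_too_short")
    if len(pw) > policy["max_length"]:
        errors.append("password_too_long")
    checks = [("require_uppercase", str.isupper, "password_missing_uppercase"),
              ("require_lowercase", str.islower, "password_missing_lowercase"),
              ("require_digit", str.isdigit, "password_missing_digit"),
              ("require_symbol", lambda c: c in string.punctuation, "password_missing_symbol")]
    for key, pred, code in checks:
        if policy.get(key) and not any(pred(c) for c in pw):
            errors.append(code)
    return errors


class OtpStore:
    """One pending code per contact; enforces send cooldown, TTL and the attempt cap."""

    def __init__(self, cfg=OTP_CFG):
        self.cfg, self.pending = cfg, {}

    def send(self, contact: str, now: float):
        rec = self.pending.get(contact)
        if rec and now - rec["sent_at"] < self.cfg["cooldown"]:
            return None, "otp_cooldown"
        code = "".join(secrets.choice(string.digits) for _ in range(self.cfg["code_length"]))
        self.pending[contact] = {"code": code, "sent_at": now, "attempts": 0}
        return code, None  # would be delivered by SMS/email; returned only for the demo

    def verify(self, contact: str, code: str, now: float):
        rec = self.pending.get(contact)
        if rec is None or now - rec["sent_at"] > self.cfg["ttl"]:
            return "otp_expired"
        rec["attempts"] += 1
        if rec["attempts"] > self.cfg["max_attempts"]:
            del self.pending[contact]  # burn the code; the user must request a new one
            return "otp_max_attempts"
        if not hmac.compare_digest(rec["code"], code):
            return "otp_invalid"
        del self.pending[contact]
        return None


ACCOUNTS = {}  # constructed account store


def register(contact: str, password: str, otp_code=None, otp_store=None, now=0.0, cfg=OTP_CFG):
    """Create the account only after policy and, per client mode, OTP checks pass."""
    errors = check_password(password)
    if errors:
        return {"ok": False, "errors": errors}
    mode = cfg["mode"]
    if mode == "required" and otp_code is None:
        return {"ok": False, "errors": ["otp_required"]}
    if mode == "required" or (mode == "optional" and otp_code is not None):
        err = otp_store.verify(contact, otp_code, now)
        if err:
            return {"ok": False, "errors": [err]}
        verified = True
    else:
        verified = False  # direct registration, or optional mode with no code supplied
    ACCOUNTS[contact] = {"verified": verified}
    return {"ok": True, "verified": verified}
```

The account row is written only on the success path, which is what "verification before the user account is created" requires; a failed OTP leaves nothing behind to enumerate.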