MTAS

Looks complex?
We handle it.

MTAS runs the OAuth dance, signs RS256 JWTs, rotates refresh tokens and isolates tenants — so your backend just verifies a token and gets on with shipping the product.

[Architecture diagram with a 12-step animated login flow. Your app: the Frontend calls fetch('/api/…', { credentials: 'include' }); the Backend (BFF) owns the HttpOnly cookie holding the sealed JWT, verifies the JWT locally and checks aud. MTAS: the MTAS UI serves the sign in / sign up screen (state echo, auth code); the MTAS API is the auth broker (NestJS, RS256 + JWKS, refresh rotation, replay detection); PostgreSQL stores users, token families and codes. Step 01/12: user clicks login, GET /auth/login.]
§ HOW TO USE IT

Three steps. That's the whole integration.

The SDK handles CSRF, JWKS verify, refresh dedup, cookie crypto. You write zero auth code.

1. Register your app

Sign up, claim an appId, whitelist your callback URL and frontend domain.

2. Install the SDK

npm install @davydko-mtas/express cookie-parser

3. Wire it up

createMtasAuth(config) returns a router + auth middleware. Mount it, and you're done.

§ KEY PROPERTIES

Security, baked in.

Nine guarantees the SDK enforces by default. You don't opt in. You can't accidentally opt out.

Tenant Isolation

Each registered app gets its own user pool. Users belong strictly to the tenant that registered them — never shared. The same email can exist under different tenants.

Stateless RS256 + JWKS

JWTs are signed with RS256 (asymmetric). Your backend fetches the public key from a standard JWKS endpoint once, then verifies every token locally — no per-request calls.

Refresh Rotation + Replay Detection

Refresh tokens rotate on every use and are grouped by family. Reusing a rotated token revokes the entire family — aligned with RFC 9700 §4.14.

Login CSRF Defense

Each login flow carries a random state value, stored in a cookie and validated on callback. This stops an attacker from injecting their own auth code into a victim's session.

BFF + Encrypted Session

Tokens never reach the browser. Your backend exchanges the auth code server-to-server, seals both tokens into an HttpOnly iron-session cookie (AES-256-GCM), and refreshes them transparently.

Confidential Client Auth

Token endpoints require an HTTP Basic Authorization header carrying base64(appId:appSecret), per RFC 6749 §6. Secrets are stored as SHA-256 hashes, shown once at creation, and can be rotated from the dashboard.

Audience-Bound Tokens

Each JWT carries an aud claim tied to your appId. Backends must validate it — a token issued for tenant A is rejected by tenant B.

Token Revocation

Logout calls RFC 7009 /revoke with the refresh token — the entire token family is soft-revoked at MTAS, killing every future refresh attempt.

Redirect URI Whitelist

Login attempts are rejected unless the redirect URI exactly matches an entry in the client's whitelist, which prevents open redirect attacks.

§ TECH STACK

What's under the hood.

API

Auth broker
  • NestJS 11 + TypeORM
  • JWT (RS256 / HS256)
  • PostgreSQL
  • Passport.js

UI

Dashboard
  • Next.js 15 + React 19
  • shadcn/ui + Tailwind CSS
  • React Hook Form + Zod
  • TanStack Query

Custom SDK

@davydko-mtas/express
  • @davydko-mtas/express on npm
  • TypeScript + tsup (ESM/CJS/dts)
  • Drop-in createMtasAuth(config)
  • Handles CSRF, JWKS verify, refresh dedup, cookie crypto

Infrastructure

Deploy
  • Docker Compose (local PostgreSQL)
  • Coolify (production)

Outsource the auth. Keep the product.

Register a client account, configure redirect URIs, and your users are signing in against an isolated tenant in under an hour.