BlackWall is a production-grade authorization server with no passwords anywhere in it. Hardware keys, passkeys, and platform authenticators, combined with standards-compliant OAuth 2.1 and OpenID Connect, give your applications phishing-resistant authentication with no password database to breach and no shared secret to guess.
Every login through BlackWall is backed by a cryptographic assertion from a hardware device or platform authenticator, signed over a server-issued challenge and bound to the origin that requested it. There is no password database to breach, no credential stuffing surface, and a lookalike domain cannot collect anything it could replay.
Every user authenticates via WebAuthn: hardware security keys, Touch ID, Face ID, or Windows Hello. No passwords are accepted, stored, or transmitted, so the whole password attack surface is gone rather than merely mitigated.
Issue authorization codes, access tokens, and refresh tokens to any OAuth-capable client. PKCE with the S256 method is required on every authorization code exchange; the plain method is refused, and there is no legacy bypass.
Full OIDC support: discovery document, JWKS endpoint, signed ID tokens, and UserInfo endpoint. Point any OIDC-aware application at BlackWall without touching a line of its auth code.
Organisations, projects, users, and OAuth clients are fully isolated. Every issued token carries project context. Run your entire product portfolio from a single BlackWall instance.
Define up to ten named, tiered privilege levels per project — "viewer", "editor", "manager", whatever your domain demands. Fine-grained access without bespoke role logic in every service.
Every authentication, token issue, admin action, and security event is logged with correlation IDs. Searchable, exportable, and retention-controlled — compliance-ready out of the box.
Point clients at /.well-known/openid-configuration; any OIDC-aware library or framework (Passport, Spring Security, Keycloak adapter, Auth.js) will auto-configure from that single endpoint. No manual token endpoint wrangling required.
Cryptbin is an end-to-end encrypted pastebin built directly into BlackWall. Your browser generates the encryption key — it never touches the server. Even with full server access, an attacker sees only ciphertext.
An AES-256-GCM data encryption key is generated client-side and is never sent to the server in the clear. It travels only in the URL fragment, which browsers never include in the HTTP request, so it reaches neither the server nor its access logs.
Your browser encrypts the content locally, then uploads only the ciphertext. The server receives encrypted bytes and a wrapped key — never your actual data.
Creating, viewing, updating, and deleting entries requires a live WebAuthn assertion over a fresh, single-use server challenge. Every operation is cryptographically bound to the challenge that authorized it, so a captured assertion cannot be replayed or reused for a different operation.
Entries expire on a configurable schedule. Set a retention window per-entry or rely on system defaults — no digital residue left behind.
Eliminate password reset tickets. Replace shared credentials with hardware-verified identities. Onboard contractors with time-limited access, enforce privilege tiers, and get a full audit trail for every authentication event — all from a single admin panel.
Integrate once via standard OIDC discovery and every framework takes care of itself. Token introspection, revocation, JWKS rotation, and flexible JWT or opaque token formats. Build on open protocols — no proprietary lock-in, no SDK dependency.
Every entry point to BlackWall — from day-to-day user access to full administrative control.