OAuth 2.1 · OpenID Connect · WebAuthn

Zero passwords.
Zero compromise.

BlackWall is a production-grade authorization server where passwords simply don't exist. Hardware keys, passkeys, and platform authenticators combined with fully standards-compliant OAuth 2.1 and OpenID Connect give your applications authentication infrastructure that can't be phished, breached, or guessed.

WebAuthn · OAuth 2.1 · OpenID Connect · PKCE S256 · AES-256-GCM · XChaCha20-Poly1305 · RFC 7009 · RFC 7662 · Multi-tenant

Authentication

Built for engineers who take security seriously

Every login through BlackWall is backed by a cryptographic assertion from a hardware device or platform authenticator. There is no password database to breach, no credential stuffing surface, no phishing vector.

Passwordless by design

Every user authenticates via WebAuthn: hardware security keys, Touch ID, Face ID, or Windows Hello. No passwords are accepted, stored, or ever transmitted.

OAuth 2.1 with mandatory PKCE

Issue authorization codes, access tokens, and refresh tokens to any OAuth-capable client. PKCE (S256 only) is enforced on every flow.

OpenID Connect

Full OIDC support: discovery document, JWKS endpoint, signed ID tokens, and UserInfo endpoint.

Multi-tenant project isolation

Organisations, projects, users, and OAuth clients are fully isolated. Every issued token carries project context.

Named privilege levels

Define up to ten named, tiered privilege levels per project without bespoke role logic in every service.

Comprehensive audit trail

Every authentication, token issue, admin action, and security event is logged with correlation IDs and exportable history.

OIDC Discovery is live at /.well-known/openid-configuration so OIDC-aware libraries can auto-configure from a single endpoint.

Cryptbin — Secure sharing

Share a secret.
Never the plaintext.

Cryptbin is an end-to-end encrypted pastebin built directly into BlackWall. Your browser generates the encryption key. It never touches the server.

AES-256-GCM · Client-side only · WebAuthn gated · Auto-expiry

How it works
1. Key generation in the browser

An AES-256-GCM key is generated client-side and never transmitted to the server.

2. Ciphertext-only storage

Your browser encrypts the content locally, then uploads only the ciphertext.

3. WebAuthn-gated access

Creating, viewing, updating, and deleting entries requires a live WebAuthn assertion.

4. Automatic expiry

Entries expire on a configurable schedule, per entry or via system defaults.
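
Steps 1 and 2 above, as an added example using the Web Crypto API; it is not BlackWall's or Cryptbin's own code, and the function names and the JSON payload layout are assumptions. The WebAuthn gate and expiry (steps 3 and 4) are enforced server-side and are not shown.

```javascript
// Added illustration: names and payload layout are assumptions, not Cryptbin's format.
const webcrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const subtle = webcrypto.subtle;

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Step 1: generate the AES-256-GCM key locally. The key stays with the sender
// (to be shared out of band); it is never part of the upload.
async function generateKey() {
  return subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
}

// Step 2: encrypt locally and build the only object that would be uploaded.
async function encryptForUpload(key, plaintext) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per entry
  const data = new TextEncoder().encode(plaintext);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, key, data);
  return { v: 1, iv: toB64(iv), ct: toB64(ct) }; // no key, no plaintext
}

// Recipient side: decrypt with the key obtained out of band. GCM verifies the tag,
// so a ciphertext modified in storage is rejected instead of decrypting to garbage.
async function decryptFromDownload(key, payload) {
  const params = { name: "AES-GCM", iv: fromB64(payload.iv) };
  const pt = await subtle.decrypt(params, key, fromB64(payload.ct));
  return new TextDecoder().decode(pt);
}

// Constructed demo: round trip, then flip one ciphertext bit and confirm rejection.
async function demo() {
  const key = await generateKey();
  const secret = "API_KEY=constructed-sample-value"; // constructed sample input
  const payload = await encryptForUpload(key, secret);
  const roundTrip = await decryptFromDownload(key, payload);
  const bad = fromB64(payload.ct);
  bad[0] ^= 0x01;
  const tamperRejected = await decryptFromDownload(key, { ...payload, ct: toB64(bad) })
    .then(() => false, () => true);
  const leaksPlaintext = JSON.stringify(payload).includes(secret);
  return { roundTrip, tamperRejected, leaksPlaintext, ivBytes: fromB64(payload.iv).length };
}
```

When reviewing a client-side-encryption service, the upload request body is the thing to inspect: it should contain only the nonce and ciphertext, as `payload` does here.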

Use cases
Handing off API keys
Sharing incident logs
Passing credentials in onboarding
Safe inter-team token transfer
Encrypted security notes
Diagnostics without Slack leakage

Who it's for

Auth infrastructure that scales with your ambitions

Teams & operators

Eliminate password reset tickets, replace shared credentials with hardware-verified identities, and get a full audit trail for every authentication event.

  • Centralized user & project management
  • Audit logs for every security event
  • Approval workflows & role delegation
  • Multi-organisation tenant isolation

Developers & engineers

Integrate once via standard OIDC discovery and let your framework handle the rest. Build on open protocols with no proprietary lock-in.

  • RFC 7009 revocation & RFC 7662 introspection
  • JWT (RS256) or opaque tokens
  • Works with Passport, Spring, Auth.js, and more
  • Self-hostable, open architecture
