About
EmbedAuth is an embeddable authentication platform for SaaS and B2B apps. It exists because the auth tools we kept reaching for were either rented-out login pages on someone else's domain, or self-hosted libraries that quietly offloaded all the security decisions onto us.
After years of building production systems in blockchain and full-stack SaaS — environments where a botched auth flow doesn't just lose a session, it loses funds — I kept hitting the same wall: every auth provider assumed your product was a single domain with a single login page.
But modern SaaS isn't shaped like that anymore. You ship into your customers' dashboards. You embed inside Notion blocks. You run inside Shopify stores, Chrome extensions, Electron apps, and white-labeled portals. None of those flows survive a redirect to auth0.com or accounts.google.com very gracefully — and they certainly don't survive it with your brand intact.
EmbedAuth was built around a different default: the auth UI lives inside an iframe you embed. The tokens are short-lived RS256 JWTs. The verification keys are public. The session never leaves your customer's experience. Everything else — multi-tenancy, OAuth providers, magic links, password resets, themability — flows from that.
We're engineers first. The features that ship are the ones we'd actually want to integrate against at 2am while debugging a callback URL on a staging environment that doesn't exist yet.
Four principles we don't compromise on. Everything else is a judgment call.
RS256-signed JWTs, hashed client secrets, rate-limited endpoints, audit logging — these aren't paid add-ons. They're the baseline.
Auth lives inside an iframe you control. Customers never get bounced to a third-party domain. No more "Login with Auth0" branding on your own product.
Every flow — sign-up, sign-in, password reset, OAuth — is tenant-aware. Your customers can have their own users, their own branding, their own OAuth providers.
One iframe, one client ID, one JWKS endpoint to verify tokens. No SDK rabbit holes, no twenty-step quickstarts.
Founder
Senior Blockchain & Full-Stack Software Engineer
I've spent years building systems where authentication and key handling were the hardest, most consequential code in the stack. That experience is why EmbedAuth treats security primitives — JWT signing, session rotation, OAuth callback hardening, iframe sandboxing — as the default, not the upsell tier.
I write here about the parts of auth most providers gloss over. If you have a topic you'd like covered in depth, my inbox and GitHub issues are open.
Reach out about integration, sales, or security disclosure.