Security Overview

DarkAuth’s security model is built around reducing server-side custody while remaining compatible with normal OAuth and OIDC application patterns.

The important idea is not “the browser is magically safe.” It is more precise: during honest hosted-web operation, the backend and database do not need to see the user’s password, OPAQUE export key, plaintext DRK, or plaintext application data. Browser code still needs access to secrets while using them.

  • OPAQUE password authentication.
  • KEK-protected private keys, client secrets, and OTP secrets.
  • Short-lived, single-use authorization codes.
  • PKCE for public clients.
  • Refresh token rotation and replay rejection.
  • HttpOnly first-party cookies.
  • CSRF and origin checks.
  • TOTP MFA with backup codes, lockouts, and replay prevention.
  • Hashed reset and verification tokens.
  • Audit logging with redaction.
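
Two of the items above, PKCE for public clients and short-lived single-use authorization codes, combine at the token endpoint in a way worth seeing concretely. The following is an added example written for this page, not DarkAuth's own code: it generates an RFC 7636 S256 verifier/challenge pair the way a public client would, and models the server side with an in-memory store (the `AuthCodeStore` class, the 60-second TTL and the injectable clock are assumptions for illustration). The redeem path burns the code before checking anything else, so a replayed or mis-verified code cannot be retried, and it compares the recomputed challenge in constant time.

```python
"""Added example for the Security Overview page (not DarkAuth code).

Demonstrates PKCE S256 (RFC 7636) together with short-lived, single-use
authorization codes. AuthCodeStore, CODE_TTL_SECONDS and the clock
parameter are assumptions made for this illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 60  # assumed lifetime for an authorization code


def b64url(data: bytes) -> str:
    """Unpadded base64url as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a 32-byte random verifier (43 chars once encoded) and
    its S256 challenge, BASE64URL(SHA256(ASCII(verifier)))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    issued_at: float
    consumed: bool = False


class AuthCodeStore:
    """Server side: issues codes bound to client, redirect URI and PKCE
    challenge, and accepts each code at most once within its TTL."""

    def __init__(self, ttl: float = CODE_TTL_SECONDS, clock=time.time):
        self._codes: dict[str, PendingCode] = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge, self._clock())
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> bool:
        entry = self._codes.get(code)
        if entry is None or entry.consumed:
            return False  # unknown code, or a replay of an already-used one
        # Mark consumed before any other check: a failed redemption must not
        # leave the code available for a second attempt.
        entry.consumed = True
        if self._clock() - entry.issued_at > self._ttl:
            return False  # expired
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return False  # code was issued to a different client or redirect
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        # Constant-time compare; only the party holding the verifier passes.
        return hmac.compare_digest(expected, entry.code_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    store = AuthCodeStore()
    code = store.issue("spa-client", "https://app.example/cb", challenge)
    print("first redeem:", store.redeem(code, "spa-client", "https://app.example/cb", verifier))
    print("replay:", store.redeem(code, "spa-client", "https://app.example/cb", verifier))
```

The test-clock hook is what makes the expiry branch checkable without sleeping; in a real deployment the store would also be persistent and the consumed flag set atomically, since two token requests racing on the same code is exactly the replay the single-use rule exists to reject.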

Start with Security Model for trust boundaries, then read OPAQUE Security and DRK Security for the parts that make DarkAuth different from a conventional auth server.