Launching soon!

Auth for users
and agents

LumoAuth handles login for your users — OAuth, OIDC, passkeys, MFA, enterprise SSO — and identity for your AI agents — scoped capabilities, JIT permissions, human approval gates, and a full audit trail. One platform, open standards throughout.

AAuth Protocol JIT Permissions HITL Approvals Zanzibar ReBAC
Who it's for

Three auth problems. One platform.

Whether you're giving AI agents a real identity, shipping login for a new app, or migrating users off Auth0 — here's what LumoAuth looks like for each.

01 //

Building AI Agents?

API keys can't carry capability claims, enforce budgets, or pause for human approval. Agent tokens can. Each agent gets a cryptographic identity with scoped permissions, hard budget limits, and a full task timeline in the dashboard.

  • Cryptographic agent identity — no shared API keys
  • Scoped capability tokens, 15-minute expiry
  • JIT permission requests + human-in-the-loop approvals
  • MCP server discovery via well-known endpoints
  • Budget limits: steps, timeout, cost per task
Agent Security Docs →
02 //

Building an App?

Ship auth in hours, not weeks. OAuth 2.0 + OIDC out of the box, with passkeys, magic links, MFA, social login, and a login page that actually matches your brand.

  • OAuth 2.0 / OIDC — every grant type
  • Passkeys / WebAuthn / FIDO2
  • Magic links, TOTP MFA, push auth
  • Social login (GitHub, Google, etc.)
  • AI-generated branded login page
5-Minute Quickstart →
03 //

Migrating from Auth0 or Okta?

LumoAuth is OIDC-compatible. Change the issuer URL and client credentials — your existing SDK calls, token format, and callback patterns stay identical. You get SAML federation, SCIM directory sync, and GDPR tooling that Auth0 charges extra for or doesn't have.

  • Change two config lines — zero app rewrites
  • SAML 2.0 IdP + SP, SCIM 2.0 inbound/outbound
  • Relationship-based and attribute-based access control
  • GDPR: data subject requests, consent, breach management
Agent authentication

Your agents are not
your users

API keys can't carry capability claims, enforce budgets, or pause for human approval. Agent tokens can. Each agent gets a cryptographic identity, scoped permissions, and hard budget limits. When it needs access outside its pre-authorized scope, it sends a JIT request — you approve or deny from your phone, and every step lands in the audit log.

Cryptographic agent identity

Each agent has an Ed25519 keypair. Tokens are signed and bound to that key — they cannot be replayed from a different agent or context. Capabilities are embedded in the token claims.

JIT permissions + human-in-the-loop

Pre-authorize what the agent normally needs. For anything outside that scope, the agent pauses, sends a permission request with a justification string, and waits. A push notification goes to the owner. The agent resumes or exits based on the decision.

MCP server discovery

Register MCP servers as protected resources. Agents query the well-known endpoint to discover what auth is required before making any call — no credentials hardcoded in agent code.

Task timeline + CAEP monitoring

Every agent run produces a task record: steps taken, JIT requests made, tokens issued, risk events fired. Token revocation propagates to resource servers in real time via continuous access evaluation.

lumoauth — python agent sdk 
from lumoauth import LumoAuthAgent
from lumoauth.jit import JITContext

agent = LumoAuthAgent()
agent.authenticate()  # reads env: AGENT_CLIENT_ID, AGENT_CLIENT_SECRET

with JITContext(agent) as jit:
    jit.create_task(name="Analyse Q4 Financial Report")

    result = jit.request_permission(
        {
            "type":    "file_access",
            "actions": ["read"],
            "identifier": "quarterly_report_q4.pdf",
        },
        justification="User asked: 'What were our Q4 revenues?'",
    )
    # ↑ Human receives push notification. Blocks until approved or denied.

    if result["status"] == "approved":
        token = jit.get_token(result["request_id"])
        data  = jit.call(token, "GET", "https://storage.acme.com/finance/q4.pdf")
    elif result["status"] == "denied":
        return f"Access denied: {result['deny_reason']}"

# context exit: all JIT tokens revoked automatically

SECURITY GUARANTEES

  • Cryptographically signed agent tokens
  • Scoped capabilities — principle of least privilege
  • Hard budget limits enforced server-side
  • Every action written to immutable audit log
  • Human approval required for privilege escalation
  • Token revocation propagated instantly (CAEP)
Platform features

The full stack, not a subset.

Most auth platforms make you bolt on enterprise features as paid add-ons. LumoAuth ships SAML, SCIM, fine-grained authorization, GDPR tooling, and agent security in every plan.

OAuth 2.0 & OIDC

OAuth / OIDC

Authorization code + PKCE, client credentials, device flow, CIBA, token exchange, pushed authorization requests, proof-of-possession tokens, and financial-grade API profiles.

Passkeys & WebAuthn

FIDO2

FIDO2 passkey registration and login. Works with platform authenticators (Face ID, Windows Hello) and hardware security keys. No passwords required.

AI Agent Security

AAuth

Cryptographic agent identity, scoped capability tokens, JIT permission requests, human-in-the-loop approvals, hard budget limits, MCP server discovery, and per-task audit timelines.

SAML 2.0

SAML

Act as a SAML identity provider for apps that require it, or federate from an external SAML IdP. Full IdP and SP mode in the same tenant.

Fine-Grained Authorization

ReBAC + ABAC

Relationship-based access control (e.g. "Alice can edit documents shared with her team") and attribute-based rules (e.g. "contractors, business hours only"). Write policies in plain English — LumoAuth parses them.

SCIM 2.0

SCIM

Automatic user and group sync. Inbound provisioning from Okta, Azure AD, or any SCIM provider. Outbound push to downstream apps. Users deprovisioned the moment they leave.

Adaptive Authentication

Risk Engine

Step-up MFA triggered by risk signals: geo-velocity, impossible travel, device fingerprint mismatch, IP reputation, VPN/Tor detection. Configurable thresholds per tenant.

GDPR & Compliance

GDPR

Data subject request workflows, per-user consent records, breach incident management, ROPA generation, and privacy policy versioning — built into the tenant portal, not a compliance add-on.

View All Features →
quickstart — 5 minutes to auth 
# 1. Install the SDK
$ npm install @lumoauth/sdk

# 2. Create .env
LUMO_TENANT_ID=your-tenant
LUMO_CLIENT_ID=your-client-id
LUMO_CLIENT_SECRET=••••••••••••
LUMO_BASE_URL=https://auth.yourdomain.com

# 3. Protect a route (Express example)
import { LumoAuth } from '@lumoauth/sdk';

const lumo = new LumoAuth(fromEnv());

app.get('/api/me',
  lumo.requireAuth(),
  (req, res) => res.json(req.user)
);

# 4. Check a permission
const allowed = await lumo.check({
  userId:     req.user.id,
  permission: 'billing:view_invoices',
});
// ✓ true — checked against ReBAC + ABAC engine

$ lumo auth test-token
✓ Generated test JWT — valid 1h — paste into jwt.io
Developer Experience

Start in 5 minutes, not 5 days.

Typed SDKs for TypeScript and Python. A full OpenAPI spec. Test token generation from the portal. Authorization rule authoring in plain English. Standard OIDC discovery so any existing library works.

TypeScript + Python SDKs

Fully typed, auto-generated from the OpenAPI spec. IntelliSense everywhere.

Test Token Generator

Generate signed JWTs from the portal for any user or scope — debug without fighting OAuth flows.

AI Policy Authoring

Describe your authorization rule in plain English. LumoAuth parses it into a working ABAC policy.

Permission Tester

Test any permission check against any user or resource directly in the portal. No guessing.

OIDC Discovery

Each tenant serves a standard /.well-known/openid-configuration endpoint. Point any OIDC library at your tenant URL — no custom SDK integration required.

Branded login pages

Enter your site URL. LumoAuth scrapes your brand colors and generates a matching hosted login page. Or bring your own HTML.

View Docs → GitHub SDKs