Implement secure, modern authentication flows using FIDO2, WebAuthn, and passwordless login standards in your applications.
Anoma is a distributed operating system designed to abstract the complexities of blockchain networks into a unified interface for cross-chain coordination. At its core, the platform utilizes a resource-based state machine and an intent-centric execution model, where user-defined goals are processed and settled by decentralized solvers rather than through direct, manual execution. This architecture enables the creation of applications that operate across heterogeneous distributed networks while maintaining a consistent developer and user experience. The platform distinguishes itself through a privacy-preserving framework that leverages zero-knowledge proofs to hide transaction details, sender identities, and asset amounts on public ledgers. Security is managed through hardware-backed passkeys, which derive hierarchical cryptographic keyrings in session memory to eliminate the need for persistent local storage. Furthermore, Anoma employs protocol adapters—smart contracts deployed to external chains—to act as secure gateways for cross-chain asset interoperability and shielded transaction management. The system includes a comprehensive toolkit for building decentralized applications, featuring high-performance cryptographic operations executed via WebAssembly modules. Developers can access diagnostic utilities like the Anoma Explorer to monitor protocol activity, indexed transactions, and resource logic. The infrastructure also supports private resource retrieval through discovery-key-based indexing, ensuring that encrypted data is routed securely to the appropriate user keyring. Documentation and developer resources include practical tutorials for building applications, such as guides for implementing passkey-based identity management and shielded token deposit workflows.
Hermes-webui is a self-hosted AI orchestrator and web interface for managing autonomous agents. It serves as a multi-provider gateway that connects cloud and local large language models, providing a central hub to execute scheduled background jobs, run shell commands, and manage agent memory on private hardware. The system distinguishes itself through a persistent memory manager that utilizes knowledge graphs and markdown files for long-term context across sessions. It features a model context protocol host for extending agent capabilities with standardized tools and supports the orchestration of specialized sub-agents to handle parallel workloads. The platform covers a broad range of operational capabilities, including autonomous task scheduling via a built-in cron system, cross-platform messaging synchronization with external apps, and sandboxed execution across Docker and SSH environments. It also provides tool integration for automated web searches, workspace file navigation, and a secure shell execution workflow with user-approval gating. The interface supports real-time response streaming, voice interaction, and a cross-platform desktop application for managing sessions and configurations.
This project is a modular authentication framework designed to manage user identity, session tracking, and access control across web applications. It provides a unified solution for handling email-based credentials and social identity federation, allowing developers to implement secure login and registration flows that maintain consistent user states across client and server environments. The system utilizes a plugin-based architecture and middleware-driven request interception to allow for the extension of core authentication logic. It features type-safe schema generation, which derives database structures and API contracts directly from configuration, and employs a database-agnostic adapter pattern to interface with various storage backends. These capabilities enable the creation of custom security logic and database schemas that adapt to specific application requirements. To support development, the framework includes integrated tooling that provides context-aware knowledge to coding assistants. By configuring agent skills and connecting documentation through standardized protocols, developers can automate the implementation of authentication patterns while ensuring adherence to established conventions and security standards.
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS SigV4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration, providing identity-based routing, payload sanitization, and guardrails for LLM providers and AI agent architectures. The platform covers a broad capability surface including attribute-based access control via a policy-as-code engine, layer-7 traffic management using Lua scripting for request manipulation, and secure remote tunneling through WireGuard and QUIC. It also includes integrated observability using OpenTelemetry to stream identity-aware access logs and telemetry. The infrastructure is managed through a command-line interface that supports declarative, GitOps-style configuration and automated deployment to Kubernetes environments.
This project is a cross-platform credential management suite designed to store sensitive information in encrypted local databases. It functions as a secure desktop application that provides a unified environment for organizing secrets, generating passwords, and managing multi-factor authentication tokens. By utilizing industry-standard file formats, the application ensures that stored credentials remain secure and interoperable across different operating systems. The software distinguishes itself through deep integration with hardware-backed security and system-level services. It supports physical security tokens for challenge-response authentication, requiring hardware-based verification to unlock databases. Additionally, the application features an automated bridge for browser extensions to facilitate form filling and credential retrieval, alongside a system agent integration that dynamically manages SSH keys based on the current lock state of the database. Beyond core credential storage, the project includes a modular engine for performing administrative tasks such as security audits and data migrations. It also supports secondary protection layers, allowing users to require specific key files alongside master passwords to authorize access. The development process relies on containerized build environments to ensure consistent and reproducible native binaries for Windows, macOS, and Linux.
This project is a comprehensive zero-knowledge security suite designed for enterprise credential management, secrets orchestration, and password management. It provides a secure, end-to-end encrypted vault that allows users to store, synchronize, and manage sensitive information, including passwords, passkeys, and infrastructure secrets, across desktop, mobile, and browser environments. The platform distinguishes itself through a strict zero-knowledge architecture where all encryption and decryption occur locally on the client, ensuring that plaintext data remains inaccessible to the server. It supports flexible deployment models, allowing organizations to choose between managed cloud services or self-hosted infrastructure to meet specific data sovereignty and compliance requirements. Furthermore, the system integrates with external identity providers to streamline user provisioning and authentication, while offering advanced administrative controls for policy enforcement and security auditing. Beyond core storage, the platform provides extensive tools for DevOps and automated workflows, including command-line interfaces for secret injection and programmatic SDKs for custom integrations. It also includes robust collaboration features for secure data sharing, team resource management, and credential health monitoring to help organizations maintain a strong security posture.
This project is a comprehensive cryptographic toolkit that provides a collection of standard security algorithms and protocols for implementing data encryption and network communication. It serves as a foundational library for securing software applications through a wide range of cryptographic functions. The architecture is defined by a modular provider system that allows for the dynamic loading of external cryptographic implementations without requiring modifications to the core application binary. It supports metadata-driven algorithm querying, which resolves security primitives by matching requested properties against available provider capabilities. Furthermore, the library enables the creation of isolated security contexts, allowing different application components to maintain independent configuration states and security parameters within the same process. The toolkit includes support for FIPS-validated module encapsulation, which restricts cryptographic operations to a hardened boundary to meet strict government and industry compliance standards. It also utilizes a dispatch-table abstraction to decouple high-level security requests from underlying algorithm logic. Comprehensive technical documentation is available to assist with security operations, migration, and compliance validation.
This repository is a comprehensive collection of reference implementations and sample libraries for the Universal Windows Platform. It provides practical examples of how to use Windows Runtime APIs to build cross-device applications, including detailed guidance on XAML-based declarative user interfaces and DirectX-integrated rendering. The project distinguishes itself by providing a wide array of hardware integration suites, covering low-level communication with USB, Serial, I2C, SPI, and GPIO peripherals. It includes specialized implementations for mixed reality holographic rendering, advanced digital inking, and computer vision tasks such as real-time face tracking and barcode scanning. The codebase covers a broad surface of system capabilities, including adaptive media streaming, biometric authentication, and background task management. It also demonstrates the use of linguistic services for text analysis, globalization tools for regional formatting, and persistent storage strategies for application data. The repository serves as a practical implementation guide for the Windows SDK, providing a library of samples for building responsive interfaces and integrating system-level services.
Authelia is a centralized identity and access management server designed to secure web applications through unified authentication and authorization. It functions as an identity authority that enables single sign-on across diverse platforms, allowing users to access multiple services with a single set of credentials. By acting as a standards-compliant provider, it facilitates secure identity propagation and token issuance for client applications. The platform distinguishes itself through its ability to integrate directly with web gateways as a reverse proxy authentication middleware, intercepting requests to validate user identity before granting access to protected resources. It enforces granular access control policies and provides robust multi-factor authentication, supporting various verification methods such as hardware security keys, mobile push notifications, and time-based one-time passwords. To maintain consistency across distributed environments, it utilizes stateless session management via encrypted cookies. Authelia offers a flexible integration surface, featuring a pluggable backend that supports multiple external directory services like LDAP alongside internal database options. Its configuration is managed through a declarative, version-controlled YAML schema, which can be further automated using environment variables. The project provides comprehensive command-line tooling for policy validation and configuration management, with native support for deployment in containerized and orchestrated environments.
cmux is a GPU-accelerated terminal emulator and workspace manager designed for coordinating multiple concurrent AI coding agents. It functions as an orchestration terminal that uses scriptable workspaces and split panes to manage parallel AI agent workflows, while also serving as a headless browser automation tool and a remote development relay. The project differentiates itself through a programmatic control plane using a Unix domain socket and CLI, allowing for the automated management of terminal layouts and input delivery. It features an integrated web engine for programmatic DOM manipulation and session state capture, as well as a proxy system that executes agents on remote servers while relaying notifications and interfaces locally over SSH. Its broader capabilities include high-density session scaling via vertical tabs and grouped environments, real-time workspace metadata monitoring, and event-driven notification routing across desktop and mobile devices. The system also supports state restoration for window layouts and agent sessions, along with built-in content rendering for markdown and local file previews.
Ente is a privacy-focused platform for end-to-end encrypted storage and two-factor authentication management. It functions as a zero-knowledge identity provider, ensuring that all cryptographic operations, key derivation, and data encryption occur locally on the user's device. By maintaining this architecture, the service provider remains unable to access or decrypt any stored personal information or authentication credentials. The platform distinguishes itself through a combination of on-device intelligence and resilient data distribution. It utilizes a local machine learning engine to perform resource-intensive tasks such as semantic image searching and facial recognition directly on the user's hardware, ensuring that sensitive visual data never leaves the device. To guarantee high availability and data permanence, the system replicates encrypted information across multiple independent cloud providers and geographic regions, protecting against provider outages or regional failures. Beyond its core storage and security capabilities, the project includes sophisticated resource scheduling that monitors device telemetry to manage background processing tasks efficiently. It also provides a comprehensive authentication manager that supports secure token imports and offline operation, allowing users to maintain control over their credentials with or without cloud synchronization.
Sui is a blockchain platform featuring an object-centric state model and resource-oriented smart contracts. It utilizes parallel transaction execution to increase network throughput and supports programmable transaction blocks that bundle multiple operations into single atomic units. The platform distinguishes itself with a capability-based access control system and zero-knowledge login mechanisms, enabling users to authenticate via identity providers without seed phrases. It also implements deterministic object addressing to allow predictable state lookups and supports the creation of soulbound assets. Its capability surface covers a broad range of financial and operational primitives, including on-chain order books, margin trading, and prediction markets. The system provides comprehensive tooling for smart contract development in the Move language, alongside high-performance data indexing, gRPC-based real-time event streaming, and cross-chain interoperability via bridge message verification. Developers can interact with the network using multi-language SDKs in TypeScript, Rust, Python, and Go, or through a dedicated command-line interface for package deployment and debugging.
Signal-Android is an end-to-end encrypted messaging platform designed to ensure that only the sender and recipient can access communication content. The project provides a comprehensive framework for secure, asynchronous message initiation and key agreement, allowing users to establish private channels without requiring simultaneous online presence. It relies on a state machine architecture to manage communication epochs and authentication, ensuring consistent security transitions throughout the messaging lifecycle. The platform distinguishes itself through a hybrid cryptographic approach that combines multiple mathematical protocols to defend against potential security compromises. It implements advanced ratcheting mechanisms to provide forward secrecy and automatic recovery from breaches, while incorporating quantum-resistant layers to protect against future computing threats. Furthermore, the system supports secure multi-device synchronization, enabling users to maintain consistent identity keys and session history across multiple hardware devices. Beyond its core messaging capabilities, the project includes robust mechanisms for data integrity and transmission reliability. It utilizes erasure-coded chunking to ensure that large data packets can be reconstructed over unstable network connections and employs deterministic elliptic curve signing to verify message authenticity. The system also manages session lifecycles by rotating keys and expiring inactive connections to minimize windows of vulnerability.
This project is a web-based management interface designed for the administration, monitoring, and configuration of Nginx server instances. It functions as a centralized platform for managing reverse proxy settings, traffic routing, and server lifecycles, providing a visual dashboard to replace manual configuration file editing. The platform distinguishes itself through integrated infrastructure automation and observability tools. It supports distributed environments by synchronizing configuration states across multiple nodes and containerized services, while offering artificial intelligence assistance for syntax guidance and complex configuration reasoning. Users can manage security hardening, automated certificate renewals, and real-time performance analytics directly through the interface, which also includes a web-based terminal for remote system administration. Beyond core management, the system provides comprehensive operational support, including automated backup scheduling with support for remote object storage, log indexing and visualization, and robust access control mechanisms. Security features include support for passkey authentication, IP-based restrictions, and encrypted data storage to protect administrative access and configuration history. The application is designed for lightweight deployment, utilizing an embedded database for state persistence and offering an automated installation bypass for rapid setup across multiple environments.
This project is a command-line tool that automates the entire lifecycle of security certificates using standard domain validation protocols. It functions as a background service to manage the issuance, renewal, and installation of certificates, ensuring that encrypted web traffic remains active without requiring manual intervention. The tool distinguishes itself through extensive support for automated domain ownership verification, including the ability to issue wildcard certificates by programmatically interacting with external domain name system providers. It provides flexible validation options, such as using a temporary, ephemeral web server to handle challenges in isolated environments, which allows for certificate generation without needing an existing web server or active website. Beyond issuance, the system includes robust deployment capabilities that integrate directly with server environments. Through customizable hooks, it can automatically update server configuration files and reload services to apply new cryptographic assets immediately upon renewal. The software is built as a modular collection of POSIX-compliant scripts that leverage standard system utilities and support various cryptographic key types to meet diverse security requirements.
This project is a web-based platform designed for creating, managing, and sharing professional resumes. It functions as a structured document builder that integrates artificial intelligence to assist with content generation, editing, and analysis. Users can maintain a collection of resumes, customize their visual presentation through various templates, and export them into multiple formats for job applications. The platform distinguishes itself through its autonomous AI agent capabilities, which can perform research, suggest incremental edits, and apply data patches directly to documents. It also provides a secure, self-hostable environment that allows users to maintain full control over their data and infrastructure. The system supports advanced authentication methods, including passkeys and federated identity providers, ensuring that personal and professional information remains protected. Beyond core editing, the application includes tools for document organization, such as tagging, filtering, and legacy data migration. It features a robust document generation engine that separates content from design, allowing for precise layout control and styling. Users can share their resumes via password-protected public URLs and monitor document performance through integrated analytics. The application is designed for containerized deployment, utilizing Docker Compose to facilitate consistent installation across private infrastructure. It includes built-in health monitoring and feature flagging to manage system performance and functionality without requiring code redeployments.
Cloudreve is a self-hosted cloud storage platform designed to provide personal and organizational file management. It functions as a web-based solution that allows users to store, organize, and share digital files across multiple devices while maintaining control over their own data infrastructure. The platform distinguishes itself through a storage backend abstraction layer, which provides a unified interface to manage files across diverse local and remote cloud providers. It incorporates a robust identity and authorization layer that supports standard OAuth 2.0 flows for secure third-party integration, alongside a persistent event notification service that streams real-time file system updates to connected clients. To maintain high performance and efficient data handling, the system utilizes a bitwise configuration management architecture. This approach encodes complex permission sets and boolean flag states into compact formats, optimizing database storage and retrieval. The platform also includes specialized tools for developers, such as token-based debug authentication and standardized URI construction for consistent file access.
Lucia is an authentication library that provides session management, OAuth integration, and password-based login for web applications. It creates and validates server-side sessions using cryptographically random tokens stored in HttpOnly, Secure, SameSite=Lax cookies, with constant-time token comparison to prevent timing side-channel attacks. The library supports authentication through email and password, GitHub OAuth, Google OAuth, and passkey-based sign-in. It enforces two-factor authentication using time-based one-time passwords (TOTP) from authenticator apps, generates recovery codes for account access, and requires 2FA verification before password resets. Session lifecycle management includes idle timeouts that extend only during active user interaction, short-lived tokens for speed and revocability, and throttled database writes to reduce load during session verification. Additional capabilities include stateless token validation for self-contained tokens like JWTs, CSRF protection through Origin header checks or anti-CSRF tokens, and throttling of failed login attempts. The library adapts session handling to work with framework-specific request and response patterns.
mkcert is a command-line utility designed to simplify local development by generating and managing locally-trusted development certificates. It creates a unique, self-signed root certificate authority on the local machine, which serves as a trusted source for issuing development credentials. By automating the generation of these certificates, the tool enables secure encrypted connections that browsers and operating systems accept without security warnings. The utility distinguishes itself by automatically configuring local trust stores, programmatically injecting the generated root certificate into system and browser databases. It supports complex development workflows through environment-variable-based configuration, allowing users to manage multiple certificate authorities across different projects and specify custom storage paths. This infrastructure ensures consistent security across diverse environments, including support for mobile device trust and remote machine installation. Beyond standard HTTPS testing, the tool provides capabilities for generating secure email certificates and integrating with specific application runtimes. It handles the underlying cryptographic key material generation and cross-platform path resolution required to maintain trust across various operating systems and development environments.
Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguishes Vault is its ability to generate dynamic, short-lived credentials on-demand for databases and cloud providers, which are automatically revoked upon lease expiration to minimize security exposure. The platform also functions as an encryption-as-a-service provider, allowing applications to offload data protection, tokenization, and key management tasks to a centralized interface. Its modular architecture is supported by an extensible plugin system that uses remote procedure calls to integrate new functionality without requiring modifications to the primary codebase. Beyond core secret handling, the platform offers comprehensive certificate lifecycle automation, including the generation, storage, and rotation of security certificates to maintain encrypted communication channels. It supports high-availability deployments through a distributed consensus protocol that synchronizes state across clusters and automatically forwards requests to the active leader node. The system also integrates with hardware security modules for enhanced key protection and maintains detailed audit logs to support regulatory compliance requirements. Users interact with the platform through a command-line interface that supports API endpoint invocation, environment variable configuration, and shell autocompletion for operational tasks.