C++23 Enterprise Auth Engine

Build Secure, Uncompromised Auth Infrastructure

AuthNexus is a multi-tenant authentication & operations backend for SaaS. Mutual TLS, four-channel architecture, fail-closed security model — built for high-security scenarios.

Token Validation: <0.5ms (in-memory HMAC-SHA256)
Full Login Flow: <3ms (incl. DB + token issue)
Transport Security: TLS 1.3 (mTLS + OCSP stapling)

Core Capabilities

Designed for security and performance at every layer, from protocol to deployment

Mutual TLS

Both client and server verify each other's certificates, preventing man-in-the-middle attacks. Triple validation: CA chain, URI SAN semantics, and certificate binding.

Four-Channel Separation

Command, Event SSE, DB Delta, OCSP — four independent channels with isolated responsibilities and fault domains.

Four Independent CAs

CP server, node client, TCP server, app client — four CAs managed independently, minimizing blast radius.

Lua Cloud Functions

Sandboxed Lua 5.4 runtime with IO/OS/debug disabled. Dedicated thread pool with backpressure, isolated from the critical path.

Thread Domain Isolation

IO / Logic / DB / Crypto / CloudFunction — five thread domains physically isolated, independently scalable.

Fail-Closed Design

No ports opened without PKI init, connections refused on CA failure, handshakes rejected on OCSP revocation — secure by default.

OCSP Stapling

Nodes proactively fetch OCSP responses and staple them to TLS handshakes. SDK must-staple verification for real-time revocation.

Dual Database Backend

SQLite for lightweight deployments / PostgreSQL for scale. Unified abstraction layer, seamless switching. Separate Control & Runtime DBs.

System Architecture

Three-process separation + four-channel communication, with single-responsibility components and isolated fault domains

[Architecture diagram; components and links recovered from the figure:]
Admin Frontend (Vue 3 + Naive UI), connected over HTTP to the Control Plane
Control Plane: /admin/v1/* (Admin Routes) and /cp/v2/* (CP Routes); backed by the Control DB (SQLite / PostgreSQL)
Server App: TCP mTLS + binary protocol; IO Pool, Logic Pool, DB Pool; backed by the Runtime DB (SQLite)
SDK Client: C++ static library, connected to the Server App over TCP mTLS
Channels: ① Command (mTLS HTTP) · ② Event SSE · ③ DB Delta · ④ OCSP (plain HTTP) · Hot path (TCP mTLS)

Performance

Measured on real hardware, not theoretical values

Metric           Value    Details
Token Login      <3ms     Incl. DB query + HMAC-SHA256 + token issue
Heartbeat        <0.3ms   Session update + state sync
TLS Handshake    <15ms    mTLS mutual auth + OCSP stapling verification
Cloud Function   <5ms     Lua 5.4 sandbox, incl. serialization overhead
Password Hash    <0.1ms   HMAC-SHA256 high-speed versioned scheme
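The sub-millisecond token validation figures above rest on checking an HMAC-SHA256 tag in memory rather than hitting the database. The following is an added example, not AuthNexus code: it issues and validates a stateless session token with a versioned key ring so keys can rotate without invalidating tokens issued under the previous version. The token layout (`version.payload.tag`, payload `tenant|user|expiry`) and the key ring contents are assumptions constructed for this example, not the product's real format.

```python
"""Added example (not AuthNexus code): in-memory HMAC-SHA256 session tokens.

Token layout (assumed, not the product's format):
    <version>.<payload-b64>.<tag-b64>
payload = "<tenant>|<user>|<expiry-unix>", tag = HMAC-SHA256(key[version], "<version>.<payload-b64>")
Binding the version into the MAC input means an attacker cannot move a tag to a
different key version; keeping old keys in the ring lets rotation be non-disruptive.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample key ring: version -> secret key (in practice loaded from a KMS/HSM).
KEYS = {1: b"example-old-key-" * 2, 2: b"example-new-key-" * 2}
CURRENT_VERSION = 2


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(version: int, payload: str) -> bytes:
    # The MAC covers the version prefix as well as the payload.
    return hmac.new(KEYS[version], f"{version}.{payload}".encode(), hashlib.sha256).digest()


def issue_token(tenant: str, user: str, ttl_s: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = _b64e(f"{tenant}|{user}|{int(now) + ttl_s}".encode())
    return f"{CURRENT_VERSION}.{payload}.{_b64e(_tag(CURRENT_VERSION, payload))}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (tenant, user) for a genuine, unexpired token, else None.

    Every failure path returns None (fail closed). The tag is verified before any
    field of the payload is trusted, and compared with compare_digest so the
    comparison time does not depend on how many tag bytes match.
    """
    now = time.time() if now is None else now
    try:
        version_s, payload, tag_s = token.split(".")
        version = int(version_s)
        presented_tag = _b64d(tag_s)
    except ValueError:  # wrong field count, non-numeric version, bad base64
        return None
    if version not in KEYS:
        return None  # unknown or retired key version
    if not hmac.compare_digest(presented_tag, _tag(version, payload)):
        return None
    try:
        tenant, user, expiry = _b64d(payload).decode().split("|")
        if now >= int(expiry):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    return tenant, user


if __name__ == "__main__":
    tok = issue_token("acme", "alice", ttl_s=60)
    print(tok, validate_token(tok))
```

Note the ordering inside `validate_token`: the payload is only parsed after the MAC check passes, so a forged payload never reaches application code, and an expired token is still a correctly signed one, which is why expiry is checked last.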

Security, Uncompromised

Every design decision prioritizes security over convenience

01 Fail-Closed by Default

PKI not initialized? Ports stay closed. CA validation failed? Connection refused. Certificate revoked? Handshake rejected. The default state is closed — services only open with correct, explicit configuration.
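The fail-closed rule above (no PKI, no open port) and the "Fail-Closed Design" capability listed earlier come down to ordering: validate every piece of PKI material and build the mTLS context first, and only then bind a socket. The following is an added example in Python's standard `ssl` module, not AuthNexus code; the `Pki` paths and the listener class are assumptions for this example.

```python
"""Added example (not AuthNexus code): a listener that cannot open a port unless its
mTLS context was built successfully from valid PKI material.

Order matters: build_mtls_server_context() runs before socket.create_server(), so a
missing or unreadable CA, certificate or key leaves no listening socket behind.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pki:
    ca_file: str    # CA that issues the certificates this server accepts from clients
    cert_file: str  # this server's certificate chain
    key_file: str   # its private key


def build_mtls_server_context(pki: Pki) -> ssl.SSLContext:
    """Return a TLS 1.3-only server context that requires a client certificate.

    Every call below raises on bad input instead of silently degrading."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert -> handshake fails
    ctx.load_verify_locations(cafile=pki.ca_file)  # raises if missing or not a valid CA bundle
    ctx.load_cert_chain(pki.cert_file, pki.key_file)  # raises if missing or key/cert mismatch
    return ctx


class FailClosedListener:
    def __init__(self) -> None:
        self.open_ports: List[ssl.SSLSocket] = []
        self.last_error: Optional[str] = None

    def start(self, host: str, port: int, pki: Pki) -> bool:
        """Bind only after PKI init succeeds; on any failure bind nothing and report False."""
        try:
            ctx = build_mtls_server_context(pki)
        except (OSError, ssl.SSLError) as exc:  # FileNotFoundError is an OSError
            self.last_error = f"PKI init failed, port {port} stays closed: {exc}"
            return False
        raw = socket.create_server((host, port))
        self.open_ports.append(ctx.wrap_socket(raw, server_side=True))
        return True


if __name__ == "__main__":
    listener = FailClosedListener()
    # Constructed paths that do not exist: demonstrates the closed default state.
    ok = listener.start("127.0.0.1", 0, Pki("/nonexistent/ca.pem", "/nonexistent/srv.pem", "/nonexistent/srv.key"))
    print(ok, listener.last_error, len(listener.open_ports))
```

The inverse design, binding first and patching the context in afterwards, is where accidental plaintext or unauthenticated listeners come from; keeping the socket creation after the context construction makes that state unreachable rather than merely unlikely.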

02 Zero-Trust Certificate System

Four independent CAs, each governing its own domain. mTLS handshake validates CA trust chain + clientAuth EKU + URI SAN semantics + CP binding — all four constraints must pass.
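Of the four constraints listed, the CA chain and clientAuth EKU are checked by the TLS library during chain verification; the URI SAN semantics and the CP binding are identity decisions the application makes on the verified certificate. The following is an added example, not AuthNexus code, of those two application-side checks over the dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The URI form `authnexus://cp/<cp-id>/node/<node-id>` is an assumption invented for this example, not the product's actual naming scheme.

```python
"""Added example (not AuthNexus code): URI SAN and control-plane binding checks on a
peer certificate that has already passed chain verification.

Input is the dict returned by ssl.SSLSocket.getpeercert(); subjectAltName is a tuple
of (type, value) pairs such as ("URI", "authnexus://cp/cp-1/node/node-7").
The URI grammar below is an assumption for this example.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

EXPECTED_SCHEME = "authnexus"  # assumed scheme, not the product's real one


def uri_sans(cert: dict) -> List[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "URI"]


def check_peer_identity(cert: dict, expected_cp: str) -> Optional[Tuple[str, str]]:
    """Return (cp_id, node_id) if the cert names exactly one node bound to expected_cp.

    Any ambiguity (no URI SAN, several URI SANs, wrong scheme or shape) is rejected,
    and a well-formed identity bound to a different control plane is rejected too:
    it may be a perfectly valid certificate from the same CA, but not for this CP.
    """
    uris = uri_sans(cert)
    if len(uris) != 1:
        return None
    u = urlsplit(uris[0])
    if u.scheme != EXPECTED_SCHEME or u.netloc != "cp" or u.query or u.fragment:
        return None
    parts = u.path.strip("/").split("/")
    if len(parts) != 3 or parts[1] != "node" or not parts[0] or not parts[2]:
        return None
    cp_id, node_id = parts[0], parts[2]
    if cp_id != expected_cp:  # CP binding: the identity must name this control plane
        return None
    return cp_id, node_id


# Constructed sample peer certificate dicts (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "node-7"),),),
    "subjectAltName": (("URI", "authnexus://cp/cp-1/node/node-7"),),
}
DNS_ONLY_CERT = {"subjectAltName": (("DNS", "node-7.example"),)}
TWO_URI_CERT = {
    "subjectAltName": (
        ("URI", "authnexus://cp/cp-1/node/a"),
        ("URI", "authnexus://cp/cp-1/node/b"),
    )
}

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("dns-only", DNS_ONLY_CERT), ("two-uri", TWO_URI_CERT)):
        print(name, check_peer_identity(cert, "cp-1"))
```

Treating "more than one URI SAN" as a rejection rather than picking the first match is the defensive choice: a certificate that names two identities is a policy error somewhere upstream, and the handshake is the wrong place to guess which one was meant.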

03 Real-Time Revocation

Nodes proactively fetch OCSP responses and staple them to every TLS handshake. The SDK enforces must-staple. After revocation, all new connections are rejected immediately; there is no cache window to exploit.

04 Physical Fault Isolation

Five thread domains share nothing. SSE long connections get a dedicated pool, never starving short CP requests. Cloud functions have backpressure, never impacting the auth hot path.

Technical Specs

Language: C++23 (MSVC / GCC)
Protocol: Custom binary protocol over TLS 1.3
TLS: TLS 1.3 + mTLS + OCSP Stapling
Ports: Admin HTTP 8080 · CP mTLS 9091 · OCSP 9092 · TCP configurable
Database: SQLite (lightweight) / PostgreSQL (at scale)
Cloud Functions: Lua 5.4 sandboxed, 1000ms default timeout
Threading: IO / Logic / DB / Crypto / CloudFn five-domain isolation
SDK: C++ static library, sync API + internal reader/notify/heartbeat threads

Start Building Secure Auth Infrastructure

Read the docs to see how AuthNexus delivers enterprise-grade authentication for your multi-tenant SaaS.