OrbitID
The first fully passwordless SSO. Passkey-first.
At a glance
- Status
- Alpha
- Stack
- TypeScript · OIDC/OAuth2 · WebAuthn · Postgres/SQLite
- Runtimes
- Edge · serverless · container
- Source
- Private (invite-only)
Summary
OrbitID is a secure-by-default OIDC / OAuth2 identity provider built on web-standard APIs (Fetch, WebCrypto, Streams), so the same core runs across edge, serverless, and container runtimes. It is passkey-first and passwordless, with invite-only registration.
Highlights
- Authorization Code Flow only, with mandatory PKCE (S256); Implicit and ROPC are refused.
- Passkey (WebAuthn)-first and passwordless. Registration is invite-only — there is no public self-signup.
- Database-agnostic: runs on Postgres or SQLite (libSQL / Turso).
- Refresh-token rotation with reuse detection; opaque access tokens by default, claims fetched from UserInfo.
Reach
Questions, integrations, security reports, or research collaboration: write to contact@luminx.one or see /security for sensitive disclosure.