Secure, robust authentication

CosyncJWT is a simple service that goes beyond the basics to deliver the features developers need.

MongoDB recommends JWT authentication as the preferred method for authenticating users into a Realm Platform application.

Get started →

Read the docs →

Everything you need

to get started fast.

For the best possible experience, MongoDB Realm suggests using a JWT authentication provider based on JSON Web Tokens. CosyncJWT allows you to quickly implement JWT authentication with all of these additional features built right in.

User Metadata

Collect names, demographic info, phone numbers, emails, or anything else you want at registration and pass this info along to Realm with metadata unique for your application.

Two Factor Authentication

Connect with Google Authentiactor or send authentication codes via Twilio SMS when a user signs in.  Ensure a compromised password doesn’t actually permit access.

Gated Entry

Manage user growth by distributing invite codes or allowing users to invite others with codes. The whole gated entry process can be set up and managed through the Cosync Portal.

Password Filtering

Impose password requirements on application users when they onboard or change their password to require a minimum length, case, numbers, and special character counts.

u

Password Reset Flow

When a user forgets their password, you can trigger a custom email from your own custom email addresses to send to your user email account with a code to reset their password. 

CosyncJWT Pricing

Get started for free for up to 5000 users and only pay $1 per month per thousand users as you scale. For enterprise applications contact us about self-hosted JWT deployments.

What makes CosyncJWT secure?

In short: RSA public/private key encryption.

The RSA standard is sufficiently secure so as not to be cracked through a simple brute force method – it is also the basis for cryptographic signatures with blockchain and all crypto-currencies. Asymmetric RSA encryption is based on a simple concept; if a message is encrypted (or signed) with a private key, that message can only be decrypted with a single public key – in the matching key pair.

In the JWT standard, the payload is in fact not encrypted; the only encrypted piece is the signature which is produced by running an RS256 encryption hash using a private key on the header and the payload of the JWT token. The signature provides proof to the MongoDB Realm instance that the JWT token originated from the CosyncJWT system, and not some malicious third party.

JSON Web Tokens (or JWT) is the secure mechanism through which the CosyncJWT service provides identity management to a MongoDB Realm application. The CosyncJWT service stores a user’s handle and password in an encrypted database. When an application needs to validate the credentials of a user, it defers this task to CosyncJWT.

  1. The user’s handle and password are validated against the user’s credentials that are stored in the database.
  2. The CosyncJWT service can also confirm the user’s identity through Google’s two-factor authentication service, or by sending the user a code to his/her verified phone number.
  3. After verification, the CosyncJWT signs a JWT token with the application’s secret private key that is kept confidential.

Since the CosyncJWT system stores the secret private key, a MongoDB Realm application instance configured with the corresponding public key is guaranteed that only the CosyncJWT system could sign the authenticating JWT tokens on behalf of the application users. In order to produce counterfeit tokens, a malicious system would have to gain access to the private key, which is stored in an encrypted form on the CosyncJWT database.

Start free today.