// in development — early access open

Every way a user can prove who they are, behind one API

Enterprise SAML, Google and Apple sign-in, MetaMask signatures, KYC documents, brokerage OAuth, TOTP codes. Charon speaks all of them, verifies them in Rust, and hands your application one clean JWT.

View on GitHub

// any provider, any protocol, same response shape POST /auth/sso { "provider": "okta", "saml_response": "PHNhbWw..." } // → { access_token, refresh_token, user, org }

What it does

Seven jobs, one integration

Multi-provider authEmail/password, Google, Apple, GitHub, Microsoft OAuth, plus any OIDC provider you point it at.
Enterprise SSOSAML 2.0 and OIDC against Okta, Azure AD, OneLogin, or any IdP. SCIM 2.0 keeps directories provisioned and deprovisioned automatically.
Web3 walletsMetaMask and WalletConnect signature verification, multi-chain across all eight House of Contracts chains.
KYC / AMLSumsub-powered document checks, liveness detection, and AML screening with tiered verification levels.
Brokerage linkingOAuth to Coinbase, Alpaca, and Robinhood, so Versal and Delt can show one unified portfolio.
Two-factorTOTP (Google Authenticator, Authy, 1Password) and hardware keys via WebAuthn/FIDO2.
GDPR plumbingData export, right-to-be-forgotten deletion, consent management, audit log. The compliance work nobody wants to write twice.

Providers

Sixteen integrations at launch

Okta/Azure AD/OneLogin/Auth0/SAML 2.0 (any IdP)/SCIM 2.0/LDAP/Google/Apple/GitHub/Microsoft/MetaMask/WalletConnect/Coinbase/Alpaca/Sumsub

Security

The boring decisions, made correctly

Charon is written in Rust on Axum and Tokio, with PostgreSQL via compile-time-checked sqlx queries and Redis for sessions and rate limits.

PasswordsArgon2id, memory-hard and GPU-resistant, with configurable cost parameters.
TokensRS256 JWTs with automatic key rotation. One-hour access tokens, thirty-day refresh tokens, Redis-backed blacklisting.
Rate limitingPer-IP and per-user sliding windows in Redis, with exponential backoff.
Secrets at restBrokerage OAuth tokens encrypted with AES-256-GCM; keys held in Azure Key Vault.
AuditEvery auth event, profile change, and admin action logged with timestamp, IP, and device.
ComplianceGDPR and CCPA ready; SOC 2 in progress.

Who uses it

Auth for the whole CC ecosystem

Delt

Versal

Terminal sessions and brokerage account access for unified portfolios.

Akashic

API key validation and subscription state for the code-intelligence extension.

Hermes

JWT validation on authenticated streams and pay-per-stream billing.

Noosphere Collective

Member identity behind DAO governance voting.

Atlas

Team management and role-based access across multi-entity workspaces.

Charon is core infrastructure, included free with every Colossal Capital tier, forever. Create an account or see tier details.