v1.0.0 - Production Ready

Your Identity,
One Tap Away

Koder Pass

Koder Pass is a comprehensive mobile identity companion with multi-factor authentication, encrypted vault, passkeys, biometrics, and SSO for the Koder ecosystem.

api-example.sh
# Send a push authentication request
curl -X POST https://pass.koder.dev/v1/auth/push/send \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "usr_a1b2c3",
    "service_name": "My App",
    "ip_address": "203.0.113.42",
    "timeout_seconds": 60
  }'

# Response
{
  "id": "push_x7k9m2",
  "number_options": [42, 67, 89],
  "correct_number": 67,
  "status": "pending"
}

Everything You Need

121 features across authentication, vault management, identity verification, device trust, and more.

TOTP / HOTP Authenticator

Generate time-based and counter-based one-time passwords with SHA-1, SHA-256, and SHA-512 support. Import via QR code or manual entry.

FIDO2 Passkeys

Hardware-backed passwordless authentication using the WebAuthn standard. ES256 and RS256 algorithms with platform authenticator biometrics.

Push Authentication

Approve or deny login requests with a single tap. Number matching challenge prevents accidental approvals. Fraud reporting built in.

QR Code Web Login

Scan a QR code to instantly authorize desktop and web sessions. Real-time WebSocket updates show login progress to both devices.

Encrypted Vault

AES-256-GCM encrypted storage for passwords, notes, cards, identities, and keys. PBKDF2-SHA256 with 600,000 iterations for key derivation.

Identity Verification (eKYC)

Document capture with OCR, MRZ parsing, NFC chip reading, facial biometrics with liveness detection, and CPF/CNPJ validation.

Device Trust

Hardware-bound device registration with 0-100 trust scoring. Detects root, jailbreak, debugger, emulator, and missing screen lock.

Behavioral Analytics

Impossible travel, new device, unusual time, and velocity anomaly detection. Real-time risk scoring based on authentication patterns.

Ecosystem SSO

Sign in to any Koder app with a single tap. Scoped delegation tokens, app verification, and centralized session management.

Breach Monitoring

Check passwords against Have I Been Pwned using k-anonymity. Get alerts for breached, weak, reused, and stale passwords.
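An added example (not Koder Pass source code) of the k-anonymity check described above: the password is hashed locally with SHA-1, only the first five hex characters are sent to the Pwned Passwords range endpoint, and the returned suffixes are matched on the device. The function names and the sample response body are constructed for illustration, so the code runs offline.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// RangeQuery hashes the password locally and splits the SHA-1 digest.
// Only the 5-character prefix is sent to the range endpoint; the
// 35-character suffix never leaves the device.
func RangeQuery(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// BreachCount scans a range response ("SUFFIX:COUNT" per line) for our
// suffix. Matching happens on the client, so the service cannot tell
// which of the returned hashes was being checked. Returns 0 if absent.
func BreachCount(suffix, body string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		s, n, ok := strings.Cut(line, ":")
		if !ok || !strings.EqualFold(s, suffix) {
			continue
		}
		return strconv.Atoi(n)
	}
	return 0, sc.Err()
}

// sampleBody is a constructed response with made-up counts, not real API output.
func sampleBody(suffix string) string {
	return "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n" + suffix + ":1200\r\n"
}

func main() {
	prefix, suffix := RangeQuery("password")
	n, _ := BreachCount(suffix, sampleBody(suffix))
	fmt.Printf("GET /range/%s -> seen %d times\n", prefix, n)
}
```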

Shared Vaults

Share credentials with team members using granular permissions: view, copy, edit, or admin. Emergency access with configurable wait periods.

Webhooks & API Keys

HMAC-SHA256 signed webhook delivery with exponential retry. Scoped API keys for third-party integration with live/sandbox modes.

How It Works

Get started in three steps.

1. Sign In with Koder ID

Authenticate once with your Koder ID account using OIDC. Your identity is verified and your session is established securely.

2. Set Up Your Vault

Create a master password to encrypt your vault. Add OTP accounts, credentials, passkeys, and identity documents. Everything is AES-256-GCM encrypted.

3. Authenticate Everywhere

Use push notifications, QR codes, passkeys, or TOTP to sign in to any service. Your phone becomes your universal authentication key.

Enterprise-Grade Security

Built with a defense-in-depth approach. Your data is protected at every layer.

AES-256-GCM + PBKDF2

Military-grade encryption with 600,000 iteration key derivation. Your vault is unreadable without the master password.

Hardware-Backed Keys

Cryptographic keys stored in Android Keystore and iOS Secure Enclave. Key material never leaves the hardware security module.

Anti-Tamper Detection

Detects root, jailbreak, debugger, emulator, repackage, and hooking frameworks. Configurable warn/restrict/wipe responses.

Zero-Knowledge Sync

All vault data is end-to-end encrypted before leaving your device. The server stores only opaque ciphertext blobs.

Behavioral Analytics

Machine learning detects impossible travel, unusual times, new devices, and velocity anomalies in real time.

FIDO2 / WebAuthn

Phishing-resistant passwordless authentication bound to the relying party origin. Cloned authenticator detection via sign count.

How We Compare

Koder Pass combines the best of authenticators, password managers, and identity platforms.

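| Feature | Koder Pass | Google Auth | 1Password | Duo | Microsoft Auth |
|---|---|---|---|---|---|
| TOTP / HOTP | Yes | Yes | Yes | Yes | Yes |
| FIDO2 Passkeys | Yes | No | Yes | Yes | Yes |
| Push Authentication | Yes | No | No | Yes | Yes |
| QR Web Login | Yes | No | No | Yes | Yes |
| Encrypted Vault | Yes | No | Yes | No | No |
| Document Verification | Yes | No | No | No | No |
| Facial Biometrics + Liveness | Yes | No | No | No | No |
| NFC Chip Reading | Yes | No | No | No | No |
| Verifiable Credentials (W3C) | Yes | No | No | No | No |
| Mobile Driving License (mDL) | Yes | No | No | No | No |
| Device Trust Scoring | Yes | No | No | Yes | Partial |
| Conditional Access Policies | Yes | No | No | Yes | Yes |
| Behavioral Analytics | Yes | No | No | Yes | Partial |
| SSO Broker | Yes | No | No | No | Yes |
| Travel Mode | Yes | No | Yes | No | No |
| Emergency Access | Yes | No | Yes | No | No |
| Shared Vaults | Yes | No | Yes | No | No |
| Webhooks / API | Yes | No | Yes | Yes | Partial |
| Open Source | Yes | No | No | No | No |
| Self-Hosted | Yes | No | No | No | No |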

Frequently Asked Questions

Koder Pass combines the capabilities of an authenticator app (like Google Authenticator), a password manager (like 1Password), an identity verification platform (like Jumio), and an enterprise MFA provider (like Duo) into a single open-source, self-hosted solution. It includes features like document verification, NFC chip reading, W3C Verifiable Credentials, behavioral analytics, and conditional access policies that no single competitor offers.

Yes. All vault data is encrypted with AES-256-GCM before leaving your device. The encryption key is derived from your master password using PBKDF2-SHA256 with 600,000 iterations. The server only stores opaque ciphertext and cannot read your data. Sync between devices is also fully end-to-end encrypted.

Yes. The Go backend is a single binary with minimal dependencies (PostgreSQL and Redis). A Docker Compose setup is provided for easy deployment. You can run it on your own infrastructure with your own Koder ID instance for complete data sovereignty.

The Flutter app supports Android, iOS, macOS, Linux, Windows, and web. The primary target is mobile (Android and iOS) where biometric authentication and NFC chip reading are most relevant. The Go backend runs on any platform that Go supports.

When a service sends an authentication request, a push notification is delivered to your phone. You see the service name, IP address, location, and a number matching challenge. You must select the correct number (shown on the login screen) to approve the request. This prevents accidental approvals and push fatigue attacks.

Yes. Koder Pass is released under the MIT License. You can use, modify, and distribute it freely. The source code is available on Koder Flow.

Travel Mode lets you temporarily hide sensitive vaults when crossing borders. When enabled, selected vaults become invisible in the app. Only you can disable Travel Mode with your full authentication, ensuring that border agents or device inspections cannot see your hidden credentials.