Secure & Robust Authentication

CoSync Auth is a simple service that goes beyond the basics to deliver the features developers need.

MongoDB recommends JWT authentication as the preferred method for authenticating users into a MongoDB App Service.

Book a Call →

Everything you need

to get started fast.

For the best possible experience, MongoDB App Services suggests using a JWT authentication provider based on JSON Web Tokens. CoSync Auth allows you to quickly implement JWT authentication with all of these additional features built right in.

User Metadata

Collect names, demographic info, phone numbers, emails, or anything else you want at registration and pass this info along to App Services with metadata unique for your application.

Multi Factor Authentication

Connect with Google Authenticator or send authentication codes via Twilio SMS when a user signs in.  Ensure a compromised password doesn’t actually permit access.

Gated Entry

Manage user growth by distributing invite codes or allowing users to invite others with codes. The whole gated entry process can be set up and managed through the CoSync Portal.

Password Filtering

Impose password requirements on application users when they onboard or change their password to require a minimum length, case, numbers, and special character counts.


Password Reset Flow

When a user forgets their password, you can trigger a custom email from your own custom email addresses to send to your user email account with a code to reset their password. 

CoSync Auth Pricing

Get started for free for up to 5000 users and only pay $1 per month per thousand users as you scale. For enterprise applications contact us about self-hosted JWT deployments.

What makes CoSync Auth secure?

In short: RSA public/private key encryption.

The RSA standard is sufficiently secure so as not to be cracked through a simple brute force method – it is also the basis for cryptographic signatures with blockchain and all crypto-currencies. Asymmetric RSA encryption is based on a simple concept; if a message is encrypted (or signed) with a private key, that message can only be decrypted with a single public key – in the matching key pair.

In the JWT standard, the payload is in fact not encrypted; the only encrypted piece is the signature which is produced by running an RS256 encryption hash using a private key on the header and the payload of the JWT token. The signature provides proof to the MongoDB App Service instance that the JWT token originated from the CoSync Auth system, and not some malicious third party.

JSON Web Tokens (or JWT) is the secure mechanism through which the CoSync Auth service provides identity management to a MongoDB App Services application. The CoSync Auth service stores a user’s handle and password in an encrypted database. When an application needs to validate the credentials of a user, it defers this task to CoSync Auth.

  1. The user’s handle and password are validated against the user’s credentials that are stored in the database.
  2. The CoSync Auth service can also confirm the user’s identity through Google’s two-factor authentication service, or by sending the user a code to his/her verified phone number.
  3. After verification, the CoSync Auth signs a JWT token with the application’s secret private key that is kept confidential.

Since the CoSync Auth system stores the secret private key, a MongoDB App Services application instance configured with the corresponding public key is guaranteed that only the CoSync Auth system could sign the authenticating JWT tokens on behalf of the application users. In order to produce counterfeit tokens, a malicious system would have to gain access to the private key, which is stored in an encrypted form on the CoSync Auth database.

Start free today.