Locksmith

Auth in an afternoon. Not a week.

A lightweight authentication API for developers building SaaS. Get a project, drop in an API key, and start signing in users without the enterprise overhead of competitors or the risk of rolling your own.

Free to start. No credit card required.

auth.ts
import { LocksmithClient } from '@getlocksmith/sdk'

const auth = new LocksmithClient({
  apiKey: process.env.LOCKSMITH_API_KEY!,
})

// Your project's public key (PEM) for local verification; the env var name
// is an assumption, load it however you manage configuration
const publicKey = process.env.LOCKSMITH_PUBLIC_KEY!

// Sign up a user, get tokens
const { user, accessToken } = await auth.signUp({
  email: 'alice@example.com',
  password: 'correct-horse-battery',
})

// Verify locally — no network call
const payload = auth.verifyToken(accessToken, publicKey)

How it works

Three steps from API key to signed-in user.

Create a project

Sign up, create a project, copy your API key. Your project gets its own RSA-2048 keypair automatically. Takes about 30 seconds.

~30 seconds

Call the endpoint

Hit POST /api/auth/signup with an email and password. Or npm install @getlocksmith/sdk and use the TypeScript client. Either way, two lines.

REST + SDK

Tokens in hand

Your user gets an RS256 access token and a rotating refresh token. Verify the JWT locally with your public key — no round-trip needed.

Verify locally

npm install @getlocksmith/sdk

curl -X POST -H "X-API-Key: lsm_live_xxxx" -H "Content-Type: application/json" -d '{"email":"alice@example.com","password":"correct-horse-battery"}' https://getlocksmith.dev/api/auth/signup

What's included

Everything authentication needs. Nothing it doesn't.

RS256 per project

Each project gets its own RSA-2048 keypair. Tokens are signed with your key and verifiable locally with the public key — no call back to Locksmith needed.
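The local verification described in the steps above and in this feature, as an added example that is not part of the Locksmith SDK: Node's built-in crypto module checks an RS256 token against a project's public key with no network call. The keypair, the mint() helper and the claims are constructed here so the example runs offline; assume the real public key comes from your project settings.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from 'node:crypto'

const b64url = (s: string): string => Buffer.from(s).toString('base64url')

// Constructed keypair standing in for a project's RSA-2048 keypair (example only).
export const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })

// Builds a signed JWT so the verifier has something to check; Locksmith would
// normally mint this server-side, this helper is only for the offline demo.
export function mint(claims: Record<string, unknown>, key: KeyObject = privateKey): string {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
  const body = b64url(JSON.stringify(claims))
  const signer = createSign('RSA-SHA256')
  signer.update(`${header}.${body}`)
  return `${header}.${body}.${signer.sign(key, 'base64url')}`
}

// Verifies an access token locally using only the project's public key.
// Returns the claims on success, throws on any failure.
export function verifyRs256(
  token: string,
  pubKey: KeyObject,
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('malformed token')
  const [h, p, s] = parts as [string, string, string]
  const header = JSON.parse(Buffer.from(h, 'base64url').toString())
  // Pin the algorithm to RS256: the token's own header must never choose it,
  // which rules out "none" and HMAC tokens signed with the public key.
  if (header.alg !== 'RS256') throw new Error(`unexpected alg: ${header.alg}`)
  const verifier = createVerify('RSA-SHA256')
  verifier.update(`${h}.${p}`)
  if (!verifier.verify(pubKey, s, 'base64url')) throw new Error('bad signature')
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString())
  // Signature alone is not enough: also enforce expiry.
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired')
  return claims
}
```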

Refresh token rotation

Every refresh issues a new token and invalidates the old one. A replayed token triggers immediate revocation of all sessions for that user.

Magic links

Passwordless auth in one API call. Tokens hashed before storage. TTL-configurable. Custom email templates on Solo and Pro plans.

Password resets

Time-limited reset tokens, hashed at rest. A successful password update revokes all existing sessions to force re-authentication everywhere.

Webhooks

HMAC-SHA256-signed event payloads delivered to your endpoint. Events include user.created, user.login, session.revoked, and security.replay_detected.

Audit log

Every auth event logged with IP address, user agent, and structured context. Queryable in the dashboard. Available on Solo and Pro plans.

Custom claims

Set default metadata for new users — plan, role, workspace ID, anything. The fields are embedded in the JWT so your services never need a second lookup.

TypeScript SDK

npm install @getlocksmith/sdk. Typed client with adapters for Next.js middleware and tRPC context. Designed for server-side use.

Pricing

Simple pricing. No metered surprises.

Free

For side projects and early exploration.

Price: Free
Projects: 1
Users / project: 500
Webhooks: 1
Refresh TTL: 7 days
RS256 keypairs
Magic links
Password reset
Custom email templates
Audit log

Solo

Recommended

For indie hackers shipping their first product.

Price: $9/mo
Projects: 3
Users / project: 5,000
Webhooks: 5
Refresh TTL: 30 days
RS256 keypairs
Magic links
Password reset
Custom email templates
Audit log (30 days)

Pro

For growing products with no artificial ceilings.

Price: $19/mo
Projects: Unlimited
Users / project: Unlimited
Webhooks: Unlimited
Refresh TTL: 90 days
RS256 keypairs
Magic links
Password reset
Custom email templates
Audit log (90 days)

All plans include the full REST API, TypeScript SDK, and CORS configuration per project.

Drop in auth. Move on to what matters.

No sales call. No 47-tab configuration panel. No waiting on a compliance review. An API key and an afternoon.