Drop-in auth for any web app

Secure sign-in without passwords

Add Google popup, Email OTP and Magic Links to any web app in minutes. Hosted, OIDC-compatible, RS256-signed — zero backend secrets required.

  • No credit card
  • HTTPS + HSTS
  • OIDC-compatible
  • RS256 JWTs

Live Auth Flow

  • Firebase SDK: signInWithGoogle() triggered
  • Google OAuth: identity user@gmail.com verified ✓
  • Token Issued: RS256 JWT · sub: usr_01JXTZ…

Authentication methods

Every way users want to sign in

Choose one or combine them all — each method is independently configurable per app.

Most popular

Google Sign-in

One-tap popup via Firebase SDK. No page reload, no redirect round-trip, no credentials ever touch your backend.

Email OTP

6-digit codes sent via AWS SES. 10-minute expiry, automatic rate-limiting, and resend with one click.

Magic Link

Single-use sign-in links emailed to users. Click once, authenticated instantly. 15-minute expiry, no password required.

OIDC Compatible

Standard access + refresh tokens with RS256 signing. Drop into any OIDC-aware framework with zero changes.

Multi-tenant Apps

Each app gets its own clientId, redirect URI allowlist, and isolated user namespace — no cross-app leakage.

Auto JWKS

Public key endpoint at /api/jwks. Verify tokens in Node, Python, Go, PHP or Ruby — no shared secrets needed.

Enterprise-grade security

Zero secrets. Maximum trust.

Firebase ID tokens are verified using Google's public JWKS — no service account JSON, no private credentials stored anywhere. RS256 asymmetric signing means any client can verify, but nobody can forge.

  • Google JWKS verification — no service account needed
  • RS256 asymmetric signing — public key verification
  • HTTPS-only + HSTS headers enforced by Caddy
  • Rate-limited OTP delivery with automatic expiry
  • Audit log written for every authentication event

Authentication Pipeline

  • User Click: handleGoogleLogin() invoked
  • Firebase SDK: signInWithPopup(GoogleAuthProvider)
  • Google OAuth: ID token returned · exp: 3600s
  • JWKS Verify: securetoken@system.gserviceaccount.com
  • Session Issued: RS256 access_token + refresh_token signed

Integration guide

Live in 5 minutes. No PhD required.

Three steps. No SDK to install on your end. Any frontend framework works.

1. Create an App in Admin

Sign in to the admin panel, click Create App, set your allowed redirect URIs and choose which auth methods to enable.

2. Redirect users to login

Point your users to the TrustOTP login URL with your client_id and redirect_uri. Google, OTP and Magic Link are all on the same page.

3. Receive signed tokens

On callback, receive an RS256-signed access token in query params. Verify it with our JWKS endpoint and you are done. No SDK, any language.

integration.ts
import { createRemoteJWKSet, jwtVerify } from "jose";

// 1. Browser: redirect the user to the TrustOTP login page.
//    randomState() is your own helper: return an unguessable per-request value.
const url = new URL(
  "https://trustotp.rocketinternet.in/login"
);
url.searchParams.set("client_id",    YOUR_CLIENT_ID);
url.searchParams.set("redirect_uri", CALLBACK_URL);
url.searchParams.set("state",        randomState());
window.location.href = url.href;

// 2. Server, on callback: tokens arrive as query params.
//    The sub query param is unverified; trust payload.sub from step 3 instead.
const { access_token, sub } = req.query;

// 3. Verify with our public JWKS (any language)
const JWKS = createRemoteJWKSet(new URL(
  "https://trustotp.rocketinternet.in/api/jwks"
));

// Pin the algorithm to RS256 rather than trusting the token's own header.
const { payload } = await jwtVerify(
  access_token, JWKS, { algorithms: ["RS256"] }
);
// payload.sub  → your user ID ✓
// payload.email → verified email ✓

Google Popup

  • 1-tap sign-in
  • Firebase SDK
  • No redirect
  • Zero secrets

Email OTP

  • 6-digit code
  • AWS SES delivery
  • 10-min expiry
  • Rate-limited

Magic Link

  • Click-to-login
  • Single-use token
  • 15-min expiry
  • Passwordless

Ship auth today.

The admin panel is live. Create your first app, grab the client ID, and your users can sign in with Google in under 5 minutes.

Self-hosted on Oracle Cloud · HTTPS secured · Free forever