X-Auth is the identity platform for the AI era. Risk-based authentication for your users. Scoped, pooled identities for your AI agents. One platform. Two products. Zero shared service accounts.
```javascript
import { XAuth } from '@xentranet/x-auth';

const xauth = XAuth.init({ tenantId: 'your-app' });

// Frontend — advice() runs any required OIDC step-up and returns
// a transaction-scoped access_token, bound to this exact action.
const { decision, access_token } = await xauth.advice({
  action: 'transfer', amount: 2999, currency: 'USD',
});
if (decision === 'ALLOW') {
  fetch('/api/transfer', {
    method: 'POST',
    headers: { authorization: `Bearer ${access_token}`, 'content-type': 'application/json' },
    body: JSON.stringify({ amount: 2999, currency: 'USD' }),
  });
}

// Your backend — verify() echoes back the bound transaction_ctx.
// `bearer` is the token from the Authorization header, `body` the parsed request body.
// `expect` asserts the token matches THIS action (or it throws).
const { transaction_ctx } = await xauth.verify(bearer, {
  expect: { action: 'transfer', amount: body.amount },
});
```

X-Auth solves identity twice — once for the humans using your app, and once for the AI agents acting on their behalf. Shared risk engine. Shared console. Separate plans.
Drop-in OIDC provider with a live risk score on every request. Your users glide through when trusted, get challenged when they shouldn't be.
An MCP-native identity broker. Every MCP connection is bound to a scoped, revocable identity from a pool you control — no more shared service accounts or over-scoped keys.
Install mcp.x-auth.com, pick a persona, OIDC does the rest.

Risk-based OIDC for the humans using your app. Seamless access for the trusted, hard stops for the rest.
Static authentication treats every login the same. That's not security — it's friction theater.
"Why are you asking for an SMS one-time code when I just want to log in and check my debit balance from the same home computer I use every single time?"
That's your customer. Frustrated. Abandoning your app. Traditional authentication blasts every user with MFA hurdles regardless of how well you know them.
Dynamic, risk-based authentication changes that. X-Auth evaluates a live trust score on every request — device reputation, behavioral patterns, location, and network signals — continuously, not just at login. As part of a Zero Trust framework, every access attempt is verified in real-time.
Legitimate users glide through. Threats get stopped. Make accessing your system a low-friction experience for the good citizens of the internet, and a wall for everyone else.
X-Auth evaluates both the identity signals behind a request and the sensitivity of what's being accessed — then matches the friction to the actual risk.
- Low risk, e.g. a login request for read-only access: trusted identity signals and a low-sensitivity operation.
- Medium risk, e.g. report generation over sensitive data: elevated sensitivity or a mild deviation in identity signals.
- High risk, e.g. a payment attempt: a high-value operation, suspicious signals, or both.
X-Auth ingests four categories of signals continuously to build a live trust score for every session — not just at login.

- Device signals: each device is fingerprinted and scored against historical fraud patterns and browser entropy. New or anomalous devices are flagged before a credential is ever entered.
- Behavioral signals: AI/ML models build a behavioral baseline for each user — typing cadence, mouse dynamics, touch pressure, and navigation patterns. Deviations trigger escalation automatically.
- Network signals: IP reputation, geo-fencing, traffic velocity analysis, VPN detection, and Tor exit node identification guard against proxy abuse and distributed credential attacks.
- User and session signals: session duration, access times, resource access patterns, and privilege escalation attempts are monitored continuously throughout the session — not just at login.
One universal endpoint evaluates risk for any journey; the authenticator service executes the step-up when the answer is "prove you're you."
One endpoint — POST /v1/advice — protects any journey. Login, checkout, transfer, profile change, sensitive read: send a transaction_ctx and a device_ctx, get back ALLOW, STEP_UP with a required ACR, or DENY. No flow-by-flow integration.
A full OIDC provider with risk-aware step-up. When /v1/advice returns STEP_UP, the authenticator service dispatches the right challenge — passkey, push, TOTP, SMS, or magic link — and the session is upgraded with the achieved ACR.
Signal aggregation and policy engine behind every advice call. Ingests device, behavioral, network, and user signals; weighs them against tenant policy and resource sensitivity; returns a tier — low, medium, high — with a per-tier decision.
An MCP-native identity broker at mcp.x-auth.com. Real, scoped, revocable identities for every agent you deploy.
Your AI agents are running with credentials they shouldn't have — and you have no audit trail when things go wrong.
"Which agent made this API call? Under whose authority? With what scope? And how do I revoke just that one without breaking the others?"
That's your security team. Staring at a shared service account used by a dozen agent workloads. One prompt injection away from a breach. One audit query away from a compliance finding.
Today's agents check into systems using credentials borrowed from humans, API keys with superuser scope, or a shared service account that can't be scoped down without breaking something. None of that is identity — it's a backdoor with a sticker on it.
X-Auth for Agents gives every MCP connection a real identity, pre-scoped to the minimum claims it needs, drawn from a pool you manage. Revoke one without touching the others. Audit every connection. Sleep at night.
Three primitives. Define once in the X-Auth console, consume from any AI chat or agent runtime.
A persona is a pre-authorized bundle of claims — OAuth scopes, entitlements, attributes. Defined once by your security team, reused across every agent that takes on that role.
```yaml
persona: "crm-reader"
scopes:
  - crm.contacts.read
  - crm.accounts.read
ttl: 15m
```
An identity pool holds concrete agent identities eligible to assume one or more personas. Size the pool to your workload. Assign, rotate, revoke — per-identity, without collateral damage.
```yaml
pool: "support-desk-agents"
size: 25
personas:
  - crm-reader
  - tickets-writer
```
The AI chat owner installs mcp.x-auth.com as a tool and picks the persona they need. A standard OIDC handshake runs — X-Auth binds an identity from the pool and grants exactly the scopes the persona authorizes. The connection embodies that identity for its lifetime.
```yaml
install: mcp.x-auth.com
persona: crm-reader
handshake: oidc
scopes:
  - crm.contacts.read
  - crm.accounts.read
# → identity bound, tokens issued
```
The broker handles the identity lifecycle so your agent runtime doesn't have to. MCP-native from day one.
Codify the OAuth scopes and claim bundles your agents are allowed to assume. Version them, review them, sign them. Your security team owns what "agent authority" means — the agents don't negotiate it at runtime.
Real, concrete identities — not stamped-out JWTs. Assign pool size to workload volume, set per-identity TTLs, rotate or retire individuals without taking down the fleet. Scope each pool to one or more personas.
Install mcp.x-auth.com as a tool in Claude, ChatGPT, Cursor, or any MCP-aware runtime. Pick a persona at install — the OIDC handshake binds an identity from the pool. If your runtime supports DCR (Dynamic Client Registration) or CIMD (Client Identifier Metadata Document), install is truly zero-config — no manual client provisioning, no copy-pasted secrets.
Every MCP connection is logged with the requesting runtime, the selected persona, the pool, and the bound identity. Revoke a live connection mid-session. Trace any downstream API call back to the exact agent, persona, and time window.
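The persona, pool and per-identity revocation model above, as an added toy implementation that is not the X-Auth broker: the `IdentityPool` class, the identity naming scheme and the `tickets-writer` scope list are assumptions of this example; the persona and pool names are the ones defined earlier on the page.

```javascript
// Added illustration, not the X-Auth broker: a toy identity pool that binds one
// pooled identity per MCP connection to a persona's pre-authorized scopes and
// revokes per identity. Persona/pool names mirror the definitions above;
// the tickets-writer scope list and the identity naming scheme are assumed.
const PERSONAS = {
  'crm-reader':     { scopes: ['crm.contacts.read', 'crm.accounts.read'], ttlMs: 15 * 60 * 1000 },
  'tickets-writer': { scopes: ['tickets.write'], ttlMs: 15 * 60 * 1000 },
};

class IdentityPool {
  constructor(name, size, personas) {
    this.name = name;
    this.personas = new Set(personas);           // personas this pool may assume
    this.free = Array.from({ length: size }, (_, i) => `${name}-${String(i + 1).padStart(3, '0')}`);
    this.bound = new Map();                      // identity -> live connection
  }

  // OIDC handshake outcome: one concrete identity, exactly the persona's scopes, a TTL.
  bind(persona, runtime, now = Date.now()) {
    if (!this.personas.has(persona)) throw new Error(`${this.name}: persona ${persona} not eligible`);
    const identity = this.free.shift();
    if (!identity) throw new Error(`${this.name}: pool exhausted`);
    const def = PERSONAS[persona];
    const conn = { identity, persona, runtime, scopes: [...def.scopes], exp: now + def.ttlMs };
    this.bound.set(identity, conn);
    return conn;
  }

  // Downstream API check: every call is traceable to identity, persona and time window.
  authorize(identity, scope, now = Date.now()) {
    const conn = this.bound.get(identity);
    if (!conn) return { ok: false, reason: 'unbound_or_revoked' };
    if (conn.exp <= now) { this.revoke(identity); return { ok: false, reason: 'expired' }; }
    if (!conn.scopes.includes(scope)) return { ok: false, reason: 'scope_not_granted' };
    return { ok: true, persona: conn.persona, runtime: conn.runtime };
  }

  // Revoke one identity and return it to the pool; every other bound identity is untouched.
  revoke(identity) {
    if (!this.bound.delete(identity)) return false;
    this.free.push(identity);
    return true;
  }
}
```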
From fintech startups to enterprise infrastructure — X-Auth is the foundation of digital trust.
No credit card required on either product's Developer tier. Pick the surface you're starting with — or use both.
Risk-based OIDC for the users of your app. All tiers include the full risk engine.
Provision real identities for your AI agents. Tiers scale on concurrent agent identities, distinct personas, and MCP installs.
Free-tier signups, sales questions, security reviews — we reply the same business day.
Pricing, onboarding, proofs-of-concept — or just a quick question before you sign up.
Found a vulnerability? Disclose privately to security@x-auth.com. PGP key on request.
Dedicated-cluster deployments (SOC 2, ISO 27001, HIPAA, PCI DSS), SSO/SCIM, and 24/7 security response. Start an enterprise conversation →