Authio docs

Authio Lobby

Sign-in methods

Lobby ships four sign-in surfaces. Pick the ones your users actually attempt.

Lobby supports four sign-in methods out of the box. The hosted UI shows the ones you enable on the project; you can also call each method directly from the SDK.

Passkeys

WebAuthn / FIDO2 platform authenticators (Touch ID, Face ID, Windows Hello, Android biometrics) and roaming authenticators (YubiKey, Solo). Cross-device passkeys via iCloud Keychain and Google Password Manager work out of the box. RPID-per-origin is configured per project so each WebAuthn ceremony pins to the requesting origin.

Deep dive: Passkeys (in Concepts), WebAuthn RPID for custom domains.

Magic Auth

Single-use magic link, bound to IP address and User-Agent (IP+UA). 10-minute TTL by default. Sent over your existing email transport (SES today; per-tenant provider overrides ship with the parallel P1-B Custom email providers worker). Useful as the cold-start credential on a new device when no passkey is enrolled yet.

Deep dive: Magic links (in Concepts).
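
The three properties above (single use, IP+UA binding, 10-minute TTL) can be enforced together at redemption time. The sketch below is an added example, not Authio's implementation or SDK: MagicLinkStore, issue and redeem are hypothetical names, the in-memory dict stands in for a server-side table, and it assumes the binding is captured when the link is requested and compared when it is redeemed.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 600  # the page's default 10-minute TTL


class MagicLinkStore:
    """Hypothetical in-memory token table (illustration only, not Authio's API)."""

    def __init__(self, now=time.time):
        self._rows = {}  # sha256(token) -> row; the raw token is never stored
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def _binding(self, ip, user_agent):
        # Assumption: the binding is a hash over the IP and User-Agent pair.
        return self._digest(ip + "\n" + user_agent)

    def issue(self, email, ip, user_agent):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "email": email,
            "binding": self._binding(ip, user_agent),
            "expires": self._now() + TTL_SECONDS,
        }
        return token  # this value goes into the emailed link

    def redeem(self, token, ip, user_agent):
        """Return (email, "ok") on success, otherwise (None, reason)."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None, "unknown_or_used"
        if self._now() >= row["expires"]:
            del self._rows[key]  # expired rows are purged on sight
            return None, "expired"
        if not hmac.compare_digest(row["binding"], self._binding(ip, user_agent)):
            # Design choice in this sketch: a mismatch does not consume the
            # token, so the original device can still redeem it before expiry.
            return None, "binding_mismatch"
        del self._rows[key]  # single use: consume before returning success
        return row["email"], "ok"
```

Distinct failure reasons are useful in server logs; the response shown to the user can stay generic.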

Social

Google, Microsoft, Apple, GitHub, Slack, LinkedIn, Discord, and the long tail. Configured per-project at /settings/security in the dashboard. The OAuth callback sets a session cookie identical in shape to passkey and magic-link sessions.

SSO (OIDC + SAML 2.0 + SCIM)

Enterprise federation. Each organization gets one SSO connection (id sso_…) that’s either OIDC or SAML. There are three ways to connect a customer’s IdP, in order of preference:

  • One-click Microsoft — the admin clicks Connect Microsoft, grants admin consent, and Authio auto-provisions an active OIDC connection against their Entra tenant. No App registration, no paste.
  • OIDC — any OpenID Connect IdP: issuer + client id + client secret.
  • SAML — the manual wizard shows the SP Entity ID / ACS URL inline with copy buttons.

Your customer’s IT team can also self-serve from a one-time SSO Setup Portal link or the embedded SSO Connection widget. To skip the method picker and send a user straight to their IdP, point your “Sign in with SSO” button at the SP-initiated login URL — the WorkOS-style direct flow.

Deep dive: Connecting an identity provider, per-org authentication methods, Directory Sync widget, SAML attribute mapping.

How to pick

  • B2B SaaS, sells to enterprises: enable Passkeys, Magic Auth, and SSO. Skip Social unless your users explicitly ask for "Sign in with Google" — most enterprise IT prefers SSO.
  • Prosumer / B2C product: enable Passkeys, Magic Auth, and Social. SSO is rarely needed; you can flip it on per-org later.
  • Internal tools: enable SSO only. Mint memberships via JIT at the SSO callback.