Session Security SDK

TOKENFORGE

Cryptographic device binding for web sessions. Stolen tokens become worthless.

TokenForge binds every session to the user's device using ECDSA P-256 keypairs generated with the Web Crypto API. Private keys never leave the browser. Every request is signed in response to a server challenge. Session hijacking becomes a solved problem.

DEVICE BINDING

Non-extractable ECDSA P-256 keypairs. Stolen tokens are worthless without the hardware.

CHALLENGE-RESPONSE

Every request is signed. Replay attacks are mathematically impossible.

TRUST SCORING

7 weighted signals: device fingerprint, IP consistency, session age, behavior analysis.

STEP-UP AUTH

Automatic re-authentication when anomalies are detected. Zero user friction when clean.

ZERO DEPENDENCIES

Built on Web Crypto API. No external libraries. Works in every modern browser.

FRAMEWORK AGNOSTIC

Adapters for Hono, Express, Next.js. Server SDK is framework-independent.

tokenforge-example.ts
// Server: verify device-bound session
import { verifySession } from '@opensyber/tokenforge'

const result = await verifySession(request, {
  trustThreshold: 0.7,
  stepUpOnAnomaly: true,
  maxSessionAge: '24h',
});

// result.trustScore: 0.92
// result.deviceBound: true
// result.verified: true
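
The device binding and challenge-response signing described above, sketched directly on the Web Crypto API as an added example (not TokenForge's own code or API). The function names, the in-memory nonce store and the newline-joined message layout are assumptions made for illustration.

```javascript
// Added example; createDevice, signRequest and createServer are hypothetical names, not TokenForge APIs.
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const wc = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const encode = (nonce, method, path) => new TextEncoder().encode(`${nonce}\n${method}\n${path}`);
// Client: keypair generated with extractable=false; only the public key is enrolled.
async function createDevice() {
  const { subtle } = await wc();
  const { privateKey, publicKey } = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  return { privateKey, publicJwk: await subtle.exportKey('jwk', publicKey) };
}
// Client: sign the server nonce together with the request it authorizes.
async function signRequest(privateKey, nonce, method, path) {
  return (await wc()).subtle.sign(SIG, privateKey, encode(nonce, method, path));
}

// Server: nonces are single-use, so a captured (nonce, signature) pair cannot be replayed.
function createServer(publicJwk) {
  const pending = new Set();
  return {
    async issueChallenge() {
      const bytes = (await wc()).getRandomValues(new Uint8Array(16));
      const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
      pending.add(nonce);
      return nonce;
    },
    async verifyRequest(nonce, method, path, signature) {
      if (!pending.delete(nonce)) return false; // unknown or already consumed
      const { subtle } = await wc();
      const key = await subtle.importKey('jwk', publicJwk, ALG, false, ['verify']);
      return subtle.verify(SIG, key, signature, encode(nonce, method, path));
    },
  };
}

async function demo() {
  const device = await createDevice();
  const server = createServer(device.publicJwk);
  const n1 = await server.issueChallenge();
  const sig = await signRequest(device.privateKey, n1, 'GET', '/account');
  const first = await server.verifyRequest(n1, 'GET', '/account', sig);
  const replay = await server.verifyRequest(n1, 'GET', '/account', sig); // same nonce again
  const other = await createDevice(); // constructed: a copied session used from another device
  const n2 = await server.issueChallenge();
  const sig2 = await signRequest(other.privateKey, n2, 'GET', '/account');
  const stolen = await server.verifyRequest(n2, 'GET', '/account', sig2);
  const exportBlocked = await (await wc()).subtle.exportKey('pkcs8', device.privateKey).then(() => false, () => true);
  return { first, replay, stolen, exportBlocked };
}
```

`demo()` resolves to `{ first: true, replay: false, stolen: false, exportBlocked: true }`: the enrolled device verifies once, the replayed pair and the foreign key are rejected, and the private key cannot be exported.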

Built into OpenSyber. Available as standalone SDK.
