Runs In A Serverless Infrastructure Inside Your Environment And Authenticates Users By Integrating Login Capabilities In Your Application Without Writing Any Code or Using Integration Libraries

HexaEight Serverless Is Currently Available For Cloud Flare Workers
and Vercel (NextJS)

What Is HexaEight Serverless?

HexaEight Serverless is a Cloud Function that runs in a Serverless Infrastructure and displays a Login Page containing a QR Code to the User when the user visits your application.  The User uses our native mobile app  to scan the QR Code which completes the authentication process and allows the user to login to your application.

HexaEight Serverless authentication is best suited for securing any Application or Websites hosted in your own domain and supports cookie based authentication.


JAMStack Sites

Integrate Authentication in JAMStack Applications instantly without writing any code. Allow your developers to focus more on writing code specific to your application

No Code

Developers do not need to write any code to implement authentication  in your application. A single rest API call is all it takes to determine the logged in user

Integrate Any Web Application

Integrate authentication for applications written in any language by pointing your application to the login page that is available when you install our authentication template

No  Integration Libraries

Our Authentication requires no integration libraries, this allows you to plug in our authentication in any language of your choice and not depend on us to provide libraries


Our Authentication Flow ensures users complete the login process instantly and are redirected to your application regardless of the number of users trying to login to your application

Pay For What
You Use

Keep Infrastructure costs as low as $5 to deploy our authentication template in a serverless environment and spend as low as $0.144 per month for an active user logged in 24x7 

No Password

Since our Platform does not store user credentials, password breaches cannot occur in our environment. In fact we wont even store any other information about your authentication

Enhanced Security

Our authentication provides enhanced security because we complete the entire user authentication process within your infrastructure environment without redirection

Enable Authentication For JamStack Sites Or Any Web Application

JAMStack is the new architecture used by next generation applications used for building easier, secure and scalable applications.

Authentication for JAMStack applications can sometimes prove to be challenging for developers to implement especially if you want a implement a pluggable authentication that involves a complex authorization logic layer.

Similarly implementing authentication in applications that combine multiple languages can sometimes prove to be challenging for developers. The complexity of integrating authentication increases when you have to depend on an external identity provider to provide you with libraries for your favorite programming language. 

Unlike other providers who will offer you a integration library or widget for specific language that your developers  need to use to integrate authentication in your application,  HexaEight Universal Authentication Platform, requires no coding or integration libraries to implement the authentication logic, in-fact, we go one step further and provide you with an instant login page that your developers can use to point your application, so that developers can focus on spending quality time writing application code rather than spending countless hours trying to integrate authentication for your application.

We also provide you an option to customize your login page in case you wish to be more creative and want to improve the user experience.

While, we do the authentication for you, it is the responsibility of your developers to write the code specific to your authorization layer since we believe each application uses a different approach for authorization.  This provides complete control to develop complex authorization logic in your application such as allow role based access or a simple login access to your applications or even  pointing to your own database to determine the list of allowed users for your application.

By integrating our authentication, we instantly offer two benefits, capability to authenticate any email user in your application and allowing your developers to focus on writing your application specific code.

Is HexaEight Serverless Similar To OpenID Connect (OIDC)?

HexaEight Serverless can serve as a replacement for OpenID Connect that allows any Web Application to verify the identity of the user. 

While OpenID Connect solves the problem of application developers trying to authenticate users without taking on the responsibility of storing and managing passwords, HexaEight Serverless takes this one step further by allowing users to get authenticated by completely eliminating the need to store user passwords both on our end as well as in your application providing the benefit of both instant and scalable authentication.

In order to authenticate a user, every Identity Provider stores the username and passwords in their Infrastructure and deploys OpenID Connect On The Top of OAuth2 To Verify the User Identity by redirecting the application to their Identity provider user sign in page to accept the username and password for verification.

As the number of users grow, the infrastructure required to support authentication becomes complex and is suitable only for large enterprises that can afford to maintain this kind of infrastructure operations, for example Social Login providers.  

HexaEight Serverless on the other hand allows a relatively small company say a startup deploy a simple serverless infrastructure that has the capability to authenticate millions of users in their application at a fraction of the cost without having to maintain and incur large infrastructure expenditure. 

HexaEight Serverless achieves this capability by using HexaEight Secure Platform that allows seamless authentication across users and machines without the need to store user passwords using Patent-pending Encryption technology.

HexaEight Serverless Quick Authentication Flow

HexaEight Serverless is deployed in the Cloud as a Serverless Function and Displays a login page to the user


Users use our Mobile App to get authenticated in your domain and allow the browser to store a same site secure http only cookie


Server Applications that support cookies can use the http only cookie to authenticate the user and grant access


Trusted Server Applications that don't support cookies can use the JWT inside the cookie to identify the authenticated user


HexaEight Serverless Detailed Authentication Flow

What are Data Sinks?

Data Sinks are nothing but a random drop and pickup location that is used to transmit Encrypted tokens between Client App, the User Mobile and HexaEight Token Service.  One of the Salient features that these Data sinks posses is that these drop and pickup points are for one time usage.  So in the event if a malicious user picks up the token prior to the Token Server, the server will invalidate the authorization request since it could not fetch the encrypted token.

Backup Authentication

If you already have an authentication scheme deployed, you can still use our authentication as a backup and alternative means of authentication.

Simple Integration

If you have implemented Open ID Connect and OAuth2, or used a Social Provider based Authentication process you will be familiar with the user redirection process to the Identity Provider Site to complete the authentication process. 

Unlike Open ID Connect, HexaEight Serverless does not implement any redirection during authentication, instead it completes the authentication process for any email user without redirecting the user to an external site resulting in a great user authentication experience.

Any Identity Provider implementing Open ID Connect, provides a set of integration libraries for different languages so that they can abstract the complex implementation of Open ID connect for developers to integrate in applications.

HexaEight Serverless on the other hand has no integration libraries.  Instead you get a prepackaged login page upon installation, that can also be customized and used instantly to authenticate any user.  The login page has a number of customization parameters including a redirect url that can be used to redirect the user after successful authentication to your application.

Since there are no integration libraries, HexaEight Serverless is future ready for integration using any new languages that might be launched in the future.

Validate Using Cookies

Upon successful authentication, HexaEight Serverless sets a cookie in your own Domain using Same Site strict cookie policy unlike Open ID Connect authentication which uses same site NONE cookie policy. This ensures maximum protection for your application by shielding against cross-site request forgery (CSRF) attacks. All that the Developers need to do is to check for the existence of HexaEight Cookies set by HexaEight Serverless in the application code.

Alternate Validation Using JSON Web Tokens

At times, your application code might need to access user data from an internal or external service.  In such a scenario, the usual implementation is to create a service account in your internal or external service which has access to all the user data. This opens up security issues, because your application now has to deal with safeguarding a service account. In order to enhance protection for your application, HexaEight provides a JSON Web Token inside one of the cookies set by HexaEight Serverless.  This encrypted JSON Web token can be safel transferred using any protocol to the external or internal service, which can in turn call HexaEight to decode the logged in user and provide the user data back to the application thereby eliminating the need to maintain another service account at the application level. (See above Diagram depicting this flow)

Authenticate Any Email Address

Our Platform can validate any email user trying to login to your application, however the user first needs to obtain a Digital Identity Token using their email address by using our Native Mobile Application.

The user Digital Identity token is then used during the authentication process to verify the user identity before granting access to the  application. 

This process makes it easier to complete the authentication without requiring the user to visit our site to complete the login process unlike Open ID Connect which requires user redirection to an external identity provider site to complete the user authentication process.

Email Domain Filters

HexaEight Serverless has an option to add a Domain Filter that can limit the email users that are allowed to authenticate in your environment. This filter can be enabled or disabled for any instance of HexaEight Serverless by providing the list of email domains allowed to access your application.

No Credential Storage

Our Platform does not use the traditional approach of storing user credentials in a backend Database to complete the user authentication process. This feature allows us to perform stateless and instant authentication. Lastly, there is no scope for credential theft from our Platform since we do not store any user credentials.

Contactless Authentication

Our login process can be very helpful during this pandemic situation because it allows a No touch login, by displaying only a QR Code to the user and allowing the user's Mobile Application do the rest of the authentication.
This is very useful for registration or patient desks that wish to implement a contactless authentication using mobile phones.

Logging and Security

HexaEight Does not allow temporary Email IDs to be authenticated in any application. 

All JSON Web Token present inside cookies are encrypted using HexaEight Encryption.

HexaEight Serverless also keeps track of all the logged in users, the blocked users, when the users cookie was extended etc. and stores these logs in your Platform logs for auditing purposes and from a security perspective.

Attackers will never try to brute force into your application protected by HexaEight Serverless since it records the user's email address and login attempts.  

Since the user email address has been captured in the logs, it can later be used to identify the fraudulent user like shown below

Authentication Demo

Try out our first link demo that authenticates only Google Email (Gmail) users where as the second demo authenticates any email user.  You will first need to download and install our Mobile Application and create a Digital Token before you can try our Demo.


Frequently Asked Authentication Questions

HexaEight Authentication can accelerate the Application Development process and allows developers to focus on the application code rather than the authentication and the security aspects related to authentication. Our authentication process can be used like a catch all authentication for any application in your realm, by setting a cookie to identity the user and implement Single Sign on within your application code.

Assume you have a number of applications written in various languages by various teams for your end users or employees or customers.  Every application must keep a database of user credentials that are allowed access to the application, and the developer is in charge of user login, logout, and password resets. 

By incorporating our login process into your application, the developer can offload the authentication process to HexaEight Serverless hosted in your premises, allowing them to focus solely on application development and determining the logged in user by invoking a single API from your Application Code.  

End users benefit by having to create a single digital identity using any email address via our Mobile Application and use the same universal Identity to login into any of your applications. End users have an additional benefit of using the same universal identity to even access external applications if those external applications that integrate with HexaEight Authentication.

HexaEight Authentication is not directly beneficial if your application deploys Federated Authentication using OAuth2 Framework. Assume you've used OAuth2 to implement the Client authentication process to a cloud provider like Google, and now you've received an access token and a refresh token from Google to access data specific to the user from Google API servers. 

In this scenario, if you plan to replace Google Open ID Connect authentication with HexaEight Authentication and use our JSON Web token to access Google API servers, this scenario wont work. Our Cookie based JSON Web Token is not a replacement access token that can be used with external identity providers.

However, if you implement OAuth2 Server to Server Flow in your Application code and allow dual authentication by redirecting the user to Google and fetching a long term refresh token and store it in a http only secure cookie, you can then deploy HexaEight Authentication to verify the Gmail user the next time he logs in and use the stored refresh token to fetch data specific to the user directly from Google API servers and display it in your application.  The main advantage of clubbing our authentication with an existing Federated Authentication is that you do not need to  keep the client application logged in for an extended period of time or need to redirect the user to the external identity provider since the refresh token is already available in the cookie to fetch user related information.

HexaEight Authentication allows any authenticated and verified email user to access your application by default, provided they have successfully completed the QR Code verification process. HexaEight Serverless provides the option of filtering authentication based on specific domains rather than individual users.  When a user has been successfully authenticated, the application program can access a cookie or JSON Web token containing the user's information; however, it is the responsibility of the application to determine whether the user is permitted or not to access your application. 

This enables decentralized user authorization in your application by restricting our Platform's role to authentication and delegating the authorization process to your application.  This is incredibly helpful for applications that require a complex application-specific authorization logic implementation that cannot be satisfied by a simple role-based authorization.

Your application only needs to save the user's email address or a hash of the user's email address and complete the authorization process. 

Only the resources associated with a user, as well as authentication logs, are stored on our Platform.  One of the most serious threats to Identity Providers is the constant fear of their user credentials being compromised, which can have immediate consequences for the businesses and applications that rely on them.  However, HexaEight does not have this problem because we do not store user credentials and have built our Platform on a robust infrastructure that is resistant to attacks. However, anyone who is still unsure about implementing our authentication can be assured that no information can be gathered from our Platform in the event of a breach. 

By offloading the authorization process to your application, no information about your application, its users, or roles is stored on our platform, giving you complete control over where and how safely and securely you want to store this information in accordance with your business practices and security policies.

HexaEight Platform DOES NOT STORE USER PASSWORDS.  When our Platform issues a Digital token to a user, the token is protected by a password known only to the user.  We would also like to empathize that THIS DIGITAL TOKEN PASSWORD IS NOT ALSO STORED ON THE USER'S MOBILE.

As a result, the user is responsible for remembering their password and must enter it in the Mobile app prior to authentication.  The user password is encrypted in our mobile application memory as long as the Mobile App is running in the foreground or background, and it is destroyed when the mobile app is closed, at which point the user must reenter the password for that Digital Token.  This prevents passwords from being leaked if a phone is stolen.  Users ONLY need to take extra precautions to protect their email accounts because HexaEight Digital Tokens are issued by verifying their ability to access their email Inboxes. 

HexaEight JSON Web tokens issued our Platform are encrypted and can only be deciphered with an API key. However, all of the usual precautions that are taken when dealing with a JWT should be followed when using our JSON Web Tokens.  Because JSON Web Tokens are stored within an HTTP Only secure cookie, they are not accessible to JavaScript, and thus the JWT can only be exchanged on the server side with a non-cookie based application.  While our JWT is encrypted, we recommend using Transport layer security to send this token to other non-cookie server-based applications to avoid token leakage, even though the validity of each issued JSON web token is only for an hour.
Here is a sample cookie JSON Web token that is encrypted and issued by our Platform.

Simple Pricing for Everyone

HexaEight Serverless Authentication Pricing

HexaEight Serverless

How much does it cost to implement HexaEight Serverless?

After authenticating users with their Digital Tokens, HexaEight Serverless creates a first cookie that is good for one hour and costs $0.001 per authentication. 

The first hour cookie can be extended for another 30 days for an additional $0.001.  As a result, the total cost of authenticating a user and keeping them signed in for 30 days is $0.002 per user. 

Free Plan



Per Month

5 Cookie Sessions
per month
for FREE

Maximum 10
Requests Per Hour

Best for

Testing Purposes

Ultra Plan 


Per Month

10000 Cookie Sessions
per month
+ $0.002 each other

Max 100 Token
Requests per minute

Supports upto 100
Cookie Sessions per hour

Mega Plan


Per Month

$0.002 per
Cookie Session

Token Requests

Supports Unlimited
Cookie Sessions

By clicking Subscribe, you will be redirected to the World's Largest API Hub RAPID API, where you may subscribe to any of our plans. 
Any usage of the authentication endpoints to repeatedly decrypt the JSON Web Token will attract a charge of $0.001 per request.
Visit Our Documentation To learn more about the Endpoints available for use post authentication.

Ready To Integrate Our Authentication?

Subscribe to our Free Plan, Get an API Key and use Our Integration Guide To Seamlessly Integrate your Website Or Application Using HexaEight Serverless.


This QRCode

To Download Our
Mobile App From
Google Play Store


This QRCode

To Download Our
Mobile App From
Apple Play Store

Additional Questions?

If you have more questions feel free to Contact Us and we will be happy to help you.

Privacy Policy

Terms of Use

© Copyright 2024 HexaEight - All Rights Reserved
HexaEight Trademark is held by HexaEight. Various trademarks are held by their respective owners.