Rolling your own auth is where a lot of small apps quietly go wrong — a missing CSRF check here, a plaintext password there. So onvibe now does it for you, at the edge, before a single request reaches your code.
Choose a policy, done
Every app has an access policy: public (no login), signup (open registration) or allowlist (only approved emails). Flip it and the platform starts gating access for you — serving the login and sign-up pages, sessions, password reset and CSRF protection, all from the edge.
Because the check happens at the edge, unauthenticated traffic never even wakes your app's machine — bots bouncing off your login page cost you nothing.
The identity, delivered safely
Inside your app, currentUser() returns the signed-in end-user. The identity is injected and signed with your app's secret, so a neighbouring app on the internal network can't forge it. You just read who's calling and get on with your feature.
Manage everyone from one place
Create, import, update and remove users from the dashboard or over MCP, with bcrypt hashing and login rate-limiting built in. There's even a shared-password mode when you simply want to put a whole app behind one password for a while.
The result: real accounts — the kind your users expect — without a single line of auth code in your app.