Authentication without the overhead. Canopy provides a full OAuth2 and OIDC implementation out of the box: hosted login, secure token issuance, and standards-based flows. Use it as your auth provider, or integrate it alongside your existing one.
Redirect users to Canopy for authentication. Login, registration, email verification, password reset, and session management are all handled. Your application receives a signed token and never handles passwords directly.
Canopy implements OAuth2 with PKCE, the recommended flow for modern applications. No client secrets exposed in the browser. Protection against authorization code interception. Compatible with SPAs and public clients.
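The PKCE exchange described above, as an added example in Python; it is not Canopy's code. `ToyAuthServer`, the client id, the redirect URI and the token string are hypothetical, constructed values. It shows the authorization code being bound to the client's `code_verifier`, so that a party who intercepts the code alone cannot redeem it.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), the RFC 7636 S256 method."""
    return b64url(hashlib.sha256(code_verifier.encode()).digest())

def new_pkce_pair():
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, inside the 43..128 range
    return verifier, s256(verifier)

class ToyAuthServer:
    """Hypothetical in-memory authorization server, for illustration only."""
    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        if method != "S256":                     # refuse "plain" and absent methods
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)      # single use: burned even on failure
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return None
        if not hmac.compare_digest(s256(code_verifier), entry[2]):
            return None
        return "constructed-access-token"

def demo():
    server = ToyAuthServer()
    app = ("spa-client", "https://app.example/callback")   # constructed values
    verifier, challenge = new_pkce_pair()
    code = server.authorize(*app, challenge, "S256")
    # Redeem attempt with the code but a guessed verifier (the interception case).
    stolen = server.token(*app, code, b64url(secrets.token_bytes(32)))
    replay = server.token(*app, code, verifier)             # code already consumed
    code2 = server.authorize(*app, challenge, "S256")
    legit = server.token(*app, code2, verifier)
    return stolen, replay, legit

if __name__ == "__main__":
    print(demo())
```

Consuming the code on the first redeem attempt, even a failed one, also means an intercepted code cannot be retried against the token endpoint.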
Access tokens are signed with asymmetric keys (RS256). Verify them locally using the public JWKS endpoint, with no round-trip to Canopy needed. Standard claims, standard libraries. Designed for high-performance applications.
Register OAuth clients through the dashboard or API. Configure redirect URIs, manage client credentials, and control authentication flows. Supports multiple OAuth clients per environment.
Authentication is just the entry point. Once authenticated, identities are scoped to an account, assigned roles within each environment, and evaluated against your permission model. Authentication and authorization stay consistent, with no mapping layer between systems and no duplication of user models.
Canopy doesn't force you into its authentication system. Use it for full authentication with OAuth and identity management. Integrate alongside your existing auth provider. Or use Canopy for authorization only. Adopt it at your own pace.