Email + password is the default sign-in method. It's enabled the moment you create an application — no extra configuration required to ship a working login flow.
```bash
# A user signs up via Universal Login — no API call needed from your side.
# Optionally, configure the policy programmatically:
curl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/auth/password \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "policy": {
      "minLength": 12,
      "requireUppercase": true,
      "requireNumber": true,
      "requireSymbol": false
    },
    "mfaRequirement": "optional"
  }'
```
Open Dashboard → Application → Authentication → Password, or call the policy endpoint above.
Whether this config is shared across every tenant or scoped per tenant is controlled by the Isolated Auth Stack switch on Settings → General → Tenant Customization. With Shared auth (the default), one password policy applies to every tenant. With Isolated auth, the Authentication tab shows a tenant picker and each tenant gets its own policy.
Pick a preset (good, excellent, fair) or custom. Presets are recalibrated against current best practice; custom exposes every knob below.
| Setting | Description |
|---|---|
| Minimum length | Default 12. Values below 8 are rejected outright. |
| Maximum length | Default 128. Set it high enough to allow passphrases; lower it only if a downstream system truly can't handle longer values. |
| Require uppercase / lowercase / numbers / special characters | One independent boolean per character class. Requiring one or two classes is friendlier than mandating all four; length and the breach check do more for strength than composition rules. |
| Check password breach | Validates against the HaveIBeenPwned k-anonymity API. Only the first 5 hex characters of the SHA-1 hash leave your infrastructure. |
| Password history count | How many previous passwords are remembered to prevent re-use. Default 5; 0 disables history. |
| Password reset token expiry | How long a reset code remains valid, in minutes. Default 60. |
| Require old password on reset | When true, the reset flow also asks for the current password. Useful when the "forgot password" entrypoint is being used as a password-change flow; note that it also blocks users who genuinely no longer know their password. Default false. |
| MFA requirement | disabled, optional (user opts in) or required (cannot sign in without it). See the MFA page for the full enforcement options. |
| Account lockout | Failed-attempt threshold and lockout duration. Defaults: 5 attempts, then locked for 15 minutes. Keep the duration short: anyone who knows a username can trigger the lockout deliberately. |
| Session policy | Idle timeout, max session duration and concurrent-session limit. Configured in Authentication Settings. |
| Signup | Open, invitation-only or domain-allowlist. Configured on the Signup page. |
Any setting changed in the dashboard is reflected immediately — no redeploy.
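The rules above, evaluated in code. This is an added example, not Authaz's implementation: it mirrors the policy knobs so you can run the same checks in a signup form before the request reaches the service. Previous passwords are modelled as salted PBKDF2 hashes, which is an assumption made for illustration; the service's own history storage is not described on this page.

```python
"""Evaluate a password against the policy knobs above.

Added example, not Authaz code. Previous passwords are modelled as salted
PBKDF2 hashes (an assumption for illustration; the service's own history
storage is not described on this page).
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class PasswordPolicy:
    min_length: int = 12           # the service rejects anything below 8 outright
    max_length: int = 128          # keep high so passphrases fit
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_number: bool = True
    require_symbol: bool = False
    history_count: int = 5         # 0 disables history


HistoryEntry = tuple  # (salt: bytes, digest: bytes)


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 of the password, returned as (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True if the password equals any stored entry (constant-time compare per entry)."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(password: str, policy: PasswordPolicy,
             history: Sequence[HistoryEntry] = ()) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    # Length counts code points, so non-ASCII passphrases are not penalised for byte size.
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")

    # One independent boolean per character class, as in the policy table.
    # Symbol detection is limited to ASCII punctuation here.
    classes = [
        ("uppercase", policy.require_uppercase, str.isupper),
        ("lowercase", policy.require_lowercase, str.islower),
        ("number", policy.require_number, str.isdigit),
        ("symbol", policy.require_symbol, lambda c: c in string.punctuation),
    ]
    for name, required, present in classes:
        if required and not any(present(c) for c in password):
            problems.append(f"no {name} character")

    # Only the most recent `history_count` entries are consulted; 0 disables the check.
    recent = list(history)[-policy.history_count:] if policy.history_count > 0 else []
    if matches_history(password, recent):
        problems.append(f"reused one of the last {policy.history_count} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    previous = [hash_for_history("CorrectHorse42")]   # constructed history entry
    print(evaluate("short", policy))
    print(evaluate("CorrectHorse42", policy, previous))
    print(evaluate("battery-staple-Tuesday-7", policy, previous))
```

`evaluate` returns every violated rule rather than stopping at the first, so a form can show the user all of them at once; the history slice shows why `history_count` 0 is a true off switch and not "remember zero, then compare".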
When MFA is required or the user opts in, they register a TOTP authenticator (Google Authenticator, 1Password, Authy, etc.) on their first signed-in visit:
1. Authaz shows a QR code and a base-32 secret.
2. The user scans it and enters the rolling 6-digit code to confirm.
3. Authaz issues a set of emergency recovery codes. Show them to the user once, never again.
On every subsequent login, Universal Login prompts for the TOTP code after the password step. Recovery codes work as a backup.
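The enrolment and verification just described, as an added example written for this page (it is not Authaz's code). It generates the base-32 secret and the otpauth URI that the QR code encodes, computes the rolling six-digit code exactly as the authenticator app does (RFC 4226 / RFC 6238), verifies it with a one-step drift window and replay protection, and issues single-use recovery codes. The issuer and account names are placeholders.

```python
"""TOTP enrolment, verification and recovery codes (RFC 4226 / RFC 6238).

Added example, not Authaz code. Issuer and account names are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

PERIOD = 30   # seconds per step, the default every authenticator app assumes
DIGITS = 6


def new_secret(nbytes: int = 20) -> str:
    """Random 160-bit secret, base-32 encoded: the string shown next to the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """The URI the QR code encodes; apps read secret, issuer, algorithm, digits and period from it."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^DIGITS."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: Optional[float] = None) -> str:
    """The code the user's app displays at Unix time `at` (now by default)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // PERIOD))


def verify_totp(secret: str, code: str, at: Optional[float] = None,
                window: int = 1, last_step: int = -1):
    """Server-side check.

    Accepts the current step and +/- `window` neighbours to tolerate clock drift,
    but never a step at or below `last_step`, so a captured code cannot be replayed
    inside the window. Returns (ok, step_to_persist).
    """
    at = time.time() if at is None else at
    now = int(at // PERIOD)
    for step in range(now - window, now + window + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_step


def new_recovery_codes(n: int = 8):
    """Return (plaintext codes to show once, SHA-256 digests to store)."""
    plain = [secrets.token_hex(8) for _ in range(n)]
    return plain, {hashlib.sha256(c.encode()).hexdigest() for c in plain}


def use_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code; False if unknown or already used."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)   # single use
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret "12345678901234567890" at t=59 gives 287082.
    rfc_secret = base64.b32encode(b"12345678901234567890").decode()
    print(otpauth_uri(rfc_secret, "alice@example.com", "Authaz Demo"))
    print(totp(rfc_secret, at=59), verify_totp(rfc_secret, "287082", at=59))
```

Persist the `step` that `verify_totp` returns and pass it back as `last_step` on the next login; without that, the drift window also becomes a replay window for anyone who shoulder-surfed the code within the last minute.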
Reset MFA for a user (e.g. they lost their phone). This removes the second factor entirely, and a "lost phone" request is a common pretext for account takeover, so verify the user's identity out of band before calling it:
```bash
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/mfa/reset \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
If you enable breach detection in the policy, every signup and password reset is checked against the HaveIBeenPwned k-anonymity API. Authaz only sends the first 5 hex characters of the SHA-1 hash, so the plaintext never leaves your infrastructure. Compromised passwords are rejected with:
```json
{
  "error": "password_breached",
  "message": "This password has appeared in a known data breach."
}
```
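What the k-anonymity check sends and what it keeps local, as an added example (not Authaz's code). The HTTP call is injected as `fetch_range`, so the example runs offline against a constructed response body whose counts are invented; `fetch_range_live` is the only function that talks to HaveIBeenPwned, and the recorded prefixes make the "only 5 hex characters leave" claim checkable.

```python
"""HaveIBeenPwned k-anonymity range check.

Added example, not Authaz code. The HTTP call is injected as `fetch_range`
so the example runs offline against CONSTRUCTED_RESPONSE (made-up counts);
`fetch_range_live` is the only function that talks to the real API.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response for the prefix 5BAA6. Real responses hold several hundred
# lines; the suffixes and counts here (other than the one for "password") are invented.
CONSTRUCTED_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4D9F2A0C67D5F80C3A8C2E4F9B1C0D7A2:0
"""

SENT_PREFIXES = []   # records what left the process, so the privacy claim can be checked


def split_hash(password: str):
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Each line is SUFFIX:COUNT. Padding lines (count 0) are harmless: 0 means 'not breached'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for the API: records the prefix and returns the constructed body."""
    SENT_PREFIXES.append(prefix)
    return CONSTRUCTED_RESPONSE


def fetch_range_live(prefix: str) -> str:
    """Real query. Add-Padding asks HIBP to pad the body so its size does not reveal the range."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "authaz-docs-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in HIBP; 0 means not found."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)           # only the 5-char prefix leaves the machine
    return parse_range(body).get(suffix, 0)


def check_password(password: str, fetch_range: Callable[[str], str]):
    """None if acceptable, otherwise the same error shape the service returns."""
    if breach_count(password, fetch_range):
        return {"error": "password_breached",
                "message": "This password has appeared in a known data breach."}
    return None


if __name__ == "__main__":
    print(split_hash("password"))
    print(check_password("password", fetch_range_constructed))
    print("sent:", SENT_PREFIXES)
```

Swap `fetch_range_constructed` for `fetch_range_live` to query the real service; the matching happens on the full 35-character suffix locally, which is why neither the password nor its full hash ever leaves the process.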
```bash
# Block sign-in (does not delete data)
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/suspend \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# Allow sign-in again
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/activate \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# Force logout from every device, immediately
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/sessions/revoke \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
Suspended users can no longer sign in or refresh tokens; existing sessions remain valid until their access tokens expire (default 15 min). Pair with sessions/revoke if you need an immediate logout.