BlackWall is a production-grade authorisation server designed to handle identity and access properly in modern applications. At its core, it combines OAuth 2.1 and OpenID Connect with WebAuthn-only sign-in, so users authenticate with security keys or platform authenticators instead of passwords. The result is a system built around phishing-resistant login, strong tenant isolation, and auditable control over who can access what.
BlackWall is not just a token issuer. It is a complete identity and authorisation layer for teams running multiple projects and multiple client applications. It provides dedicated OAuth login and consent flows, user and project management, privilege assignment, token issuance and validation support, and detailed audit trails. It also includes a secure encrypted sharing feature called Cryptbin for no-account secret and file exchange.
Users do not log in with usernames and passwords. They complete a WebAuthn challenge using a hardware security key or a platform authenticator. This challenge-response process proves possession of a registered credential without exposing reusable secrets to phishing pages or credential stuffing attacks.
Client applications redirect users into BlackWall's dedicated OAuth login and consent path. After successful authentication, users can approve or deny requested scopes. If approved, the client receives an authorisation code and exchanges it for access tokens (and ID tokens when OIDC scopes are used). PKCE is enforced, so intercepted codes cannot be redeemed without the original verifier.
BlackWall can issue JWT or opaque tokens. Either way, token claims include project and privilege context so downstream services can make clear authorisation decisions. This avoids brittle role mapping in every app and keeps access control tied to a central source of truth.
JWT clients can validate signatures against published keys. Opaque-token clients can use introspection to verify active status and retrieve claims. Token revocation is supported to invalidate credentials early when required by incident response, user offboarding, or policy changes.
BlackWall is built for multi-project operation. Users are assigned per project, and each project has its own privilege model. OAuth clients are tied to projects, and authorisation decisions are constrained to that context. This model sharply reduces accidental cross-project access and keeps authority boundaries explicit.
BlackWall separates concerns with dedicated surfaces:
This separation helps avoid role confusion and supports safer operational practice. Admin activity, consent decisions, and token events are observable and attributable.
Alongside identity, BlackWall provides Cryptbin: a no-account encrypted sharing workflow for text and files. Encryption is client-side using AES-256-GCM, and the item key is held in the URL fragment, which browsers do not send with the request, so it does not reach the server by default. The server stores ciphertext and metadata, not plaintext.
High-risk operations such as wrap, unwrap, update, and delete are protected with short-lived, operation-bound WebAuthn challenges. This creates a second barrier around secret handling and reduces the risk of misuse even if someone obtains a link without the required authenticator context.
Because authentication is WebAuthn-only, BlackWall eliminates password reuse and most credential phishing patterns. Attackers cannot replay captured passwords because there are none.
Mandatory PKCE, exact redirect URI checks, and token handling controls reduce common OAuth abuse paths such as code interception, open redirect abuse, and lax client validation.
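As an added example (not BlackWall's own code), here is a stdlib-only Python sketch of the PKCE and exact redirect-URI checks a token endpoint enforces, using hypothetical function names and an in-memory dictionary as a stand-in for the server's code store. It shows why an intercepted authorisation code is useless without the original verifier, and why a code is consumed on its first redemption attempt.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the server's authorisation-code store
# (hypothetical; not BlackWall's storage). Maps code -> pending grant.
_pending_codes = {}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def issue_code(client_id: str, redirect_uri: str, code_challenge: str, method: str) -> str:
    """Server side (authorisation endpoint): bind a fresh code to the client,
    the exact redirect URI and the S256 challenge. 'plain' is refused."""
    if method != "S256":
        raise ValueError("only code_challenge_method=S256 is accepted")
    code = b64url(secrets.token_bytes(32))
    _pending_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "challenge": code_challenge,
    }
    return code


def redeem_code(code: str, client_id: str, redirect_uri: str, code_verifier: str) -> bool:
    """Server side (token endpoint): single use, exact redirect_uri match,
    and the presented verifier must hash to the challenge stored with the code."""
    # Consume the code on the first attempt, successful or not, so an
    # intercepted code cannot be retried against many candidate verifiers.
    grant = _pending_codes.pop(code, None)
    if grant is None:
        return False
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return False
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, grant["challenge"])
```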
Project isolation and scoped privileges ensure that access is bounded. If one account or client is compromised, controls help contain impact to the relevant project context rather than exposing everything.
Security-relevant events are logged with correlation context, including authentication outcomes, token actions, admin changes, and policy failures. This supports rapid investigation, clearer accountability, and better incident response.
Rate limiting, CSRF defenses, approval workflows, and WebAuthn-gated critical operations add layered controls so a single mistake or stolen session has less chance of turning into a full compromise.
BlackWall delivers a practical, security-first identity platform: passwordless authentication, standards-compliant OAuth and OIDC, project-aware authorisation, and high-visibility operations. It is built to make secure access decisions predictable, enforceable, and observable across real-world application estates.