Users expect intuitive, secure functionality not just in one key area, but across the application. Stormpath gives you best-in-class user management and authentication through a developer-friendly, secure REST+JSON API. In addition to authenticating users with a single call, Stormpath handles access control, password security, group management, and security workflows like user registration, email account verification and password resets.
Stormpath helps developers by providing a consistent, familiar, reusable user management API for both internal & external applications, across different platforms, application frameworks and programming languages.
Focus on the features your users love and the functionality that will drive your business. You don’t need to be an expert in authentication and encryption to create a trusted front door to your application. That’s what Stormpath is for.
Stormpath automates your user authentication securely with one simple API call -- no code maintenance, certificate management, or workflows to build.
Here’s how it works:
- Collect a user's username (or email) and password
- Post the encoded data to Stormpath over HTTPS, either directly to the API or through one of our SDKs
- We return a 200 success result (or a human-readable error) to your application, with a link to the account's resource URL.
Stormpath allows you to create and store any number of user accounts. Assign your users to groups or associate entire user stores with one or many applications.
There is no cap on the number of accounts you can add or the number of directories you can create, and we don’t charge per user. For one monthly subscription, your user management can be as complex or as simple as you need it to be, and all of it is accessible and manageable via both the API and our admin console.
Stormpath supports role-based access control through the 'group' resource. Simply assign an account to the appropriate group(s) via our API or admin console. You can then design privileges in your application around specific roles such as users and admins.
With Stormpath, your applications have full access to all of your group data, but you don't have to build out and maintain custom data models or management logic. Stormpath can automatically limit who can log into your applications based on their directory or group memberships. Stormpath also helps you prioritize those login sources with a simple drag-and-drop interface in our admin console.
Stormpath can allow your users to log into all your applications using the same credentials by connecting multiple applications to shared directories. No matter how many user directories you have, you can configure Stormpath to allow your application to see all your directories as a single user store. In addition to creating a unified user-experience, centralized authentication makes provisioning, disabling, and managing a user simple for admins.
Stormpath takes password security very seriously: we use SHA-512 and HMAC algorithms with large, secure, randomly generated salts. We add computational complexity to the hashing process to make it cost prohibitive for an attacker to breach even a single password. We also use other techniques, like authenticating requests with HMAC digests and advanced key derivation algorithms. It would effectively take an enormous amount of computing power to crack even a single Stormpath-secured password.
Additionally, Stormpath helps encourage strong password security for your own users with built-in enforcement options like minimum password length and required special characters.
Automated password reset, account registration, and verification workflows boost the security of your application. With Stormpath, they come standard. Ensure passwords are reset in a secure way and verify new user accounts without a single line of code. You can also customize workflow emails with your own branded HTML. Stormpath operates behind the scenes so your users only see your application and your brand.
While Stormpath offers a robust REST+JSON API to manage users programmatically, you can also manage your applications and login sources through our intuitive admin console. It’s simple to use, and friendly even for non-technical admins.
Stormpath also securely mirrors on-premises LDAP to a cloud directory, so you can authenticate users without dealing with the firewall. Applications can easily leverage user stores in existing LDAP installations by using Stormpath as an intermediary. An agent installed behind the corporate firewall securely synchronizes LDAP to a Stormpath cloud directory through outbound push updates, so no inbound firewall rule is required. Your applications can then access your users via our secure, developer-friendly REST API. Stormpath supports communication with any directory server that uses the LDAP v3 protocol, including OpenLDAP, ApacheDS, Solaris LDAP, Novell eDirectory, and Red Hat DS.
Great application security can be extremely time consuming, even for world-class teams. Out of the box, Stormpath defaults your user management to security best practices: the best hashing and encryption algorithms, secure user workflows, strong policies and procedures.
- Our servers are administered using public-key, multi-factor authentication
- Communication with end users is encrypted with 256-bit AES extended validation SSL
- High-entropy password security with strong hashing and salting
- Multi-tenant architecture securely virtualizes separate tenants for every customer.
Because user management is a mission-critical component of your application, we go to great lengths to ensure availability:
- Highly available, clustered data store with double or triple redundancy
- Low latency, multi-zone infrastructure on Amazon Web Services
Stormpath was built to handle massive scale, and is capable of handling millions of users per application, without scaling your project costs, load times or maintenance overhead.
We use advanced authorization with every request to provide full end-to-end data protection and ensure your data is never tampered with. We also carefully maintain data security in database maintenance processes, such as backups.
Remember, your user data is always yours. If at any point you choose to migrate off Stormpath, exporting and deleting your data is easy. You can pull your data via API, and if requested, we will permanently delete your tenant, including all your user data, from our system.
Integrating Stormpath with your application is simple. Here are the basic steps to get up and running:
- Register with Stormpath for free
- Create your API key to authenticate all your calls to the Stormpath API
- Configure your REST client for HTTPS authentication and JSON, or install one of our SDKs
- Create your directories in Stormpath
- Register your applications
- Add accounts and start authenticating