| Token | Purpose | Expiry | Storage |
|---|---|---|---|
| `tempToken` | OTP verification, flow state | 10 min | Memory only |
| `onboardingToken` | Onboarding step progression | 30 min | Memory only |
| `onboardingRefreshToken` | Refresh onboarding token | 24 hours | Secure storage |
| `accessToken` | API authentication | 1 hour | Secure storage |
| `refreshToken` | Get new access tokens | 30 days | Secure storage |
| `deviceVerificationToken` | New device verification | 10 min | Memory only |
| Step | Enum Value | What Happens | Metadata Provided |
|---|---|---|---|
| 1 | `INITIATED` | Account created, OTP sent | - |
| 2 | `OTP_VERIFIED` | OTP confirmed, ready for age | `firstName`, `lastName`, `profilePicture` (from OAuth) |
| 3 | `AGE_VERIFIED` | Age confirmed, names saved | `suggestedUsernames` (5 smart suggestions) |
| 4 | `USERNAME_SET` | Username chosen | - |
| 5 | `INTERESTS_SELECTED` | Interests saved | `firstName`, `lastName`, `username`, `suggestedDisplayName`, `profilePicture` |
| 6 | `COMPLETED` | Profile complete, tokens issued | - |
| Field | Type | Description |
|---|---|---|
| `success` | boolean | `true` for successful operations, `false` for errors |
| `httpStatus` | string | HTTP status name (OK, BAD\_REQUEST, NOT\_FOUND, etc.) |
| `message` | string | Human-readable message |
| `action_time` | string | ISO 8601 timestamp |
| `data` | object/string | Response payload or error details |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| identifier | string | Yes | Phone (+255...), email, or @username | Valid format |
| deviceId | string | Yes | Device fingerprint | Non-empty |
| deviceName | string | Yes | Human-readable device name | Non-empty |
| platform | string | Yes | Device platform | enum: `IOS`, `ANDROID`, `WEB` |
| Field | Description |
|---|---|
| tempToken | Temporary token for next step |
| maskedIdentifier | Masked phone/email for display |
| provider | Identifier type: `PHONE`, `EMAIL` |
| otpExpiresIn | OTP validity in seconds (600 = 10 minutes) |
| isNewUser | Whether this is a new registration |
| onboardingComplete | Whether user completed onboarding |
| currentStep | Current onboarding step |
| hasPassword | Whether user has set a password |
| requiresOtpChannelSelection | If true, user must choose OTP channel |
| availableChannels | List of available OTP channels |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| tempToken | string | Yes | Token from /auth/start | Valid JWT |
| otp | string | Yes | 6-digit OTP code | Exactly 6 digits |
| deviceId | string | No | Device fingerprint | - |
| deviceName | string | No | Human-readable device name | - |
| platform | string | No | Device platform | enum: `IOS`, `ANDROID`, `WEB` |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| tempToken | string | Yes | Token from /auth/start | Valid JWT |
| channel | string | Yes | Preferred OTP channel | enum: `EMAIL`, `PHONE` |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| provider | string | Yes | OAuth provider | enum: `GOOGLE`, `APPLE` |
| code | string | Yes | Authorization code | Non-empty |
| redirectUri | string | Yes | Redirect URI | Must match OAuth config |
| state | string | No | State for CSRF protection | - |
| deviceId | string | No | Device fingerprint | - |
| deviceName | string | No | Device name | - |
| platform | string | No | Device platform | enum: `IOS`, `ANDROID`, `WEB` |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| onboardingToken | string | Yes | Token from previous step | Valid JWT |
| firstName | string | Yes | User's first name | 1-50 characters |
| lastName | string | Yes | User's last name | 1-50 characters |
| birthDate | string | Yes | Date of birth | ISO date (YYYY-MM-DD), must be in past |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| onboardingToken | string | Yes | Token from previous step | Valid JWT |
| username | string | Yes | Chosen username | 3-30 chars, starts with letter, alphanumeric + underscore |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| onboardingToken | string | Yes | Token from previous step | Valid JWT |
| contactValue | string | Conditional | Email or phone to verify | Required only if `requiresInput = true` |
| Parameter | Type | Required | Description |
|---|---|---|---|
| onboardingToken | string | Yes | Current onboarding token |
| tempToken | string | Yes | Token returned from initiate endpoint |
| otp | string | Yes | 6-digit OTP code |
| Parameter | Type | Required | Description |
|---|---|---|---|
| onboardingToken | string | Yes | Current onboarding token |
| tempToken | string | Yes | Token from initiate endpoint |
| newContactValue | string | Yes | New email or phone number |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| onboardingToken | string | Yes | Token from previous step | Valid JWT |
| interestIds | array | Yes | List of category UUIDs | Min 3 items |
| Header | Type | Required | Description |
|---|---|---|---|
| X-Device-Id | string | No | Device fingerprint |
| X-Device-Name | string | No | Device name |
| X-Platform | string | No | `IOS`, `ANDROID`, or `WEB` |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| onboardingToken | string | Yes | Token from previous step | Valid JWT |
| displayName | string | Yes | Public display name | 1-50 characters |
| bio | string | No | User biography | Max 160 characters |
| profilePictureUrl | string | No | Profile picture URL | Valid URL |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| file | file | Yes | Profile picture file | Image files only, max 25MB |
| X-Onboarding-Token | header | Yes | Token from previous step | Valid onboarding JWT |
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| resetToken | string | Yes | Token from verify-otp | Valid JWT |
| newPassword | string | Yes | New password | Min 8 characters |
| confirmPassword | string | Yes | Confirmation | Must match newPassword |
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | `Bearer {accessToken}` |
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | `Bearer {accessToken}` |
| X-Session-Id | string | No | Current session ID |
| Parameter | Type | Required | Description |
|---|---|---|---|
| sessionId | string | Yes | Session UUID to revoke |
| Header | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Yes | `Bearer {accessToken}` |
| X-Device-Id | string | No | Current device ID |
| Parameter | Type | Required | Description |
|---|---|---|---|
| deviceId | string | Yes | Device record UUID |
| Parameter | Type | Required | Description |
|---|---|---|---|
| provider | string | Yes | `GOOGLE` or `APPLE` |
| HTTP Code | Status | Common Causes |
|---|---|---|
| 400 | BAD\_REQUEST | Invalid request data, item already exists |
| 401 | UNAUTHORIZED | Missing/invalid/expired token |
| 403 | FORBIDDEN | Invalid OTP, max attempts exceeded, blocked |
| 404 | NOT\_FOUND | Resource doesn't exist |
| 422 | UNPROCESSABLE\_ENTITY | Validation errors |
| 429 | TOO\_MANY\_REQUESTS | Rate limit exceeded |
| 500 | INTERNAL\_SERVER\_ERROR | Server error |
| Error Message | HTTP Code | Resolution |
|---|---|---|
| "Token has expired" | 401 | Refresh token or re-authenticate |
| "Invalid OTP code" | 403 | Re-enter correct code |
| "Maximum verification attempts exceeded" | 403 | Request new OTP |
| "This phone is blocked" | 400 | Contact support |
| "Account not found" | 404 | Check identifier |
| "Security alert: Token reuse detected" | 401 | Login again |
| "Login blocked: Too many failed attempts" | 400 | Wait or reset password |
| "You must be at least 13 years old" | N/A | Cannot use service |
| Aspect | iOS | Android | Web |
|---|---|---|---|
| **Key Storage** | Secure Enclave | StrongBox / TEE | Memory only |
| **Hardware Protected** | โ Yes | โ Yes | โ No |
| **Key Extractable** | โ Never | โ Never | N/A (ephemeral) |
| **Forgery Possible** | โ No | โ No | โ ๏ธ Harder |
| **Trust Level** | โญโญโญโญโญ | โญโญโญโญโญ | โญโญโญ |
| **Trust Duration** | 30 days | 30 days | 7 days |
| **Sensitive Actions** | Some without OTP | Some without OTP | ALWAYS OTP |
| Field | Description |
|---|---|
| `deviceId` | SHA256 hash of public key, prefixed with platform |
| `publicKey` | Base64-encoded ECDSA P-256 public key |
| `nonce` | Challenge from `/auth/challenge` |
| `timestamp` | Current time in milliseconds |
| `signature` | Sign(`nonce|timestamp|deviceId`, privateKey) |
| `platform` | `IOS`, `ANDROID`, or `WEB` |
| Field | Description |
|---|---|
| `publicKey` | Ephemeral public key (generated in memory) |
| `fingerprint` | Browser fingerprint hash |
| Field | Type | Purpose | Can Change? | Used In |
|---|---|---|---|---|
| `id` | UUID | Primary key | โ Never | DB relations |
| `systemUsername` | String | Internal identifier | โ Never | JWT tokens, internal APIs |
| `userName` | String | Public @handle | โ Yes | Profile URL, mentions, search, display |
| Auth Method Compromised | Can Attacker Access Account? |
|---|---|
| Password leaked | โ No - needs device OTP or phone OTP |
| Email hacked | โ No - sensitive actions need phone OTP |
| Google hacked | โ No - new device needs phone OTP |
| Apple hacked | โ No - new device needs phone OTP |
| Phone stolen (unlocked) | โ ๏ธ Partial - but needs password for sensitive actions |
| Phone + Password both | โ Yes - full access (this is expected) |
| Existing Account State | OAuth Provider | Action |
|---|---|---|
| Email verified + password | Google (same email) | Prompt to link |
| Email verified + no password | Google (same email) | Prompt to link |
| Email unverified | Google (same email) | Auto-link (Google verified it) |
| Phone only (no email set) | Google (new email) | Prompt to add email or create new |
| Email verified but different | Google (different email) | Create new account |
| Action | OTP Required? | Additional Verification |
|---|---|---|
| Change password | โ Phone OTP | Current password (if set) |
| Change email | โ Phone OTP | - |
| Change phone | โ Old phone OTP + New phone OTP | - |
| Link OAuth provider | โ Phone OTP | - |
| Unlink OAuth provider | โ Phone OTP | - |
| Delete account | โ Phone OTP | Password (if set) |
| View full payment methods | โ Phone OTP | - |
| Add payment method | โ No | - |
| Remove payment method | โ Phone OTP | - |
| Large purchase (>$100) | โ๏ธ Configurable | - |
| Export account data | โ Phone OTP | - |
| Change security settings | โ Phone OTP | Password (if set) |
| Provider | Can Signup? | Can Login? | Provides Email? | Provides Phone? | Trust Level |
|---|---|---|---|---|---|
| Phone + OTP | โ | โ | โ | โ | HIGH |
| Email + OTP | โ | โ | โ | โ | MEDIUM |
| Email + Password | โ (need OTP first) | โ | โ | โ | MEDIUM |
| Google OAuth | โ | โ | โ | โ | MEDIUM |
| Apple OAuth | โ | โ | โ (may be relay) | โ | MEDIUM |
| Password only | โ | โ (trusted device) | โ | โ | LOW |
| Code | HTTP Status | Description |
|---|---|---|
| `VALIDATION_ERROR` | BAD\_REQUEST | Request validation failed |
| `INVALID_OTP` | BAD\_REQUEST | OTP code is incorrect |
| `OTP_EXPIRED` | BAD\_REQUEST | OTP has expired |
| `INVALID_CREDENTIALS` | UNAUTHORIZED | Wrong password |
| `TOKEN_EXPIRED` | UNAUTHORIZED | Access token expired |
| `REFRESH_TOKEN_EXPIRED` | UNAUTHORIZED | Refresh token expired |
| `UNAUTHORIZED` | UNAUTHORIZED | Not authenticated |
| `FORBIDDEN` | FORBIDDEN | Not allowed |
| `USER_NOT_FOUND` | NOT\_FOUND | User doesn't exist |
| `ACCOUNT_EXISTS` | CONFLICT | Account already exists |
| `USERNAME_TAKEN` | CONFLICT | Username is taken |
| `PHONE_ALREADY_REGISTERED` | CONFLICT | Phone belongs to another account |
| `PHONE_TEMPORARILY_RESERVED` | CONFLICT | Phone claimed but unverified |
| `ACCOUNT_LOCKED` | LOCKED | Too many failed attempts |
| `RESEND_COOLDOWN` | TOO\_MANY\_REQUESTS | Wait before resending OTP |
| `RATE_LIMITED` | TOO\_MANY\_REQUESTS | Too many requests |
| `WEAK_PASSWORD` | UNPROCESSABLE\_ENTITY | Password doesn't meet requirements |
| `UNDERAGE` | UNPROCESSABLE\_ENTITY | User is under minimum age |
| `MIN_INTERESTS_REQUIRED` | UNPROCESSABLE\_ENTITY | Must have minimum interests |
| `MAX_INTERESTS_REACHED` | UNPROCESSABLE\_ENTITY | Maximum interests reached |
| `SERVER_ERROR` | INTERNAL\_SERVER\_ERROR | Internal server error |
| Action | Score | Notes |
|---|---|---|
| Explicitly selected (onboarding) | +100 | Base score for picked interests |
| View post | +1 | Quick glance |
| Like post | +3 | Shows interest |
| Comment on post | +5 | Higher engagement |
| Share post | +7 | Strong signal |
| Save/Bookmark | +5 | Wants to revisit |
| Follow user in category | +10 | Committed interest |
| View product | +2 | Shopping interest |
| Add to cart | +8 | Purchase intent |
| Purchase product | +15 | Strongest signal |
| View event | +2 | Curious |
| Attend event | +12 | Committed |
| Search term | +4 | Active seeking |
| Time spent (per 30sec) | +1 | Passive engagement |
| Scroll past quickly | -1 | Not interested |
| Hide/Not interested | -20 | Explicit dislike |
| Report content | -30 | Strong negative |
| User Action | System Tracks |
|---|---|
| Views post | `POST_VIEW` on post's categories |
| Likes post | `POST_LIKE` on post's categories |
| Comments on post | `POST_COMMENT` on post's categories |
| Shares post | `POST_SHARE` on post's categories |
| Saves post | `POST_SAVE` on post's categories |
| Views product | `PRODUCT_VIEW` on product's category |
| Adds to cart | `PRODUCT_CART` on product's category |
| Purchases | `PRODUCT_PURCHASE` on product's category |
| Views shop | `SHOP_VIEW` on shop's categories |
| Follows shop | `SHOP_FOLLOW` on shop's categories |
| Views event | `EVENT_VIEW` on event's categories |
| RSVPs to event | `EVENT_RSVP` on event's categories |
| Follows user | `USER_FOLLOW` on user's primary categories |
| Searches | `SEARCH` on matched categories |
| Scrolls past quickly | `SCROLL_PAST` (negative) |
| Clicks "Not interested" | `HIDE_CONTENT` (strong negative) |
| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/v1/admin/interests/categories` | Create category |
| GET | `/api/v1/admin/interests/categories` | List all (with stats) |
| PUT | `/api/v1/admin/interests/categories/{id}` | Update category |
| DELETE | `/api/v1/admin/interests/categories/{id}` | Deactivate category |
| PUT | `/api/v1/admin/interests/categories/reorder` | Reorder categories |
| GET | `/api/v1/admin/interests/categories/{id}/analytics` | Get analytics |
| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/v1/interests/categories` | Get active categories |
| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/v1/interests/me` | Get my interests |
| PUT | `/api/v1/interests/me` | Update all explicit |
| POST | `/api/v1/interests/me/{id}` | Add single interest |
| DELETE | `/api/v1/interests/me/{id}` | Remove single interest |
| POST | `/api/v1/interests/me/{id}/hide` | Hide category |
| DELETE | `/api/v1/interests/me/{id}/hide` | Unhide category |
| GET | `/api/v1/interests/me/hidden` | Get hidden list |
| Device Status | Last Activity | Password Set? | Action |
|---|---|---|---|
| New (unknown) | Never | Yes | OTP first โ then password โ trust device |
| New (unknown) | Never | No | OTP only โ trust device |
| Known trusted | < 30 days | Yes | Password only โ |
| Known trusted | < 30 days | No | Auto-login or OTP |
| Known trusted | > 30 days | Yes | OTP first โ then password โ re-trust |
| Known trusted | > 30 days | No | OTP โ re-trust |
| Known untrusted | Any | Any | OTP required |
| Any (suspicious) | Any | Any | OTP required + security alert |
| \# | Step | Applies To | Endpoint |
|---|---|---|---|
| 0 | OTP / OAuth entry | All | `/auth/start` + `/auth/verify` or `/auth/login/oauth` |
| 1 | Age & name | All | `/auth/onboarding/age` |
| 2 | Username | All | `/auth/onboarding/username` |
| 3 | Contact verify (PHONE) | Email + OAuth only | `/auth/onboarding/contact/initiate` + `/contact/verify` |
| 4 | Interests | All | `/auth/onboarding/interests` |
| 5 | Profile | All | `/auth/onboarding/profile` |
| Signup Method | Required Contact | Reason |
|---|---|---|
| Phone | Phone = real identity, M-Pesa already linked | |
| Phone (blocking) | Needed for M-Pesa payments | |
| Google / Apple | Phone (blocking) | OAuth gives email, phone still required for payments |
| Token | Expiry | Purpose |
|---|---|---|
| `onboardingToken` | 7 days | Active onboarding flow, resets each step |
| `onboardingRefreshToken` | 30 days | Safety net if token expires mid-flow |
| `accessToken` | Configured | Normal app access |
| `refreshToken` | Configured | Access token rotation |
| Input pattern | Detected as |
|---|---|
| Starts with `+` | Phone |
| Contains `@` + domain | |
| Otherwise | Username |
| Login Method | New Device Action | Reason |
|---|---|---|
| OTP | None | OTP = already verified |
| Password | Require OTP | Password could be stolen |
| OAuth | Require OTP | Token could be compromised |
| Signal | Low Risk | High Risk |
|---|---|---|
| Location | Same country | New country |
| Device | Similar OS | Different OS |
| IP | Normal | VPN / Proxy |
| Account | Active | Dormant |
| Time | Normal hours | Unusual hours |
| Path | Steps |
|---|---|
| Phone | OTP โ Age โ Username โ Interests โ Profile โ Home |
| OTP โ Age โ Username โ **Verify Phone** โ Interests โ Profile โ Home | |
| OAuth | Authorize โ Age โ Username โ **Verify Phone** โ Interests โ Profile โ Home |
| Has Password? | Options |
|---|---|
| No | OTP only |
| Yes | Choose: OTP or Password |
| Login Method | New Device Action |
|---|---|
| OTP | None (OTP = verification) |
| Password | OTP required |
| OAuth | OTP required |
| Feature | Requires Email? | Behaviour |
|---|---|---|
| Browse feed | No | Free |
| Buy ticket | No | Free |
| Receive ticket via email | Yes | Nudge to add email |
| Account recovery | Yes | Nudge to add email |
| Principle | Implementation |
|---|---|
| Passwordless default | OTP-based, password optional (add later in settings) |
| Device trust | Hardware-bound keys (mobile), fingerprint (web) |
| Risk-based | Dynamic verification based on risk score |
| Age-gated | 18+ full access, tiered restrictions below |
| Has Password? | Login Options |
|---|---|
| No | OTP only (passwordless) |
| Yes | Choose: OTP or Password |
| Login Method | New Device Handling |
|---|---|
| OTP | None needed โ OTP is verification |
| Password | OTP required on new device |
| OAuth | OTP required on new device |
| Platform | Method | Trust Level |
|---|---|---|
| iOS | Secure Enclave key pair | โญโญโญโญโญ High |
| Android | StrongBox/TEE Keystore | โญโญโญโญโญ High |
| Web | Fingerprint + session key | โญโญโญ Medium |
| Signal | Low (0) | Medium | High |
|---|---|---|---|
| Location | Same city | Same country (+10) | New country (+25) |
| Device | Known (0) | Similar OS (+10) | New OS (+20) |
| IP | Normal ISP (0) | Different ISP (+10) | VPN/TOR (+30) |
| Time | Normal hours (0) | Unusual (+10) | 2-5 AM (+15) |
| Failed attempts | None (0) | 1-2 (+10) | 3+ (+25) |
| Velocity | Normal (0) | Multiple (+15) | Rapid (+30) |
| Device signature | Valid (-20) | Missing (+15) | Invalid (+40) |
| Score | Risk Level | Action |
|---|---|---|
| 0-30 | ๐ข Low | Allow |
| 31-60 | ๐ก Medium | Soft verify (email link) |
| 61-85 | ๐ด High | Phone OTP required |
| 86-100 | โ Critical | Block + alert user |
| Age | Access Level |
|---|---|
| 18+ | Full access |
| 13-17 | Restricted (no purchases, filtered content) |
| Under 13 | Blocked (COPPA) |
| Account Age | Allowed Changes |
|---|---|
| Day 0 (today) | 5 changes |
| 1-30 days | 1 per month |
| 1-12 months | 1 per month |
| 12+ months | 1 per year |
| SYSTEM accounts | Never |
| Type | Examples | Username Change |
|---|---|---|
| NORMAL | Regular users | Limited (above) |
| SYSTEM | @nextgate, @admin, @support | Never |
| VERIFIED | @nike, @cocacola | Requires approval |
| Action | What It Does | Requires |
|---|---|---|
| Sign out | Current device only | Nothing |
| Sign out others | All except current | OTP/Password |
| Sign out all | Everything | OTP/Password |
| Endpoint | Purpose |
|---|---|
| `POST /auth/signup/initiate` | Start signup (phone/email) |
| `POST /auth/signup/verify-otp` | Verify OTP |
| `POST /auth/signup/age` | Submit birthdate |
| `POST /auth/signup/username` | Set username |
| `POST /auth/signup/interests` | Select interests |
| `POST /auth/signup/profile` | Complete profile (optional) |
| Endpoint | Purpose |
|---|---|
| `POST /auth/login/initiate` | Start login |
| `POST /auth/login/otp` | Login with OTP |
| `POST /auth/login/password` | Login with password |
| `GET /auth/challenge` | Get nonce for device signing |
| Endpoint | Purpose |
|---|---|
| `POST /auth/device/register` | Register device (public key) |
| `POST /auth/device/verify` | Verify new device OTP |
| `GET /auth/devices` | List trusted devices |
| `DELETE /auth/devices/{id}` | Revoke device |
| Endpoint | Purpose |
|---|---|
| `GET /auth/sessions` | List active sessions |
| `POST /auth/sign-out` | Current device |
| `POST /auth/sign-out-others` | All except current |
| `POST /auth/sign-out-all` | Everything |
| Entity | Purpose |
|---|---|
| `DeviceKey` | Hardware-bound public keys |
| `UserSession` | Active sessions |
| `LoginAttempt` | Risk scoring data |
| `BlockedUser` | Blocked identifiers/devices |
| `InterestCategory` | Admin-managed interests |
| `UserInterest` | User selections |
| `UsernameChangeHistory` | Track changes |
| Field | Change |
|---|---|
| `password` | Make nullable |
| `birthDate` | Add |
| `displayName` | Add |
| `accountType` | Add (NORMAL, SYSTEM, VERIFIED) |
| `accountTier` | Add (FULL, RESTRICTED, MINOR) |
| `authProvider` | Add (PHONE, EMAIL, GOOGLE, APPLE) |
| `onboardingStep` | Add |
| `usernameLastChangedAt` | Add |
| `usernameChangeCount` | Add |
| Login Method | Known Device | New Device |
|---|---|---|
| OTP | โ Home | โ Home (OTP is verification) |
| Password | โ Home | โ OTP required โ Home |
| OAuth | โ Home | โ OTP required โ Home |
| Action | When | Where |
|---|---|---|
| Device Registration | First app launch (before any auth) | Mobile only |
| Web Session Init | First visit (before any auth) | Web only |
| Risk Scoring | After credentials verified, before home | Login only |
| Device Verification OTP | After risk score (if needed) | Login only (new device + password/OAuth) |
| Scenario | Challenge? | Signature Validated? |
|---|---|---|
| **Signup** | โ No | โ No (device not registered yet) |
| **Login - Known device (mobile)** | โ Yes | โ Yes (must match) |
| **Login - Known device (web)** | โ Yes | ๐ก Fingerprint checked |
| **Login - Unknown device** | โ Yes | โ No pubkey stored yet |
| Step | Signup | Login |
|---|---|---|
| Device key generation | โ Before auth (app launch) | โ Before auth (app launch) |
| OTP verification | โ To verify phone/email | โ As login method OR device verify |
| Age gate | โ After OTP | โ Not needed |
| Username | โ Required | โ Not needed |
| Interests | โ Required | โ Not needed |
| Risk scoring | โ Not needed (new account) | โ After credentials verified |
| Device verification OTP | โ Not needed (first device) | โ If new device + high risk |
| Device registration | โ End of onboarding | โ After device verification |
| Action | What It Does | Requires |
|---|---|---|
| **Sign out** | End current session | Nothing |
| **Sign out other devices** | End all except current | OTP or Password |
| **Sign out all devices** | End everything | OTP or Password |
| Endpoint | Purpose |
|---|---|
| `POST /auth/sign-out` | Current device |
| `POST /auth/sign-out-others` | All except current |
| `POST /auth/sign-out-all` | Everything |
| `DELETE /auth/sessions/{id}` | Specific session |
| Feature | NextGate | Twitter/X | Banking Apps | ||
|---|---|---|---|---|---|
| Passwordless default | โ Yes | โ No | โ No | โ Yes | ๐ก Some |
| Hardware-bound keys | โ Yes | โ No | โ No | โ No | โ Yes |
| Risk-based auth | โ Yes | ๐ก Basic | ๐ก Basic | โ No | โ Yes |
| Device trust | โ Advanced | ๐ก Basic | ๐ก Basic | ๐ก Basic | โ Advanced |
| Impossible travel detection | โ Yes | ๐ก Limited | ๐ก Limited | โ No | โ Yes |
| Session management | โ Full | โ Full | โ Full | ๐ก Limited | โ Full |
| Age verification | โ Tiered | ๐ก Basic | ๐ก Basic | โ No | โ Yes |
| Username change limits | โ Smart | ๐ก 14 days | ๐ก Limited | โ N/A | โ N/A |
| 2FA options | โ OTP | โ OTP/App | ๐ฐ Paid | โ No | โ Multiple |
| Over | Advantage |
|---|---|
| Instagram/Twitter | Hardware-bound device keys, passwordless default |
| Multi-identifier login, risk scoring, age gates | |
| Basic apps | Challenge-response auth, impossible travel detection |
| Feature | Impact | Effort |
|---|---|---|
| Passkeys/WebAuthn | +0.5 rating | Medium |
| Backup codes | +0.2 rating | Low |
| Breach monitoring | +0.2 rating | Low |
| ML anomaly detection | +0.3 rating | High |