Identity & MFA.
MeltyBase treats identity as the primary security perimeter. Our independent authentication stack provides enterprise-grade protection, from biometric handshakes to hardware-enforced multi-factor authentication.
AAL2 Enforcement
MeltyBase implements the Authenticator Assurance Level 2 (AAL2) standard. High-risk administrative actions—including billing management, license rotation, and production schema merges—require a verified AAL2 challenge.
// AAL2 Middleware Enforcement
import "net/http"

// RequireAAL2 wraps a handler and rejects any request whose verified session
// claims do not carry the "aal2" level. The claims are placed in the request
// context by the upstream authentication middleware; GetUserFromContext is
// MeltyBase's own helper for reading them back.
func RequireAAL2(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims := GetUserFromContext(r.Context())
		if claims.AAL != "aal2" {
			http.Error(w, "MFA required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
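The following is an added, self-contained example (not MeltyBase's own code) showing the middleware above wired to a hypothetical Claims type and context helper, and driven with an in-memory request so its fail-closed behaviour can be checked. The Claims struct, the context key and the route path are assumptions; the page only specifies the "aal2" claim value.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Claims is a hypothetical stand-in for the session claims MeltyBase's
// authentication layer would place in the request context (assumed shape).
type Claims struct {
	Subject string
	AAL     string // "aal1" or "aal2"
}

type ctxKey struct{}

// WithClaims attaches verified claims to a context, as an upstream
// authentication middleware would after validating the session.
func WithClaims(ctx context.Context, c *Claims) context.Context {
	return context.WithValue(ctx, ctxKey{}, c)
}

// GetUserFromContext returns nil when the request carries no verified session.
func GetUserFromContext(ctx context.Context) *Claims {
	c, _ := ctx.Value(ctxKey{}).(*Claims)
	return c
}

// RequireAAL2 fails closed: a missing session and a session below AAL2 are
// both rejected, so the protected handler never runs without a verified
// MFA challenge.
func RequireAAL2(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims := GetUserFromContext(r.Context())
		if claims == nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if claims.AAL != "aal2" {
			http.Error(w, "MFA required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeAAL2 sends one in-memory request through the middleware and returns
// the resulting status code (constructed route, no real server needed).
func ProbeAAL2(claims *Claims) int {
	protected := RequireAAL2(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/admin/billing", nil)
	if claims != nil {
		req = req.WithContext(WithClaims(req.Context(), claims))
	}
	rec := httptest.NewRecorder()
	protected.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(ProbeAAL2(nil))                                   // 401
	fmt.Println(ProbeAAL2(&Claims{Subject: "u1", AAL: "aal1"})) // 403
	fmt.Println(ProbeAAL2(&Claims{Subject: "u1", AAL: "aal2"})) // 200
}
```

The nil check is the point of the wrapper: an unauthenticated request must not reach the claim comparison at all, otherwise a missing session dereferences nil and the failure mode is a panic rather than a clean rejection.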
WebAuthn & Biometrics
Eliminate password-based vulnerabilities with native WebAuthn (FIDO2) support. Users can authenticate using biometric hardware including TouchID, FaceID, and physical security keys (e.g. YubiKey).
TouchID / FaceID
Direct biometric handshake between the browser and your MeltyBase Hub.
Hardware Keys
Support for physical FIDO2 tokens for air-gapped or high-security environments.
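As an added example of what the server side of the "biometric handshake" verifies, here is the relying-party check of the clientDataJSON that a browser signs over in a WebAuthn assertion: ceremony type, challenge freshness and origin binding, the last of which is what makes a FIDO2 credential unusable from a look-alike site. This is generic WebAuthn logic written for this page, not MeltyBase Hub's implementation; the Hub origin and the demo builder are assumptions, and signature verification of authenticatorData over the stored public key is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser produces during a
// WebAuthn ceremony (field names as defined by the WebAuthn specification).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewChallenge returns 32 random bytes; the relying party stores them against
// the pending ceremony and discards them after a single use.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// VerifyClientData performs the relying-party checks on clientDataJSON for an
// assertion (login). The challenge is compared in constant time against the
// value issued for this session, and the origin must be one the Hub expects.
func VerifyClientData(raw []byte, expectedChallenge []byte, allowedOrigins []string) error {
	var cd clientData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil {
		return errors.New("challenge is not base64url")
	}
	if subtle.ConstantTimeCompare(got, expectedChallenge) != 1 {
		return errors.New("challenge mismatch (stale, replayed, or wrong session)")
	}
	for _, o := range allowedOrigins {
		if cd.Origin == o {
			return nil
		}
	}
	return errors.New("origin not allowed: " + cd.Origin)
}

// DemoClientData builds a constructed clientDataJSON the way a browser would,
// so the checks can be exercised offline (test helper, not protocol code).
func DemoClientData(typ string, challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{
		Type:      typ,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	return b
}

func main() {
	ch, _ := NewChallenge()
	origins := []string{"https://hub.example.test"} // assumed Hub origin
	good := DemoClientData("webauthn.get", ch, "https://hub.example.test")
	lookAlike := DemoClientData("webauthn.get", ch, "https://hub-example.test")
	fmt.Println(VerifyClientData(good, ch, origins))      // <nil>
	fmt.Println(VerifyClientData(lookAlike, ch, origins)) // origin not allowed
}
```

The origin comparison is exact-match on purpose: a suffix or substring check would accept attacker-controlled hostnames that merely contain the Hub's name.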
Enterprise SAML 2.0 SSO
For large organizations, MeltyBase provides native SAML 2.0 integration. Sync your team's identities with Okta, Azure AD, or Google Workspace while maintaining absolute data sovereignty.
- Metadata Exchange: Automated SP/IdP metadata generation via the SAML_ROOT_URL.
- Role Mapping: Map enterprise groups directly to MeltyBase roles (Admin, Developer, Viewer).
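An added example of the role-mapping step, written for this page rather than taken from MeltyBase: the group values from a SAML assertion's attribute statement are resolved to one of the three roles the page names. The group names, the attribute name "groups" and the mapping table shape are constructed assumptions. The policy encoded is deny by default (no mapped group, or no group attribute at all, yields no role) and highest privilege wins when several groups match; the mapping is also validated at load time so a typo in a role name cannot go unnoticed.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is one of the MeltyBase roles named on the page; RoleNone is "no access".
type Role string

const (
	RoleNone      Role = ""
	RoleViewer    Role = "Viewer"
	RoleDeveloper Role = "Developer"
	RoleAdmin     Role = "Admin"
)

// rank orders roles by privilege so that a deterministic choice can be made
// when a user sits in several mapped groups.
var rank = map[Role]int{RoleNone: 0, RoleViewer: 1, RoleDeveloper: 2, RoleAdmin: 3}

// GroupMapping is the assumed shape of the IdP-group-to-role table.
type GroupMapping map[string]Role

// ValidateMapping catches configuration typos at load time: a mapping to an
// unknown role name would otherwise silently grant nothing.
func ValidateMapping(m GroupMapping) error {
	for g, r := range m {
		if _, ok := rank[r]; !ok || r == RoleNone {
			return fmt.Errorf("group %q maps to unknown role %q", g, string(r))
		}
	}
	return nil
}

// ResolveRole returns the effective role for the group values taken from the
// assertion. Unknown groups grant nothing; no mapped group means RoleNone;
// when several groups match, the highest-privilege one wins.
func ResolveRole(m GroupMapping, groups []string) Role {
	best := RoleNone
	for _, g := range groups {
		if r, ok := m[g]; ok && rank[r] > rank[best] {
			best = r
		}
	}
	return best
}

// RoleFromAssertion looks up the group attribute in the attribute statement
// (modelled as name -> values) and fails closed when it is absent.
func RoleFromAssertion(m GroupMapping, attrs map[string][]string, groupAttr string) (Role, error) {
	groups, ok := attrs[groupAttr]
	if !ok {
		return RoleNone, errors.New("assertion carries no " + groupAttr + " attribute")
	}
	return ResolveRole(m, groups), nil
}

func main() {
	// Constructed mapping and assertion attributes (not real tenant data).
	mapping := GroupMapping{
		"mb-admins":     RoleAdmin,
		"mb-developers": RoleDeveloper,
		"mb-everyone":   RoleViewer,
	}
	if err := ValidateMapping(mapping); err != nil {
		panic(err)
	}
	attrs := map[string][]string{"groups": {"mb-everyone", "mb-developers", "finance"}}
	role, err := RoleFromAssertion(mapping, attrs, "groups")
	fmt.Println(role, err) // Developer <nil>
}
```

Whether the highest or the lowest matching role should win is a policy decision for the deployment; the comparison in ResolveRole is the single place to change it.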
Argon2id Hashing
MeltyBase utilizes the Argon2id algorithm for password hashing—the winner of the Password Hashing Competition. It provides superior resistance to GPU-based cracking and side-channel attacks.
The Identity Firewall
Every API key in MeltyBase can be restricted by an IP Firewall. This prevents unauthorized access even if a key is accidentally leaked in client-side code.
{
	"key_prefix": "mb_live_",
	"allowed_ips": ["192.168.1.0/24", "10.0.0.5"],
	"rate_limit": "5000/hour"
}
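As an added example (not MeltyBase's implementation), the following loads a policy document in the shape shown above and enforces the allowed_ips entry against a request. Two points a practitioner wants confirmed are built in: the list fails closed (an empty or malformed list allows nothing), and the client address is taken from the transport-level peer, never from X-Forwarded-For, because a client-controlled header would let a leaked key bypass the firewall. The route path and sample addresses are constructed; rate_limit is parsed but not enforced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// KeyPolicy mirrors the JSON document shown on the page.
type KeyPolicy struct {
	KeyPrefix  string   `json:"key_prefix"`
	AllowedIPs []string `json:"allowed_ips"`
	RateLimit  string   `json:"rate_limit"`
}

// IPAllowlist holds parsed entries; a bare address is treated as /32 or /128.
type IPAllowlist struct {
	nets []*net.IPNet
}

// ParseAllowlist rejects malformed entries at load time rather than failing
// open (or silently skipping them) at request time.
func ParseAllowlist(entries []string) (*IPAllowlist, error) {
	al := &IPAllowlist{}
	for _, e := range entries {
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("bad ip %q", e)
			}
			if ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("bad cidr %q: %w", e, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Allows returns true only for an address inside one of the listed networks;
// an empty allowlist allows nothing.
func (al *IPAllowlist) Allows(ip net.IP) bool {
	if ip == nil {
		return false
	}
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP uses the peer address of the connection. X-Forwarded-For is
// deliberately ignored: unless a trusted reverse proxy sets it, the header is
// whatever the caller chose to send.
func ClientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// LoadPolicy parses the JSON policy document into an allowlist.
func LoadPolicy(doc []byte) (*IPAllowlist, error) {
	var p KeyPolicy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	return ParseAllowlist(p.AllowedIPs)
}

// Check evaluates a request arriving from remoteAddr and returns the status
// the key firewall would answer with. The spoofed header shows that only the
// peer address counts.
func Check(al *IPAllowlist, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/data", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-For", "192.168.1.10") // client-supplied, ignored
	if !al.Allows(ClientIP(req)) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// policyDoc is the page's example policy, embedded so the code runs offline.
const policyDoc = `{"key_prefix":"mb_live_","allowed_ips":["192.168.1.0/24","10.0.0.5"],"rate_limit":"5000/hour"}`

func main() {
	al, err := LoadPolicy([]byte(policyDoc))
	if err != nil {
		panic(err)
	}
	fmt.Println(Check(al, "192.168.1.77:51234")) // 200
	fmt.Println(Check(al, "10.0.0.5:443"))       // 200
	fmt.Println(Check(al, "10.0.0.6:443"))       // 403
	fmt.Println(Check(al, "203.0.113.9:8080"))   // 403
}
```

If MeltyBase runs behind a load balancer, the peer address seen by the application is the balancer's, and the check has to move to the balancer or use a proxy-protocol/forwarded header that the balancer is trusted to set and overwrite on every hop.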