Passwordless auth that
never leaves the device

No passwords. No passkeys. No phishing.
Ship device-bound authentication in under 5 minutes.

npm install @hawcx/react
Get Started How It Works

Integrate in minutes

A state machine drives the UI. You render steps, Hawcx handles the crypto.

Frontend — React
import { HawcxProvider, useAuthState, useAuthActions } from '@hawcx/react';

function LoginFlow() {
  const state = useAuthState();
  const { start, submitCode } = useAuthActions();

  if (state.status === 'idle')
    return <button onClick={() => start(email)}>Continue</button>;

  if (state.status === 'step' && state.step.type === 'enter_code')
    return <button onClick={() => submitCode(code)}>Verify</button>;

  if (state.status === 'completed')
    // Send authCode + codeVerifier to your backend
    return <p>Authenticated!</p>;
}
Backend — Node.js
import { HawcxOAuth } from '@hawcx/oauth-client';

const oauth = new HawcxOAuth({
  configId: process.env.HAWCX_CONFIG_ID
});

app.post('/exchange', async (req, res) => {
  const { authCode, codeVerifier } = req.body;
  const { claims } = await oauth.exchangeCode(
    authCode, codeVerifier
  );
  // claims.sub = user ID
  // claims.email = verified email
  // Create your own session here
  res.json({ userId: claims.sub });
});

Why Hawcx

Device-Bound

Credentials never leave the device. No cloud sync, no transfer, no phishing surface.

Zero-Knowledge

The server receives only a proof — never the secret. Nothing to steal, nothing to leak.

Quantum-Resilient

Ephemeral per-session keys. No long-lived public keys for harvest-now-decrypt-later attacks.

Choose your stack

Frontend SDKs handle the auth flow. Backend SDKs verify the result.

Web
React & Vanilla JS
Android
Kotlin with Smart Connect
iOS
Swift with Secure Enclave
React Native
TypeScript bridge
Flutter
Dart bridge
Node.js
Express, Fastify
Python
Flask, Django, FastAPI

Ready to go passwordless?

Follow the 5-minute guide and ship auth today.

Start Building