ARCHITECTURE

How Zalt Works

A deep dive into Zalt's architecture, security model, and authentication flow.

Architecture

Client Application

Your web or mobile app integrates with the Zalt SDK

  • React, Next.js, Vue, Angular
  • iOS, Android, React Native
  • Any HTTP client

Zalt API

Serverless authentication endpoints

  • AWS Lambda (Node.js 20.x)
  • API Gateway with WAF
  • Global edge deployment

Data Layer

Secure, isolated data storage

  • DynamoDB (multi-region)
  • KMS encryption at rest
  • Per-realm isolation

Authentication Flow

1. User submits credentials: email/password or WebAuthn assertion
2. Rate limit check: IP- and user-based throttling
3. Credential verification: Argon2id hash comparison
4. MFA challenge (if enabled): TOTP or WebAuthn verification
5. Device trust evaluation: fingerprint matching and risk scoring
6. Token generation: RS256-signed JWT with claims
7. Session creation: refresh token stored securely

Security Features

RS256 JWT Tokens

Asymmetric signing with rotating keys. FIPS-compliant for healthcare.

Argon2id Password Hashing

32 MB memory cost, timeCost 5, parallelism 2. Resistant to GPU attacks.

WebAuthn / Passkeys

Phishing-proof authentication. Mandatory for healthcare realms.

Device Fingerprinting

70% fuzzy matching threshold. Detects suspicious device changes.

Rate Limiting

Per-IP and per-user limits. Progressive delays on failures.

Audit Logging

Complete audit trail. HIPAA/GDPR compliant retention.

Token Configuration

  • Access Token: 15 min lifetime; RS256 signed, kid header
  • Refresh Token: 7 days lifetime; rotated on each use
  • Grace Period: 30 sec; idempotent response