CAI Technology

CAI-AUTH — Post-Quantum Identity Provider

Modern, sovereign, post-quantum auth — for firms that cannot entrust Auth0/Okta.

The problem

Auth0/Okta are US vendors (Schrems II + CLOUD Act = data transfer on request). Keycloak open-source lacks post-quantum + audit-ready compliance pack. Regulated companies (legal, financial, public) stay stuck.

How it works

  1. Install CAI-AUTH in your infrastructure. Rust binary + Android APK + Chrome Extension + Python SDK. Reproducible builds via Nix.

  2. Configure OIDC clients (your apps) via the admin API or via BOS Console, either through the UI or with a natural-language prompt in Claude/ChatGPT.

  3. Users authenticate with the Android APK (biometric + hardware-attested post-quantum signature) or via device flow for smart-IoT/CLI.

  4. Tokens are post-quantum signed, with real-time JTI revocation and a full audit log. Compliant with PSD3, PCI-DSS 4.0.1, DORA, NIS2, HIPAA, EHDS, NIAP PP, DoD STIG.

Capabilities

Post-Quantum: hybrid post-quantum signatures (Patent Pending)

Tokens signed with the highest NIST-approved security category (Cat 5). Composite with classical signature — backward-compatible with non-PQ clients.

Full OIDC: 9 endpoints + 4 grant types

authorization_code + PKCE, client_credentials, refresh_token, RFC 8628 device_code (for smart-IoT/CLI). Discovery, JWKS, userinfo, introspect, revoke, end_session.

Real-time JTI revocation

RFC 9068 — a compromised token is revoked instantly across all applications, with no wait for a 1-hour TTL to expire.

18 audit-ready compliance documents

Statement of Applicability per regulation, threat model, certification path, key rotation policy, incident response runbook. Ready for external auditors.

Cosign + Rekor + SBOMs (supply chain)

All artifacts (Rust binary, APK, extension) signed via Cosign and registered to Rekor (transparency log). SBOM SPDX + CycloneDX with every release.

AI-native client integration

Paste the prompt into Claude/ChatGPT, describe the application, get JSON config, import in BOS Console. Fastest onboarding for new clients.

Tech stack

  • Rust server (memory-safe, zero CVE class)
  • Hybrid post-quantum signatures (Patent Pending)
  • Post-quantum key encapsulation (Patent Pending)
  • Cosign + Rekor transparency log
  • Nix reproducible builds

Evidence

  • Patent Pending — hybrid post-quantum signature scheme
  • v0.17.4.9 LIVE on auth.caitech.ro (public beta)
  • Red team 35/35 PASS pre-release
  • 35-doc how-to library + 18-doc compliance pack

FAQ

Why post-quantum now, if quantum computers don't exist yet?
'Harvest now, decrypt later' attack — adversaries collect encrypted tokens today to decrypt in 5-10 years. For long-lived tokens (refresh tokens, government sessions), PQ must be applied now, not when Q-day arrives.
Migration from Auth0 / Okta / Keycloak?
Migration guide + import tooling for each. Keycloak migration is the most direct (similar OIDC pattern). Migrating from Auth0/Okta requires a planning conversation — active users, open sessions, MFA enrollment.
Compatibility with non-PQ clients?
100%. Hybrid signature scheme — a client that doesn't support post-quantum signatures verifies the classical signature component and accepts the token. Backward-compatible by design.
Open source?
Server component: source-available with commercial license. Python SDK + Chrome Extension: MIT. APK: closed-source with reproducible build (you can verify the binary against the code).

We start with a 30-minute conversation.

Free AI-readiness audit for companies with 50+ employees. We reply within 24 hours.