Identity, organizations, machine auth, webhooks, notifications, and agents. One model under all of them. Wire it in once.
Identity, organizations, machine auth, webhooks, notifications, and agents. Built as one product, not six vendors stitched together.
wacht auth.signIn()
Password, magic link, passkey, MFA, OAuth across 25+ providers, SAML SSO. RBAC, session management, and hosted UI included.

wacht orgs.create()
The B2B model you would have built. Workspaces, invitations, roles, domain auto-join, per-org config. Already there.

wacht api.issueKey()
Issue API keys, OAuth apps, and machine credentials from one surface. Gate by scope, tenant, and rate limit before traffic ever reaches your API.

wacht webhooks.publish()
Every product event streams to your warehouse, SIEM, or customer webhook with at-least-once delivery, signed payloads, retries, and replay.

wacht notify.send()
Email, in-app, and realtime channels in one API. Templated payloads, per-user preferences, delivery tracking. No notification stack to run.

wacht agents.run()
Each agent runs in its own sandbox. Bring your own LLM keys and storage. Approvals and hooks on every tool call.
Wire identity in once. The rest speaks the same user and org model. No glue, no stitching.
Drop in sign-in, sign-up, and account UI. Three lines to wire it in. Email, social, passkeys, MFA, and recovery already work. Your brand throughout, not ours.
Agents run in their own sandbox. You bring the keys and the storage. Approvals fire on every tool call.
The B2B model you would have built. Organizations, workspaces, memberships, invitations, domain auto-join. Roles and scopes enforced everywhere they need to be.
Every product event streams to your warehouse, SIEM, or webhook with at-least-once delivery, retries, and signed payloads. Idempotency and replay built in.
Issue API keys, OAuth apps, and machine credentials from the same product surface. Gate by scope, tenant, and rate limit before traffic reaches your API.
{ "token": "sk_live_4f9a · · · 7e21", "audience": "console.wacht.dev" }
Typed end-to-end. Drop the SDK into Next.js, React Router, TanStack, or a Rust service. Same API everywhere.
    import { NextResponse } from 'next/server';
    import { createRouteMatcher, wachtMiddleware } from '@wacht/nextjs/server';

    // Match /account and everything beneath it.
    const isProtected = createRouteMatcher(['/account(.*)']);

    export default wachtMiddleware(
      async (auth, req) => {
        // Unmatched routes pass straight through.
        if (!isProtected(req)) return NextResponse.next();
        // Matched routes go through auth.protect() before the request continues.
        await auth.protect();
        return NextResponse.next();
      },
    );

    $ pnpm add @wacht/nextjs

Sign-in, consent, tenancy, account, and onboarding flows ship as drop-in components. Product logic already wired in behind them.

    $ pnpm add @wacht/nextjs

Drop the components in. They already speak to your Wacht backend.

10,000 monthly active users on the house. SAML SSO included. No credit card to start.
Real production limits, not a 14-day trial. Bring a side project, ship a launch, run a closed beta. No credit card.
Beta quotas. May change before GA. Existing usage will be honored.
We ditched Clerk for Wacht and it turned out to be one of the best decisions we made. It is simple, comprehensive, flexible where it matters, and the DX is exactly what we wanted while building InboxDoctor.
Start with a solid account and access layer, then grow into developer auth, delivery flows, and runtime automation on the same foundation.