When you choose an authentication provider, you are not just buying a feature. You are delegating trust. At WordAuth, we believe the safest way to handle sensitive user context is to minimize what we collect and aggressively reduce retention.
As WordAuth launches, this manifesto outlines how we treat privacy, why we enforce zero-knowledge patterns, and what developers can verify in practice.
1. Principle of Least Privilege
The API is designed to operate with minimal user context. You do not need to transmit names, emails, or high-sensitivity profile fields to request or verify a code.
- Anonymous verification is supported through obfuscated or hashed identifiers.
- Verification state is ephemeral and purged once code use is complete.
- WordAuth focuses on verification workflows, not profile enrichment.
2. No Cleartext, No Exceptions
Human-readable codes receive password-grade handling. Generated pairs are never persisted as cleartext in durable storage.
- Hashed at rest: code material is stored in one-way hashed form.
- Comparison uses established password-hash verification patterns.
- Database snapshots do not expose plaintext word pairs.
3. Zero-Knowledge Architecture
The design goal is to avoid any long-lived linkage between the content of a generated code and the metadata of its delivery.
- All API traffic is encrypted in transit with TLS 1.3.
- Code generation and delivery telemetry are isolated by design.
- Metadata is retained only as long as operationally required.
4. Production-Grade Safeguards
Memorability must not come at the cost of resistance to abuse. WordAuth ships with layered controls active by default.
- Brute-force protection with abuse pattern detection and rapid throttling.
- Rate limits at API key, IP, and user identifier levels.
- Automatic expiry via short TTL windows (5 minutes by default).
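As an added illustration, not WordAuth's own code, of the hashed-at-rest, single-use, short-TTL and attempt-capped handling described in sections 2 and 4, together with the hashed user reference suggested at the end of this page: a minimal in-memory verification store in Python. The word list, the attempt cap, the PBKDF2 work factor and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed illustration, not WordAuth's implementation; the numbers are assumptions.
CODE_TTL_SECONDS = 300       # 5-minute default expiry window described above
MAX_ATTEMPTS = 5             # assumed per-verification guess cap (brute-force control)
PBKDF2_ITERATIONS = 100_000  # password-grade work factor for the stored hash
WORDS = ["apple", "river", "stone", "cloud", "maple", "ember", "delta", "crane"]  # tiny constructed list
_pending = {}  # subject -> {salt, digest, expires, attempts}; the pair itself is never stored

def subject_ref(identifier, app_key):
    """Hashed user reference (HMAC under an app secret) so raw emails/phones need not be sent."""
    return hmac.new(app_key, identifier.strip().lower().encode(), "sha256").hexdigest()

def generate_pair():
    return f"{secrets.choice(WORDS)}-{secrets.choice(WORDS)}"

def hash_code(pair, salt):
    # Normalize before hashing so "Apple-River " still verifies against the stored digest.
    return hashlib.pbkdf2_hmac("sha256", pair.strip().lower().encode(), salt, PBKDF2_ITERATIONS)

def request_code(subject, now=None, pair=None):
    """Start a verification: return the pair once for delivery, keep only its salted hash."""
    now = time.time() if now is None else now
    pair = pair or generate_pair()
    salt = os.urandom(16)
    _pending[subject] = {"salt": salt, "digest": hash_code(pair, salt),
                         "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return pair

def verify_code(subject, candidate, now=None):
    """Check a submitted pair: expiry, then the attempt cap, then a constant-time compare."""
    now = time.time() if now is None else now
    rec = _pending.get(subject)
    if rec is None:
        return "no_pending"
    if now >= rec["expires"]:
        _pending.pop(subject, None)  # expired state is purged rather than kept
        return "expired"
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        _pending.pop(subject, None)  # too many guesses: the code is invalidated outright
        return "locked"
    if hmac.compare_digest(hash_code(candidate, rec["salt"]), rec["digest"]):
        _pending.pop(subject, None)  # single use: state is removed once the code is consumed
        return "ok"
    return "mismatch"
```

A durable deployment would keep the same record shape in a database row or cache entry with a TTL; a snapshot of that store then contains only salts and digests, never a usable word pair.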
5. Compliance-Ready Foundations
Privacy by design supports compliance outcomes. Data minimization reduces exposure and simplifies obligations across regulated environments.
- Lower PII collection helps align with GDPR-style minimization principles.
- Internal security and infrastructure reviews are performed monthly.
- Security posture is documented with developer-facing transparency.
Our Promise to Developers
WordAuth is built for teams that want measurable security controls without opaque platform behavior. We commit to transparent docs, clear pricing, and explicit security practices. This is not just a better OTP format. It is a more respectful trust boundary for your application and your users.
Security-conscious teams can further reduce exposure by sending a hashed user identifier instead of an email or phone as their primary verification reference where applicable.
