Identity that
never asks for a password.
Wenme is a passwordless identity platform built for banks and regulated enterprises. Passkeys, SAML, LDAP, OAuth 2.1, FAPI 2.0 — running on infrastructure we own end-to-end, from AS64005 up to the consent screen.
Proofs · last verified 2026-04-13
- Critical CVEs: 0 exploitable · last scan 2026-04-13
- Authentication: Passwordless · 6 methods · zero password storage
- JWT signing: Ed25519 (EdDSA) · 32-byte keys · since Mar 2026
- Network: AS64005 · own ASN · BGP-announced · Dot Internet NOC
- Stack: Go · PostgreSQL 18.3 · single-binary backend · tuned config
01 / 05 Standards
Twelve specifications,
implemented and enforced.
Not a checklist. Each item below is wired into request-handling code that runs in production. Read the source. Audit the logs.
FIDO2 / WebAuthn
Platform + cross-device passkeys. Hybrid transport for QR-code login.
OAuth 2.1
Mandatory PKCE (S256). No implicit grant, no password grant, no exceptions.
SAML 2.0 IdP
SP-initiated SSO. RSA-SHA256 signed assertions. Single-Logout supported.
LDAP / AD
Auto-sync, group-to-role mapping, STARTTLS and LDAPS.
FAPI 2.0
JARM, mTLS, DPoP (RFC 9449), PAR (RFC 9126). Bank-tier flows.
SCIM 2.0
User lifecycle from Okta, Azure AD, JumpCloud.
GDPR
Data export, account deletion, breach-notification workflow.
NIST Zero Trust
Three-tier Docker network. Idle 30 min / absolute 7-day session controls.
SOC 2
Type II controls in place. Formal audit not yet contracted.
ISO 27001
ISMS policies documented. Certification pending.
PCI DSS
Encryption at rest and in transit. Scope-limited.
HIPAA
Technical safeguards in place. BAA available on request.
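The mandatory PKCE (S256) from the OAuth 2.1 item above, carried through as an added Go example (not Wenme's code; the AuthCode struct, the function names and the error values are assumptions). The client derives the challenge from a random verifier, and the token endpoint recomputes it from the verifier presented at redemption, refusing codes that were issued without a challenge or with the downgradable plain method:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Added example, not Wenme's code: the RFC 7636 S256 check an authorization
// server performs at the token endpoint. Type and function names are assumptions.

// RFC 7636 section 4.1: a verifier is 43..128 characters from the unreserved set.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// NewVerifier generates a high-entropy code_verifier (32 random bytes -> 43 chars).
func NewVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Challenge derives code_challenge = BASE64URL(SHA256(code_verifier)).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthCode is what the server stored alongside the authorization code it issued.
type AuthCode struct {
	Challenge string
	Method    string // "S256" or "plain"
}

var (
	ErrPlainRejected    = errors.New("pkce: plain method not allowed (OAuth 2.1 requires S256)")
	ErrMissingPKCE      = errors.New("pkce: code was issued without a code_challenge")
	ErrBadVerifier      = errors.New("pkce: code_verifier malformed")
	ErrVerifierMismatch = errors.New("pkce: code_verifier does not match code_challenge")
)

// VerifyPKCE is the token-endpoint check: no challenge or a "plain" challenge
// is a hard reject, and the recomputed challenge is compared in constant time.
func VerifyPKCE(code AuthCode, verifier string) error {
	if code.Challenge == "" {
		return ErrMissingPKCE
	}
	if code.Method != "S256" {
		return ErrPlainRejected
	}
	if !verifierRe.MatchString(verifier) {
		return ErrBadVerifier
	}
	expected := Challenge(verifier)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(code.Challenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

func main() {
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	issued := AuthCode{Challenge: Challenge(v), Method: "S256"}
	fmt.Println("valid verifier:", VerifyPKCE(issued, v))
	fmt.Println("plain method:", VerifyPKCE(AuthCode{Challenge: v, Method: "plain"}, v))
}
```

The verifier format check matters as much as the hash comparison: a server that accepts arbitrary strings as verifiers, or silently falls back to plain when the method is absent, leaves an interception of the authorization code exploitable.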
“Most identity vendors rent a VPC from someone who rents a rack from someone else. We rent nothing.”
02 / 05 Infrastructure
We own the network.
Bottom of the stack to top.
Wenme runs on KaritKarma's own ASN, in our own facilities — primary site in the Dot Internet NOC, Dhaka; DR in FRCBD, Sirajganj. No hyperscaler in the path between you and your user's ID token.
Own ASN. BGP-announced from two sites. No third-party routing.
Dhaka, Bangladesh. Carrier-neutral, on-net peering.
Geographic separation. Independent power and uplinks.
0 critical CVEs exploitable, as of 2026-04-13. Ubuntu Pro, dropped caps, encrypted at rest.
02·5 / 05 Why Wenme
Seven things
our competitors can’t say.
Identity is a crowded category. Most of the differentiation is marketing. The differentiation that holds up under a bank’s technical review is below — each item verifiable, each one specific, none of them bought from a hyperscaler.
No password code path
Not “passwordless-supports-passwords”. The column was dropped, the legacy handlers were deleted in March 2026, the breach-notification flow tied to hash leaks is gone. Phishing, credential stuffing, password spraying, offline cracking — entire attack categories eliminated, not mitigated.
Zero exploitable critical CVEs
Across six production containers, the host OS, the Go backend, and both Next.js apps. Verified 2026-04-13 with trivy and govulncheck. Most identity vendors don’t publish this number because the answer would embarrass them.
Crypto agility, honestly described
Ed25519 today, with JWKS alg/kid hooks for ML-DSA when the Go stdlib lands it. Symmetric primitives (AES-256-GCM, SHA-256) already meet the post-quantum bar. We do not call Ed25519 quantum-safe — because it isn’t.
XML-DSig SAML, properly verified
Inbound SP signatures are cryptographically verified against the registered certificate, not presence-checked. Exclusive C14N, signs both Response and Assertion, RSA-SHA1 hard-rejected as a downgrade. Shipped 2026-04-13 — most SAML implementations don’t do this.
Our own ASN, our own racks
AS64005, registered to KaritKarma directly with APNIC. Prefix 103.139.235.0/24 with valid RPKI ROA. Your network team can verify the origin on any BGP looking-glass. Not an AWS tenancy in a trench coat.
Bangladesh data sovereignty
Production at the Dot Internet NOC in Dhaka. DR site at FRCBD, Sirajganj. Sub-10ms latency to anywhere in BD. Same jurisdiction as your bank — no Schrems II problem, no foreign-government access vector, no cross-border data residency clause to negotiate.
SIEM-ready audit trail
The security_events table records every authentication failure, privilege-escalation attempt, CSRF violation, MFA bypass, session timeout, and LDAP sync error — with severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) and structured JSON for direct ingestion.
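What a SIEM does with that trail, as an added Go example (not Wenme's code). The field names and the event type strings below are assumptions about the security_events schema; only the severity levels come from the page. The sample export is constructed. The code parses newline-delimited JSON without stalling on a bad row, forwards anything at or above a severity floor, and raises a burst alert when one source IP accumulates repeated authentication failures inside a sliding window:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added example, not Wenme's code. Field names and event types are assumptions;
// the severity levels are the ones the page lists.
type Event struct {
	Time     time.Time `json:"time"`
	Type     string    `json:"type"`
	Severity string    `json:"severity"`
	Actor    string    `json:"actor"`
	SourceIP string    `json:"source_ip"`
}

// SampleEvents is a constructed export: one JSON object per line, as a SIEM
// ingests it. The last line is deliberately malformed.
const SampleEvents = `{"time":"2026-04-13T09:00:00Z","type":"auth_failure","severity":"MEDIUM","actor":"alice","source_ip":"198.51.100.7"}
{"time":"2026-04-13T09:00:20Z","type":"auth_failure","severity":"MEDIUM","actor":"bob","source_ip":"198.51.100.7"}
{"time":"2026-04-13T09:00:45Z","type":"auth_failure","severity":"MEDIUM","actor":"carol","source_ip":"198.51.100.7"}
{"time":"2026-04-13T09:01:10Z","type":"session_timeout","severity":"INFO","actor":"dave","source_ip":"203.0.113.9"}
{"time":"2026-04-13T09:01:30Z","type":"mfa_bypass","severity":"CRITICAL","actor":"erin","source_ip":"203.0.113.9"}
{"time":"2026-04-13T09:15:00Z","type":"auth_failure","severity":"MEDIUM","actor":"frank","source_ip":"198.51.100.7"}
this line is not JSON
`

var severityRank = map[string]int{"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ParseEvents reads NDJSON, counting (not failing on) lines that do not parse
// or carry an unknown severity, and returns the events in time order.
func ParseEvents(ndjson string) (events []Event, malformed int) {
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			malformed++
			continue
		}
		if _, ok := severityRank[ev.Severity]; !ok {
			malformed++
			continue
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, malformed
}

// Alert is one detection result; Key is the actor or source IP it fired on.
type Alert struct {
	Rule  string
	Key   string
	Count int
}

// Detect applies two rules: forward every event at or above minSeverity, and
// raise one burst alert per source IP that produces >= threshold auth_failure
// events inside a sliding window (the shape of credential guessing).
func Detect(events []Event, minSeverity string, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	recent := map[string][]time.Time{}
	fired := map[string]bool{}
	for _, ev := range events {
		if severityRank[ev.Severity] >= severityRank[minSeverity] {
			alerts = append(alerts, Alert{Rule: "severity:" + ev.Type, Key: ev.Actor, Count: 1})
		}
		if ev.Type != "auth_failure" {
			continue
		}
		ts := recent[ev.SourceIP]
		for len(ts) > 0 && ev.Time.Sub(ts[0]) > window { // expire old failures
			ts = ts[1:]
		}
		ts = append(ts, ev.Time)
		recent[ev.SourceIP] = ts
		if len(ts) >= threshold && !fired[ev.SourceIP] {
			fired[ev.SourceIP] = true
			alerts = append(alerts, Alert{Rule: "auth_failure_burst", Key: ev.SourceIP, Count: len(ts)})
		}
	}
	return alerts
}

func main() {
	events, malformed := ParseEvents(SampleEvents)
	fmt.Printf("%d events parsed, %d malformed lines skipped\n", len(events), malformed)
	for _, a := range Detect(events, "HIGH", 3, 5*time.Minute) {
		fmt.Printf("%-20s %-14s count=%d\n", a.Rule, a.Key, a.Count)
	}
}
```

With the sample above, three failures from 198.51.100.7 within 45 seconds trip the burst rule, the fourth failure fifteen minutes later does not (the window has drained), and the CRITICAL mfa_bypass event is forwarded on severity alone.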
03 / 05 Capabilities
What you actually get
when you flip the switch.
Six auth methods, one flow
Passkeys, TOTP, magic links, backup codes, SAML federation, and OAuth — picked dynamically based on what the user's device supports.
Passkey enforcement policy
None, encouraged, or required — configured at the org level, overridable per OAuth app. Banks require. Marketing sites encourage.
Smart device detection
Face ID, Touch ID, Windows Hello, hybrid transport for QR-code cross-device login. Old desktops fall back to magic links.
White-label, per OAuth app
14 customisable fields — logo, colours, fonts, favicon, footer, legal links. Org→app inheritance with overrides.
21 webhook event types
HMAC-SHA256 signed payloads. Three-attempt exponential retry. Per-org delivery log with replay.
SCIM 2.0 user provisioning
Connect Okta or Azure AD as the source of truth. Wenme syncs users in, federates passkeys out.
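The receiving side of the signed webhooks described above, as an added Go example (not Wenme's code). The header layout `t=<unix>,v1=<hex>`, the five-minute tolerance and the secret value are assumptions; the page states only that payloads are HMAC-SHA256 signed and retried three times with exponential backoff. Binding the send timestamp into the MAC and checking it against a window is what stops a captured delivery from being replayed, and the comparison is constant-time:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Added example, not Wenme's code. Header layout and tolerance are assumptions.

// computeMAC covers the timestamp and the raw body together, so neither can be
// swapped independently of the other.
func computeMAC(secret []byte, ts string, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ts + "."))
	mac.Write(body)
	return mac.Sum(nil)
}

// SignWebhook is the sender side: the value of the signature header.
func SignWebhook(secret []byte, sentAt time.Time, body []byte) string {
	ts := strconv.FormatInt(sentAt.Unix(), 10)
	return "t=" + ts + ",v1=" + hex.EncodeToString(computeMAC(secret, ts, body))
}

var (
	ErrBadHeader = errors.New("webhook: malformed signature header")
	ErrStale     = errors.New("webhook: timestamp outside tolerance")
	ErrBadMAC    = errors.New("webhook: signature mismatch")
)

// VerifyWebhook runs on the raw request body before it is parsed. Stale
// timestamps are rejected before the MAC is even computed.
func VerifyWebhook(secret []byte, header string, body []byte, now time.Time, tolerance time.Duration) error {
	var ts, sig string
	for _, kv := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ErrBadHeader
		}
		switch k {
		case "t":
			ts = v
		case "v1":
			sig = v
		}
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || sig == "" {
		return ErrBadHeader
	}
	if d := now.Sub(time.Unix(unix, 0)); d > tolerance || d < -tolerance {
		return ErrStale
	}
	got, err := hex.DecodeString(sig)
	if err != nil || !hmac.Equal(got, computeMAC(secret, ts, body)) {
		return ErrBadMAC
	}
	return nil
}

// RetrySchedule returns the wait before each delivery attempt: the first is
// immediate, each later one doubles (base, 2*base, ...).
func RetrySchedule(maxAttempts int, base time.Duration) []time.Duration {
	waits := make([]time.Duration, maxAttempts)
	for i := 1; i < maxAttempts; i++ {
		waits[i] = base << uint(i-1)
	}
	return waits
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed value, not a real secret
	body := []byte(`{"event":"user.created","id":"u_1"}`)
	header := SignWebhook(secret, time.Now(), body)
	fmt.Println(header)
	fmt.Println("verify:", VerifyWebhook(secret, header, body, time.Now(), 5*time.Minute))
	fmt.Println("retry waits:", RetrySchedule(3, time.Second))
}
```

A receiver that verifies a re-serialised JSON object instead of the raw bytes will see spurious mismatches; verify the body exactly as received, then parse it.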
04 / 05 Cryptography
Modern primitives.
Boring choices.
Nothing here is novel. That's the point. Every primitive below has years of cryptanalysis behind it, and every implementation lives in code we wrote ourselves.
32-byte keys, 64-byte signatures. Migrated off RS256, March 2026.
Sender-constrained access tokens. A stolen bearer token is unusable.
Authenticated encryption. Per-tenant key rotation, no key reuse.
No password hashes — there are no passwords. Used for backup codes and PII.
Cloudflare Full (Strict) on the edge. Direct TLS to identity.wenme.net for backends.
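Why a stolen sender-constrained token is unusable, as an added Go example (not Wenme's code) of the resource-server side of DPoP (RFC 9449) using only the standard library. It assumes the caller has already validated the access token and extracted its cnf.jkt thumbprint; the function names, the one-minute freshness window and the in-memory jti set are assumptions. The proof must be signed by the key the token is bound to, name the exact method and URL, be fresh, and carry an unseen jti:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example, not Wenme's code: DPoP proof issue and verification (RFC 9449)
// with ES256. The caller supplies cnf.jkt already extracted from the token.

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func coords(pub *ecdsa.PublicKey) (string, string) {
	return b64(pub.X.FillBytes(make([]byte, 32))), b64(pub.Y.FillBytes(make([]byte, 32)))
}

// Thumbprint is the RFC 7638 JWK thumbprint of a P-256 key (required members
// only, lexicographic order, no whitespace); cnf.jkt in the token carries it.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x, y := coords(pub)
	sum := sha256.Sum256([]byte(`{"crv":"P-256","kty":"EC","x":"` + x + `","y":"` + y + `"}`))
	return b64(sum[:])
}

// NewProof is the client side: a fresh ES256 proof JWT for one request.
func NewProof(priv *ecdsa.PrivateKey, method, url, jti string, iat time.Time) (string, error) {
	x, y := coords(&priv.PublicKey)
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256",
		"jwk": map[string]string{"kty": "EC", "crv": "P-256", "x": x, "y": y}})
	clm, _ := json.Marshal(map[string]any{"htm": method, "htu": url, "jti": jti, "iat": iat.Unix()})
	input := b64(hdr) + "." + b64(clm)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

var ErrDPoP = errors.New("dpop: proof rejected")

// VerifyProof: a bearer token taken without its private key cannot produce a
// proof whose key thumbprint matches jkt, so the request is refused.
func VerifyProof(proof, method, url, jkt string, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("%w: not a compact JWS", ErrDPoP)
	}
	hdrB, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	clmB, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return fmt.Errorf("%w: bad encoding", ErrDPoP)
	}
	var hdr struct {
		Typ, Alg string
		Jwk      struct{ Kty, Crv, X, Y string }
	}
	// Pin typ and alg so the header cannot select "none" or an HMAC algorithm.
	if json.Unmarshal(hdrB, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" ||
		hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return fmt.Errorf("%w: unsupported header", ErrDPoP)
	}
	xb, ex := base64.RawURLEncoding.DecodeString(hdr.Jwk.X)
	yb, ey := base64.RawURLEncoding.DecodeString(hdr.Jwk.Y)
	if ex != nil || ey != nil {
		return fmt.Errorf("%w: bad jwk", ErrDPoP)
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("%w: bad signature", ErrDPoP)
	}
	if Thumbprint(pub) != jkt {
		return fmt.Errorf("%w: key does not match token binding", ErrDPoP)
	}
	var clm struct {
		Htm, Htu, Jti string
		Iat           int64
	}
	if json.Unmarshal(clmB, &clm) != nil || clm.Htm != method || clm.Htu != url {
		return fmt.Errorf("%w: proof is for a different request", ErrDPoP)
	}
	if age := now.Sub(time.Unix(clm.Iat, 0)); age > time.Minute || age < -time.Minute {
		return fmt.Errorf("%w: stale proof", ErrDPoP)
	}
	if clm.Jti == "" || seenJTI[clm.Jti] {
		return fmt.Errorf("%w: replayed jti", ErrDPoP)
	}
	seenJTI[clm.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := NewProof(priv, "GET", "https://api.example/accounts", "jti-1", time.Now())
	fmt.Println(VerifyProof(proof, "GET", "https://api.example/accounts", Thumbprint(&priv.PublicKey), time.Now(), map[string]bool{}))
}
```

In production the seen-jti set needs a bounded lifetime matching the freshness window (a cache with expiry rather than a map that grows forever), and htu comparison should normalise the URL the same way the server routes it.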
05 / 05 Integrate
One OpenID Connect
provider away.
If your stack speaks OAuth 2.1 or SAML 2.0 — and most do — Wenme drops in. The example here works with NextAuth.js, Auth.js, or any compliant OIDC client. PKCE is mandatory; everything else is a default you'll never have to think about.
  // NextAuth.js / Auth.js OAuth provider definition for Wenme.
  // Discovery (wellKnown) supplies the authorization, token, JWKS and userinfo endpoints.
  export const wenme = {
    id: "wenme",
    name: "Wenme",
    type: "oauth",
    wellKnown: "https://wenme.net/.well-known/openid-configuration",
    authorization: { params: { scope: "openid profile email" } },
    clientId: process.env.WENME_CLIENT_ID,
    clientSecret: process.env.WENME_CLIENT_SECRET,
    idToken: true, // take profile claims from the ID token rather than the userinfo endpoint
  }
Get started
Ship identity
in the next sprint.
On-prem, hosted, or hybrid. Per-user-per-month or perpetual license. We work with the procurement model your bank already has, and the deployment model your security team already trusts.