Identity that never asks for a password.
Wenme is a passwordless identity platform built for banks and regulated enterprises. Passkeys, SAML, LDAP, OAuth 2.1, FAPI 2.0, running on infrastructure we own end to end, from AS64005 up to the consent screen.
- rp.id: wenme.net
- alg: EdDSA (-8)
- aaguid
- resident
- credential public key: MCowBQYDK2VwAyEA9rT4k2x8QfvN1pLmQ7sR4uYwZc0aB3dE5fGhJ
- assertion flow
- zero passwords stored
Speaks every protocol your bank’s security review will ask about.
Twelve specifications, implemented and enforced.
Not a checklist. Each item below is wired into request-handling code that runs in production. Read the source. Audit the logs.
- FIDO2 / WebAuthn: Platform + cross-device passkeys. Hybrid transport for QR-code login.
- OAuth 2.1: Mandatory PKCE (S256). No implicit grant, no password grant, no exceptions.
- SAML 2.0 IdP: SP-initiated SSO. RSA-SHA256 signed assertions. Single-Logout supported.
- LDAP / AD: Auto-sync, group-to-role mapping, STARTTLS and LDAPS.
- FAPI 2.0: JARM, mTLS, DPoP (RFC 9449), PAR (RFC 9126). Bank-tier flows.
- SCIM 2.0: User lifecycle from Okta, Azure AD, JumpCloud.
- GDPR: Data export, account deletion, breach-notification workflow.
- NIST Zero Trust: Three-tier Docker network. Idle 30 min / absolute 7-day session controls.
- SOC 2: Type II controls in place. Formal audit not yet contracted.
- ISO 27001: ISMS policies documented. Certification pending.
- PCI DSS: Encryption at rest and in transit. Scope-limited.
- HIPAA: Technical safeguards in place. BAA available on request.
“Most identity vendors rent a VPC from someone who rents a rack from someone else. We rent nothing.”
We own the network. Bottom of the stack to top.
Wenme runs on KaritKarma’s own ASN, in our own racks. Primary site at ColoUniverse, a carrier-neutral colocation in Dhaka, multi-homed on Dot and Fusion. A second site in Sirajganj is in build-out. No hyperscaler in the path between you and your user’s ID token.
- Own ASN. BGP-announced from two sites. No third-party routing.
- Mohakhali, Dhaka. Carrier-neutral colocation, multi-homed on Dot and Fusion.
- Second site in build-out. Geographic separation, independent power and uplinks.
- Zero exploitable critical CVEs as of 2026-04-13. Ubuntu Pro, dropped caps, encrypted at rest.
Seven things our competitors can’t say.
Identity is a crowded category. Most of the differentiation is marketing. The differentiation that holds up under a bank’s technical review is below, each item verifiable, each one specific, none of them bought from a hyperscaler.
- No password code path: Not “passwordless-supports-passwords”. The column was dropped, the legacy handlers were deleted in March 2026, and the breach-notification flow tied to hash leaks is gone. Phishing, credential stuffing, password spraying, offline cracking: entire attack categories eliminated, not mitigated.
- Zero exploitable critical CVEs: Across six production containers, the host OS, the Go backend, and both Next.js apps. Verified 2026-04-13 with trivy and govulncheck. Most identity vendors don’t publish this number because the answer would embarrass them.
- Crypto agility, honestly described: Ed25519 today, with JWKS alg/kid hooks for ML-DSA when the Go stdlib lands it. Symmetric primitives (AES-256-GCM, SHA-256) already meet the post-quantum bar. We do not call Ed25519 quantum-safe, because it isn’t.
- XML-DSig SAML, properly verified: Inbound SP signatures are cryptographically verified against the registered certificate, not presence-checked. Exclusive C14N, signs both Response and Assertion, RSA-SHA1 hard-rejected as a downgrade. Shipped 2026-04-13; most SAML implementations don’t do this.
- Our own ASN, our own racks: AS64005, registered to KaritKarma directly with APNIC. Prefix 103.139.235.0/24 with valid RPKI ROA. Your network team can verify the origin on any BGP looking-glass. Not an AWS tenancy in a trench coat.
- Bangladesh data sovereignty: Production at ColoUniverse, Dhaka, with a second site in Sirajganj in build-out. Sub-10ms latency to anywhere in BD. Same jurisdiction as your bank, no Schrems II problem, no foreign-government access vector, no cross-border data residency clause to negotiate.
- SIEM-ready audit trail: The security_events table records every authentication failure, privilege-escalation attempt, CSRF violation, MFA bypass, session timeout, and LDAP sync error, with severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) and structured JSON for direct ingestion.
What you actually get when you flip the switch.
- Six auth methods, one adaptive flow: Passkeys, TOTP, magic links, backup codes, SAML federation, and OAuth, picked dynamically from what the user’s device supports. No dead ends, no password fallback.
- Passkey enforcement policy: None, encouraged, or required. Set per org, overridable per OAuth app.
- Smart device detection: Face ID, Touch ID, Windows Hello, hybrid QR transport for cross-device login. Old desktops fall back to magic links.
- White-label, per OAuth app: 14 customisable fields. Logo, colours, fonts, favicon, footer, legal links. Org to app inheritance with overrides.
- 21 webhook event types: HMAC-SHA256 signed payloads. Three-attempt exponential retry. Per-org delivery log with replay.
- SCIM 2.0 provisioning: Connect Okta or Azure AD as the source of truth. Wenme syncs users in, federates passkeys out.
- SIEM-ready audit trail: Every auth failure, privilege escalation, and MFA bypass logged with severity and structured JSON.
Numbers we’ll put in the contract.
- Critical CVEs: 0 exploitable · last scan 2026-04-13
- Authentication: Passwordless · 6 methods · zero password storage
- JWT signing: Ed25519 · EdDSA · 32-byte keys · since Mar 2026
- Network: AS64005 · own ASN · BGP-announced · multi-homed Dot + Fusion
- Stack: Go · PostgreSQL 18.3 · single-binary backend · tuned config
Modern primitives. Boring choices.
Nothing here is novel. That’s the point. Every primitive below has years of cryptanalysis behind it, and every implementation lives in code we wrote ourselves.
Ed25519: 32-byte keys, 64-byte signatures. Migrated off RS256, March 2026.
DPoP: Sender-constrained access tokens. A stolen bearer token is unusable.
AES-256-GCM: Authenticated encryption. Per-tenant key rotation, no key reuse.
No password hashes, there are no passwords. Used for backup codes and PII.
Cloudflare Full (Strict) on the edge. Direct TLS to identity.wenme.net for backends.
One OpenID Connect provider away.
If your stack speaks OAuth 2.1 or SAML 2.0, and most do, Wenme drops in. The example here works with NextAuth.js, Auth.js, or any compliant OIDC client. PKCE is mandatory; everything else is a default you’ll never have to think about.
```javascript
// NextAuth.js / Auth.js OAuth provider entry. Endpoints and the signing JWKS
// are discovered from the OpenID Connect metadata document at `wellKnown`.
export const wenme = {
  id: "wenme",
  name: "Wenme",
  type: "oauth",
  wellKnown: "https://wenme.net/.well-known/openid-configuration",
  authorization: { params: { scope: "openid profile email" } },
  clientId: process.env.WENME_CLIENT_ID,
  clientSecret: process.env.WENME_CLIENT_SECRET,
  idToken: true, // profile claims are read from the ID token
}
```

Ship identity in the next sprint.
On-prem, hosted, or hybrid. Per-user-per-month or perpetual license. We work with the procurement model your bank already has, and the deployment model your security team already trusts.