We’re thrilled to introduce WRNexus — the identity, workspaces, and billing shell we wish had existed the last six times we shipped a SaaS product.
Why another auth product?
Every product team eventually writes the same code: signup, login, password reset, MFA, OAuth, workspaces, invites, billing, an audit log, and a staff console. It is rarely the differentiated part of the product, but it has to be right, every time, forever.
WRNexus is that stack — already written, already tested, already audited. You bring the product. We bring the parts that don’t win you a customer but absolutely lose you one if they break.
What ships on day one
- Argon2id passwords with optional HIBP k-anonymity checks
- WebAuthn passkeys, TOTP authenticators, and one-tap recovery codes
- Magic links with single-use, 15-minute TTL tokens
- OAuth for Google and GitHub (PKCE end-to-end)
- Workspaces with role-based invites and team membership
- API keys that are hashed at rest and shown exactly once
- Stripe billing with Customer Portal and webhook signature verification
- Staff console with impersonation, suspension, and an audit trail
Built for the way you actually deploy
The reference deployment is one VM running docker compose. No bespoke
orchestration, no kubectl wizardry, no separate microservices per feature.
The whole API is a single Rust + actix-web service with embedded sqlx
migrations and a Redis-backed session store.
If you outgrow a single VM, the same images work on Fly.io, Render, or any other container host. We do not ship a hidden manifest. The compose file is the production recipe.
What’s next
Stay tuned for deeper dives into our WebAuthn registration flow, our audit-log schema, and the design of the impersonation cookie — all coming soon to this very blog.