I have made the Toqen.app mobile application publicly available.
This is a deliberate decision to move toward transparency and independent technical review.
The mobile client is the part of the system that users directly interact with during authorization.
It is now open for inspection so anyone can verify how access is processed on the device.
What is Toqen
Toqen is an access-first authentication infrastructure designed for secure, real-time authorization.
Each access request is:
- created in real time
- explicitly approved by the user
- cryptographically signed by the device
- verified by the backend
The mobile app acts as a secure execution layer for these decisions.
What the open source mobile app actually does
The mobile client has a very narrow and well-defined responsibility:
- scan or receive an access request
- fetch request context from the backend
- show the user what is being requested
- collect explicit approval or denial
- sign a short-lived challenge using a device key
- send the signed result back for verification
The app does not grant access on its own.
All final decisions are verified by the server.
What data the app collects
This is the key point.
You can verify it directly in the code.
The mobile app stores only what is strictly required to perform cryptographic authorization:
-
device_private_key(generated on device, never leaves it) -
device_id -
app_instance_id
That is the full set of stored sensitive data.
There is no storage of:
- passwords
- session tokens
- refresh tokens
- reusable credentials
- backend secrets
Sensitive data is stored using OS-level secure storage (Keychain / Keystore).
What is NOT inside the system
Toqen is built around strict data minimization.
- QR codes do not contain secrets
- authorization requests are short-lived
- requests are single-use
- no reusable tokens exist in the flow
Even if a QR code is intercepted, it cannot be used to gain access.
Authorization always requires:
- user confirmation
- device signature
- backend verification
How authorization actually works
All flows follow the same pattern:
request → context → user decision → signature → verification → result
This guarantees:
- no silent approvals
- no implicit trust
- no background authorization
Every access is intentional and verifiable.
Security model (short version)
The system assumes a hostile environment:
- network is untrusted
- QR codes can be intercepted
- requests can be replayed
Security is achieved through:
- device-bound cryptographic keys
- challenge-response authorization
- short-lived requests
- server-side verification
Private keys never leave the device.
The backend never has access to them.
Why only the mobile app is open
The mobile client is the most critical part to verify from a trust perspective.
By open-sourcing it, I allow:
- independent security review
- verification of data handling
- inspection of cryptographic flows
- validation of what is and is not collected
The backend remains closed, but its behavior is fully defined through:
- API contracts
- documented flows
- security model
- threat model
This keeps the system verifiable without exposing operational infrastructure.
Build transparency
The build and release process is also documented.
Each build includes:
- version
- commit hash
- tag
- CI reference
This allows anyone to trace how a distributed app was produced.
What this means
You do not have to rely on claims.
You can:
- inspect the code
- verify storage behavior
- review cryptographic operations
- confirm data handling
The mobile app is fully transparent by design.
Repository
https://github.com/toqenapp/mobile-react-native
Product access:
- iOS (App Store): search for “toqen.app”
- Android (closed testing): https://forms.gle/f9FcbHyHJiajmFWV7
Typical use cases include:
- SaaS platforms
- gated digital content
- memberships
- online education environments
- event access systems
- other products requiring time-bound and policy-defined authorization
Building continues.
Top comments (1)
One thing I am still trying to understand:
Does open-sourcing something like the auth layer actually increase trust, or do most people decide based on other signals anyway?
Would be interesting to hear how you approach this.