What is Truly You?

Secure & compliant authentication with two lines of code

TrulyYou makes FIDO2-based Authentication as simple as two API calls—one on your client, one on your server. The SDK handles the complete credential registration and authentication lifecycle automatically. TrulyYou is completely SCA (Strong Customer Authentication) compliant, making it a drop-in way to authenticate payments globally.

Two Lines of Code

Client-side (web, mobile, any platform):

// Signs the request (method, URI, body) and sends it with the signature attached
const result = await sdk.fetchWithSignature('/api/payment', {
  method: 'POST',
  body: JSON.stringify({ amount: 100, recipient: 'alice@bank.com' })
});

Server-side (Node.js, Python, Go, etc.):

// Reject the request unless the signature verifies against the received payload
const result = await sdk.verifySignature(req);
if (!result.verified) return res.status(401).json({ error: 'Unauthorized' });

That's it. SCA compliance with dynamic linking, biometric verification, and hardware-backed security.

What Happens Behind the Scenes

When you call fetchWithSignature, the SDK automatically:

1. Identifies the user

Checks if a passkey exists for this user across your domain

2. Enrolls if needed

If not recognized, creates a passkey in device TEE and completes KYC enrollment

3. Prompts for biometric

User authorizes with Face ID, Touch ID, or device biometric

4. Signs the payload

Private key signs the exact request (method, URI, body)—dynamic linking to API payload details

5. Sends signed request

Request goes to your server with signature in x-truly-auth header

On the server, verifySignature validates that the request was signed by the enrolled user's private key, from their specific device, and that the signature matches the exact payload (preventing replay or modification attacks).
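The payload binding described above can be seen in a small Node.js sketch. This is an added example, not TrulyYou SDK code: the JSON header layout, the nonce, the canonical string and the function names are assumptions, and a plain ECDSA P-256 key stands in for a real WebAuthn passkey assertion.

```javascript
// Added illustration, not TrulyYou SDK code: header layout, nonce and
// canonical string are assumptions; plain ECDSA stands in for a passkey.
const crypto = require('node:crypto');

// Bind method, URI and a hash of the exact body bytes into one signed string.
function canonical(method, uri, body, nonce) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [method.toUpperCase(), uri, bodyHash, nonce].join('\n');
}

// Client side: sign the canonical string with a fresh per-request nonce.
function signRequest(privateKey, { method, uri, body }) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const msg = Buffer.from(canonical(method, uri, body, nonce));
  const sig = crypto.sign('sha256', msg, privateKey).toString('base64');
  return JSON.stringify({ nonce, sig });
}

// Server side: rebuild the canonical string from the request as received.
function verifyRequest(publicKey, seenNonces, { method, uri, body }, header) {
  let parsed;
  try { parsed = JSON.parse(header); } catch { parsed = null; }
  const { nonce, sig } = parsed || {};
  if (typeof nonce !== 'string' || typeof sig !== 'string') {
    return { verified: false, reason: 'malformed' };
  }
  const msg = Buffer.from(canonical(method, uri, body, nonce));
  const ok = crypto.verify('sha256', msg, publicKey, Buffer.from(sig, 'base64'));
  if (!ok) return { verified: false, reason: 'bad-signature' };
  // Record the nonce only after the signature checks out, so unsigned
  // traffic cannot fill the replay cache.
  if (seenNonces.has(nonce)) return { verified: false, reason: 'replay' };
  seenNonces.add(nonce);
  return { verified: true };
}

// Constructed sample request: a modified body fails, a repeat is rejected.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const seen = new Set();
  const body = JSON.stringify({ amount: 100, recipient: 'alice@bank.com' });
  const req = { method: 'POST', uri: '/api/payment', body };
  const header = signRequest(privateKey, req);
  const modified = { ...req, body: body.replace('100', '9000') };
  return {
    modified: verifyRequest(publicKey, seen, modified, header),
    first: verifyRequest(publicKey, seen, req, header),
    replay: verifyRequest(publicKey, seen, req, header),
  };
}
```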

Works Everywhere

Same SDK on all your platforms: web browser, mobile app, React Native, Flutter. Same server-side verification regardless of where the request originated. The identity is federated—a customer enrolled via your mobile app can authenticate in your web app or AI chat interface immediately. No separate setup required.

Passkeys are stored in device TEE and synced via iCloud Keychain (iOS) or Google Password Manager (Android). If a user deletes your app or switches devices, their credential persists. Recovery is trivial—no password resets, no support tickets.

Cross-Origin, Cross-Platform

Because TrulyYou uses FIDO2 passkeys with proper domain association, the same credential works across any domain or subdomain you control. A user enrolled at checkout.yoursite.com can authenticate at api.yoursite.com or app.yoursite.com without re-enrolling.