AiTM phishing bypasses MFA in 2 minutes — RSA 2026
What you can do
Post-authentication session security

Your auth stops at login. We protect everything after.

Add one script tag. Device keys are auto-generated, every request is signed, and a stolen cookie without the device key is useless.

One script tag. Zero dependencies. Free forever.

Attack Simulation

What happens when your session cookie is stolen?

AiTM phishing captures session cookies after MFA. See the difference.

Without TokenForge

  1. User logs in with MFA
  2. Attacker runs AiTM proxy
  3. Session cookie captured
  4. Cookie used from attacker’s machine
  5. Valid session — system can’t tell
  6. BREACHED — MFA irrelevant
BREACHED

With TokenForge

  1. User logs in with MFA
  2. Attacker runs AiTM proxy
  3. Session cookie captured
  4. Cookie used from attacker’s machine
  5. No device signature — check fails
  6. 🛡 Score: 0/100 — REVOKED
PROTECTED
The Threat

Your Sessions Are Vulnerable

Authentication gets you in the door. But once inside, your session token is the only thing between an attacker and your data.

AiTM Phishing

Adversary-in-the-middle attacks steal session cookies in real time, bypassing MFA completely.

XSS Token Theft

Cross-site scripting extracts tokens from localStorage and cookies. One XSS and every session is compromised.

Session Hijacking

Stolen cookies work from any device, any location. There is no way to tell a legitimate user from an attacker.

How It Works

Three Steps to Protection

One script tag on the client. One middleware on the server. Full visibility in the dashboard.

Step 1

Add Script Tag

One line in your HTML. The script auto-generates device keys, binds the session, and signs all fetch() requests.

Step 2

Add Server Middleware

One line of middleware verifies every request via the TokenForge API. Express, Next.js, Hono, or Fastify.

Step 3

Monitor

Dashboard shows trust scores, security events, and anomalies in real time. Get alerts on suspicious sessions.

Trust Engine

7-Signal Trust Score

Every request is scored on 7 weighted signals. Configurable thresholds let you allow, challenge, or block.

Signature valid: 40 pts
IP consistency: 15 pts
Geo consistency: 15 pts
Device fingerprint: 10 pts
Request velocity: 10 pts
Time pattern: 5 pts
Nonce freshness: 5 pts

Configurable Thresholds

Allow (80-100): Request proceeds normally

Step-Up (40-79): Challenge with OTP, TOTP, or passkey

Block (0-39): Reject and invalidate session

Try It: Interactive Trust Score

Signature Valid: 40 pts
IP Consistent: 15 pts
Geo Consistent: 15 pts
Browser Match: 10 pts
Velocity Normal: 10 pts
Time of Day: 5 pts
Nonce Fresh: 5 pts
Score: 100/100 ALLOW

Toggle "Signature Valid" off to see what happens when a stolen cookie is used from another machine.

Integration

Two Lines. That's It.

Drop-in client SDK with automatic request signing. Framework-agnostic server middleware.

Client (app.ts)
<!-- Add to your HTML <head> — that's it -->
<script
  src="https://tokenforge-api.opensyber.cloud/sdk.js"
  data-api-key="tf_your_api_key"
></script>

<!-- Auto-binds device, auto-signs all fetch() calls -->
Server (server.ts)
import { tokenForgeMiddleware } from '@opensyber/tokenforge/express';

app.use(tokenForgeMiddleware({
  apiKey: process.env.TOKENFORGE_API_KEY!,
}));

// req.tf.bound, req.tf.trustScore, req.tf.deviceId
Platform Support

Every Platform. One API Key.

Web, mobile, AI agents, microservices — all protected by the same trust scoring engine.

Web

  • Script Tag
  • Express
  • Next.js
  • Hono
  • Fastify

Mobile

  • Swift (iOS)
  • Kotlin (Android)
  • React Native

AI Agents

  • Python
  • Go
  • MCP Server

Zero Code

  • DNS Proxy
Comparison

Why TokenForge?

The only cross-browser, framework-agnostic solution with cryptographic device binding and trust scoring.

Features compared across TokenForge, Google DBSC, Session Cookies and Device Fingerprinting:

  • Cross-browser (N/A for one column)
  • Framework agnostic
  • Cryptographic proof
  • Trust scoring
  • Step-up auth
  • Zero dependencies (N/A for two columns)
Pricing

Simple, Transparent Pricing

Start free. Scale as your app grows. No hidden fees.

Free

For developers who need to know if their sessions are being hijacked

$0
Start Free
  • 10K verifications/mo
  • 1,000 active sessions
  • Community support
  • Basic trust scoring
  • Single project
Most Popular

Pro

For production apps where one stolen session means one breached user

$49/mo
Subscribe to Pro
  • 50K verifications/mo
  • 5K active sessions
  • Email support
  • Step-up authentication
  • Custom thresholds
  • Webhook alerts
  • 5 projects

Team

For teams where one compromised session could compromise the whole org

$199/mo
Subscribe to Team
  • 250K verifications/mo
  • 25K active sessions
  • Priority support
  • SSO integration
  • Team management
  • Audit logs
  • 20 projects

Enterprise

For organizations with compliance needs

Custom
Contact Sales
  • Unlimited verifications
  • Unlimited sessions
  • Dedicated support + SLA
  • Data residency
  • Custom integrations
  • SOC2 compliance reports
  • Unlimited projects

All plans include cryptographic device binding, trust scoring, and graceful degradation.

Ecosystem

Part of the OpenSyber security ecosystem.

Two layers of protection for modern development teams.

OpenSyber
opensyber.cloud

Runtime security for AI agents. Monitors what Claude Code, Cursor, and Windsurf actually do.

Protects: AI agent actions
Visit OpenSyber →
You are here
TokenForge
tokenforge.opensyber.cloud

Device-bound session security. Makes stolen tokens worthless via ECDSA P-256.

Protects: Developer sessions

Together: from the moment your developer logs in to the last request their AI agent makes.

FAQ

Frequently Asked Questions