Liquid Auth Cloud  ·  Running on the edge  ·  300+ locations  ·  Zero idle cost  ·  No private keys, ever
Liquid Auth Cloud · Live

Identifiable. Verifiable. Passwordless. Peer‑to‑peer. On the cloud edge.

P2P Connect any device to any device with a passkey — then talk directly, e2e encrypted, on Web, Mobile and Desktop.

Liquid Auth Cloud opens a direct, e2e encrypted WebRTC channel between two devices using a FIDO2 passkey bound to your decentralized identity (DID). Your identity is the account — no passwords, no central relay holding your data, zero cost when idle.

01 What is Liquid Auth Cloud

P2P connect securely and e2e encrypted on WebRTC — using identity and FIDO2/WebAuthn authentication.

Liquid Auth Cloud is a cloud‑native fork of the Algorand Foundation's Liquid Auth — the same guarantees, rebuilt from the ground up for the edge.

PasswordsNone
Central relay holding dataNone
Private keys on serverNever
Idle cost$0.00
Edge locations300+
TransportFIDO2 + WebRTC
Peer identityDIDs
Built onWebRTC · WebAuthn · WebSockets
How it works
Session

The service issues a one‑time request id — shown as a QR code and deep link.

Passkey, twice‑signed

Your wallet authenticates with FIDO2/WebAuthn and co‑signs the same challenge with your identity key — both verified together, binding the passkey to you.

Signaling

Both peers join the session's private room over WebSockets and exchange offer, answer and ICE.

Direct channel

An e2e encrypted DataChannel opens device‑to‑device — the relay steps out and never sees your messages or keys.

All on the cloud edge — 300+ locations · no servers to manage · nothing to pay when idle.

Forked from Algorand Foundation's Liquid Auth

Same cryptography, same authentication flows — re‑imagined as a cloud‑native, identity‑first implementation. What changed:

SignalingSocket.IO — a frameworkPlain WebSockets — a protocol, not a framework. Nothing to run but the platform itself.
StateMongoDB + RedisCloud‑native KV + SQL connectors — nothing to host or operate.
RuntimeNestJS on NodeA reusable native‑Workers pattern, built for cloud‑native edges.
Runs onServersWeb browsers, native mobile, desktop, servers and cloud — as the live demo below shows.

Converging, not diverging — the Algorand Foundation dev team has agreed to add a WebSockets fallback to the Liquid Auth client and server. Once it lands, upstream Liquid Auth and Liquid Auth Cloud clients and servers interconnect directly.

02 The ingredients

Eight parts. One private dial tone.

Every piece runs at the edge and does exactly one job. Here's each one, in plain English.

/ 01

The Worker

The edge entry point. Handles every request at the nearest location — routing, CORS, session cookies, WebSocket upgrades.

Completely stateless. All state lives in KV or Durable Objects.
/ 02

FIDO2 identity binding

Passwordless login with passkeys — Touch ID, Face ID, security keys — bound to your identity.

Verifies the passkey attestation and your wallet's identity signature over the same challenge, together. Proves ownership, touches no private key.
/ 03

KV storage

Globally-replicated, read-optimized storage for user records and credential→wallet lookups.

No database to run. No migrations.
/ 04

SessionStore

Keeps sessions in private, HMAC-signed storage with no dashboard, API, or CLI access.

Tampered sessions are rejected on sight. Even a cloud admin can't read or forge them.
/ 05

WalletRoom

The signaling relay — one private room per wallet. Relays the WebRTC handshake and broadcasts auth events.

Hibernates to zero cost when idle. Never sees your data once the peer channel is open.
/ 06

WebRTC peer channel

After the handshake, devices talk directly — end-to-end encrypted.

The relay is fully out of the path.
/ 07

No private keys, ever

All signing happens on your device. The Cloud only verifies signatures.

A hard principle, not a setting.
/ 08

Push notifications & fallback

Firebase Cloud Messaging wakes a backgrounded wallet and delivers messages, approvals and signing requests even when the app is closed.

Doubles as a fallback transport: when the WebRTC link is down, the relay pushes the payload over FCM so nothing is lost — the wallet reconnects and replies over the direct channel.
03 Why the edge

Infrastructure that disappears when you're not using it.

Zero idle cost

The Worker runs only on request; Durable Objects hibernate. Zero traffic, zero dollars.

Global by default

Verification happens at the nearest of 300+ edge locations — close to every user.

No infrastructure

No containers, no database, no Redis, no failover. Deploy is one command.

Private by design

Sessions are HMAC-signed in opaque storage. Private keys never leave the device.

Built for WebRTC

Signaling is ephemeral and maps perfectly to hibernating Durable Objects.

04 The SDK

Drop Liquid Auth Cloud into your app.

The open-source client SDK connects any web, mobile or desktop app to a Liquid Auth service: request a session, prove it with a passkey, and open a direct, end-to-end-encrypted WebRTC channel — in a few lines of JavaScript. TypeScript-first, no framework lock-in.

# install
npm i @goplausible/liquid-client

// connect and open a direct peer channel
import { SignalClient } from "@goplausible/liquid-client/signal";
const client = new SignalClient(origin);
await client.connect(requestId);
View on npm → Source on GitHub →
07 Live demo

Try a real channel, right now.

This is the working Liquid Auth Cloud flow. Start a connection, scan with a Liquid Auth wallet, and a direct encrypted channel opens — multi-session, with its own chat tab each time.

Connect a Wallet

Liquid Auth uses FIDO2 passkeys to bind client wallets to devices, then establishes WebRTC data channels for encrypted peer-to-peer communication — no passwords, no central relay.

How it works:

  1. Click Start Connection below to generate a session
  2. Scan the QR code with your phone, or open the wallet link in a new tab
  3. Authenticate with your passkey (Touch ID, Face ID, or security key)
  4. A peer-to-peer encrypted channel opens instantly
Liquid Auth APK

Sessions

Built on Liquid Auth Cloud

Regent — an agentic wallet, powered by this connection.

Regent is a mobile wallet that lets your AI agent talk to your wallet without ever holding your keys. It runs on Liquid Auth Cloud: the same passwordless, end-to-end-encrypted peer-to-peer channel — WebRTC for the link, passkeys for identity, WebSockets for signaling, and push notifications for reach — connects the agent to the wallet, so every signature stays on your device and behind your biometric.

Explore Regent wallet →