Closed Alpha
FluxPlay is currently in Closed Alpha. This documentation is a work in progress and may be incomplete or out of date. Features, UI, and APIs are subject to change without notice. For access inquiries, please contact [email protected].
SECURITY & INFRASTRUCTURE
FluxPlay keeps your server secure with enterprise-grade authentication, session management, and attack surface reduction.
Authentication Stack
MFA (Multi-Factor)
TOTP Standard
Time-based One-Time Passwords compatible with Google Authenticator, Authy, and 1Password.
WebAuthn / Passkeys
Hardware-backed security keys (YubiKey) and Touch ID/Face ID integration for passwordless login.
Session Protection
Refresh Token Rotation (RTR)
Tokens are single-use. If a token is stolen and reused, the system detects the anomaly and revokes the entire session family.
Device Fingerprinting
Sessions are bound to client signatures (User-Agent, IP Subnet). Mismatches trigger automatic re-authentication.
Infrastructure Defense
Anti-Enumeration
Generic error messages ("Invalid credentials") prevent attackers from guessing valid usernames. Timing attacks are mitigated by constant-time comparison functions.
Rate Limiting
Adaptive throttling on sensitive endpoints (`/auth/login`, `/password/reset`) blocks brute-force attempts. IP bans are automatically issued after 5 consecutive failures.
Family Revocation
Changing a password or enabling MFA triggers a "Family Revocation" event, instantly invalidating all active sessions across all devices.
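The reuse detection described under Refresh Token Rotation and the Family Revocation event above can be modelled as follows. This is an added example, not FluxPlay's code: the class, method names, in-memory store and user name are assumptions made for illustration.

```python
import hashlib
import secrets

class RefreshTokenStore:
    """In-memory model of single-use refresh tokens grouped into session families."""

    def __init__(self):
        self._tokens = {}      # sha256(token) -> record; raw tokens are never stored
        self._revoked = set()  # family ids that can no longer refresh

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"family": family, "user": user, "used": False}
        return token

    def login(self, user):
        # Each login (one per device) starts a new session family.
        return self._mint(user, secrets.token_hex(8))

    def refresh(self, token):
        """Exchange a token for its successor; replaying a spent token revokes the family."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"]:
            # Thief and owner cannot be told apart, so every token in the family dies.
            self._revoked.add(rec["family"])
            return None
        rec["used"] = True
        return self._mint(rec["user"], rec["family"])

    def revoke_user(self, user):
        """Password change or MFA enrolment: revoke every family the user owns."""
        families = {r["family"] for r in self._tokens.values() if r["user"] == user}
        self._revoked |= families
        return len(families)

def demo():
    store = RefreshTokenStore()
    t1 = store.login("alice")            # constructed user name
    t2 = store.refresh(t1)               # normal rotation: t1 is now spent
    replay = store.refresh(t1)           # a copied t1 is presented again
    after = store.refresh(t2)            # the legitimate successor is dead too
    other = store.login("alice")         # session on a second device
    count = store.revoke_user("alice")   # e.g. password change
    return t2 is not None, replay, after, count, store.refresh(other)
```

An unknown token is rejected without revoking anything; only the replay of a token that was issued and already spent triggers the family-wide revocation.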