How does it authenticate the users?
Depending on whether it is offline or online, we have different flows:
Online – authentication is done via email/password against the Alloy API, which generates a session token as indicated previously. This endpoint is guarded by rate limiting and by account locking based on the number of attempts.
Offline – if the user has previously authenticated online, we compute a secure one-way hash of the user's credentials. On subsequent offline logins we prompt the user for email/password (same as online), which is then authenticated against our secure one-way hash to determine access.
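The offline flow described above can be sketched as follows. This is an added example, not the product's own code: the page does not name the hash algorithm, so scrypt, its cost parameters, the email normalisation, and the function and field names (`enroll_after_online_login`, `verify_offline`, the record layout) are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (the page does not name an algorithm).
PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def _derive(email: str, password: str, salt: bytes, params: dict) -> bytes:
    # Length-prefix the normalised email so (email, password) pairs
    # cannot collide by shifting characters between the two fields.
    # Lower-casing the email is an assumption of this example.
    ident = email.strip().lower().encode("utf-8")
    material = len(ident).to_bytes(2, "big") + ident + password.encode("utf-8")
    return hashlib.scrypt(material, salt=salt, **params)


def enroll_after_online_login(email: str, password: str) -> dict:
    """Build the verifier record to cache once the online login has succeeded."""
    salt = os.urandom(16)  # fresh random salt per enrolment
    digest = _derive(email, password, salt, PARAMS)
    # Only salt, parameters and digest are stored; never the password itself.
    return {"salt": salt.hex(), "params": dict(PARAMS), "hash": digest.hex()}


def verify_offline(record, email: str, password: str) -> bool:
    """Check offline credentials against the cached verifier."""
    if not record:
        # No prior online authentication on this device: deny.
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(email, password, salt, record["params"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample credentials.
    rec = enroll_after_online_login("tech@example.com", "correct horse battery")
    print(verify_offline(rec, "tech@example.com", "correct horse battery"))
    print(verify_offline(rec, "tech@example.com", "wrong password"))
    print(verify_offline(None, "tech@example.com", "correct horse battery"))
```

Storing the parameters alongside the digest lets the cost be raised at a later online login without invalidating verifiers already cached on devices.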