XWMS is a software company that offers secure login APIs and also builds custom web applications for businesses. Whether you need a secure authentication layer or a complete software system, XWMS delivers.

There are two main ways to use XWMS. The first is by creating a paid account to use the XWMS login API. The second is by contacting us directly through the contact page if you need a full application built.

Although I work with many people in a broader ecosystem, the XWMS project itself is maintained and built by one person.

The XWMS login API allows users to securely authenticate into your application through XWMS. It uses a custom hashing method that ensures only the XWMS system can decrypt the database — it’s like a private language only XWMS can understand.

No, you cannot directly manage users from the XWMS dashboard. You can request access to user data or become verified via XWMS to bypass consent. However, you can manage users inside your own app after they’ve logged in.

The API itself is not open source, but the official integration package is. You can find it here: https://github.com/X-WMS/xwms-docs

The API is written in PHP, but it is fully accessible from any language or environment that supports HTTP requests.

Currently, you cannot directly integrate mobile apps with XWMS. However, you can use web login as a workaround.

XWMS supports email and password, 2FA, OAuth, backup codes, second email, passkeys, and more.

Pricing is monthly and depends on the features included in your selected plan.

If you have a paid account, you get access to 24/7 live chat support. Free users can submit tickets via the contact page at https://xwms.nl/contact.

It depends on the project size. For an average project, we can deliver a full application in as little as two weeks. Larger, complex projects may take several months.

Yes documentation is currently available at https://docs.xwms.nl.

At the moment, there is no dedicated patch notes page, but that may be introduced in the future.

You can follow a step-by-step tutorial at https://docs.xwms.nl/client/developers. It explains how to register a client, request tokens, and authenticate users securely via OAuth.

Yes, the docs include integration guides for Laravel, JavaScript, and PHP. These examples help you implement OAuth login flows quickly in your own apps.

The Partner Dashboard is where you create and manage OAuth clients. It allows you to configure scopes, domains, and secrets securely.

Yes, 2FA (two-factor authentication) is required to access certain partner and developer tools. You can set it up in your account settings.

Yes, during client setup you can specify allowed redirect domains to ensure only your application can initiate logins.

XWMS will flag suspicious logins and may prompt for additional verification. This protects users against account takeovers.

Yes, login history is available under each user’s account. Failed and successful attempts are timestamped for security auditing.

In the Partner Dashboard, you can rotate API client secrets anytime. Make sure to update your app to avoid connection errors.

Scopes include basic identity, email access, session control, and more. You can request multiple scopes based on your app’s needs.

Yes, the docs provide example endpoints and test data to simulate the full flow in a development environment.

We keep your personal information only as long as necessary to fulfill the purposes outlined in our Privacy Notice, or as required by law. When no longer needed, we delete or anonymize it, or securely store it if deletion is temporarily impossible.

We use reasonable technical and organizational security measures to protect your personal information, but no system can be 100% secure. Transmission of data is at your own risk, so access services in a secure environment.

Depending on your location (such as the EEA, UK, Canada, or certain US states), you may have rights to access, correct, delete, restrict, or object to the processing of your personal information. You can also withdraw consent and opt out of marketing communications.

You can withdraw your consent at any time by contacting us through the provided contact details or updating your preferences in your account settings. This will not affect processing done before withdrawal.

Yes, you can unsubscribe anytime by clicking the unsubscribe link in emails, replying “STOP” or “UNSUBSCRIBE” to SMS, disabling notifications in settings, or contacting us directly.

You can log in to your account to update your information or contact support to request account deletion. Deleted accounts become inactive and not visible, but some data may remain for legal or fraud prevention reasons.

Currently, we do not respond to DNT signals as there is no universal standard. If such a standard is adopted, we will update our Privacy Notice accordingly.

Yes. Residents of certain states have rights such as accessing, correcting, deleting their data, and opting out of sale or targeted advertising. These rights vary by state and may have limitations.

We collect identifiers (name, email), personal info, demographic data, commercial information, biometric info, browsing data, geolocation, audio/video data, professional info, and education info where applicable.

We may share personal information with service providers under contract. We have sold or shared certain categories of personal info with advertising and affiliate marketing partners in the past 12 months.

Yes, but we require valid proof that the agent is authorized to act on your behalf before processing such requests.

We use personal information from your request to verify your identity. If needed, we may ask for additional information to ensure security and prevent fraud.

You can appeal our decision by contacting us via email. If the appeal is denied, you may file a complaint with your state attorney general.

We may offer financial incentives, such as loyalty programs or discounts, in exchange for certain data. We will explain the value and terms of any such offer before participation.

California residents can request once per year information about personal data disclosed to third parties for direct marketing. Requests must be submitted in writing using provided contact info.

Yes. For example, Australia, New Zealand, and South Africa have specific laws allowing you to access, correct your data, and file complaints with their data protection authorities.

We update the notice as needed to comply with laws. Updates are marked with a revised date and major changes will be communicated via notices or direct contact.

Yes, depending on your location’s laws, you may request access, correction, or deletion. Complete deletion of data is not possible, but you can delete your account, making it inaccessible and effectively erased.

Your account becomes inactive and no longer visible. Although the data is not technically deleted, it is treated as if it were, and cannot be accessed.

No, we do not collect biometric information, audio, electronic, sensory data, professional or employment-related info, education info, or draw inferences from personal data.