Show HN: Identity Layer for Agents and Autonomous AI
AuthSec is a unified Go service for the complete identity lifecycle, including authentication, MFA, OIDC federation, RBAC, SCIM, client management, external-service credentials, and SPIFFE/SPIRE workload identity, all from a single binary.
AuthSec is a unified Go service for the complete identity lifecycle: authentication, MFA, OIDC federation, RBAC, SCIM provisioning, client management, external-service credentials, and SPIFFE/SPIRE workload identity — all served from a single binary.
Table of Contents

- Architecture Overview
- Modules
- Quick Start
- Environment Variables
- API Route Map
  - Core Auth & User Flow (/authsec/uflow)
  - WebAuthn / Passkeys (/authsec/webauthn)
  - Client Management (/authsec/clientms)
  - Hydra Manager (/authsec/hmgr)
  - OIDC Config Manager (/authsec/oocmgr)
  - Auth Manager (/authsec/authmgr)
  - External Services (/authsec/exsvc)
  - SPIRE Headless (/authsec/spire)
  - Migration Management (/authsec/migration)
  - Well-Known Endpoints
  - Metrics
- Authentication & Middleware
- Database Configuration
- Internal Package Layout
- Background Workers
- Building & Running
- Contributing
Architecture Overview
```
┌────────────────────────────────────────────────────────────────┐
│ authsec (port 7468)                                            │
│                                                                │
│ /authsec/uflow/*      – Auth, RBAC, OIDC federation, SCIM      │
│ /authsec/webauthn/*   – Passkeys, TOTP, SMS MFA                │
│ /authsec/clientms/*   – Client lifecycle management            │
│ /authsec/hmgr/*       – Ory Hydra login/consent, SAML SSO      │
│ /authsec/oocmgr/*     – OIDC provider config & Hydra sync      │
│ /authsec/authmgr/*    – JWT verification, RBAC checks          │
│ /authsec/exsvc/*      – External service registry              │
│ /authsec/spire/*      – SPIFFE workload identity               │
│ /authsec/migration/*  – Database migration management          │
│                                                                │
│ /.well-known/*        – OIDC discovery (RFC 8414 root path)    │
│ /metrics              – Prometheus metrics                     │
└────────────────────────────────────────────────────────────────┘
         │
         ├── PostgreSQL (master DB — single database for all operations)
         ├── mt-plugin (optional gRPC — multi-tenant DB management)
         ├── HashiCorp Vault (optional — secrets, OIDC provider credentials)
         └── Redis (optional — permission cache, session cache)
```
All HTTP routes are served from a single gin.Engine. Each module's routes live under its own sub-prefix so paths are globally unique.
authsec is a single-tenant service by default. All operations use the master PostgreSQL database. Multi-tenant support requires running the mt-plugin gRPC microservice and setting MT_PLUGIN_GRPC_ADDR.
Modules
| Module | Sub-prefix | Description |
|---|---|---|
| Core Auth & User Flow | `/authsec/uflow` | Admin/enduser login, RBAC, OIDC federation, SCIM, TOTP, CIBA, voice auth |
| WebAuthn / Passkeys | `/authsec/webauthn` | WebAuthn/FIDO2 passkeys, TOTP setup, SMS MFA |
| Client Management | `/authsec/clientms` | Hydra client lifecycle management |
| Hydra Manager | `/authsec/hmgr` | Ory Hydra login/consent, SAML SSO, token exchange |
| OIDC Config Manager | `/authsec/oocmgr` | OIDC provider config, Hydra client sync, SAML providers |
| Auth Manager | `/authsec/authmgr` | JWT verify/issue, RBAC permission checks, group management |
| External Services | `/authsec/exsvc` | External service registry with Vault-backed credentials |
| SPIRE Headless | `/authsec/spire` | SPIFFE/SPIRE workload identity, OIDC token exchange, cloud federation (AWS/Azure/GCP), RBAC/ABAC policy engine |
| Migration Management | `/authsec/migration` | Database migration management (master DB + per-tenant DB) |
Quick Start
Prerequisites
- Go 1.25+
- PostgreSQL 15+ (master DB)
- HashiCorp Vault (optional — recommended for OIDC secrets)
- Redis (optional — caching)
- mt-plugin (optional — required only for multi-tenant mode)
Run locally
```bash
# Copy and edit environment variables
cp .env.example .env

# Build
go build -o authsec ./cmd/

# Run
./authsec
```

Or with `go run`:

```bash
go run ./cmd/
```
The server starts on port 7468 by default.
Environment Variables
Required
| Variable | Description | Example |
|---|---|---|
| `DB_NAME` | PostgreSQL database name | `authsec_db` |
| `DB_USER` | Database username | `authsec` |
| `DB_PASSWORD` | Database password | `changeme` |
| `DB_HOST` | Database host | `localhost` |
| `DB_PORT` | Database port | `5432` |
| `WEBAUTHN_RP_NAME` | WebAuthn relying party display name | `AuthSec` |
| `WEBAUTHN_RP_ID` | WebAuthn relying party ID (must match origin's hostname) | `app.authsec.dev` |
| `WEBAUTHN_ORIGIN` | Allowed WebAuthn origin | `https://app.authsec.dev` |
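The `WEBAUTHN_RP_ID` / `WEBAUTHN_ORIGIN` pair is the easiest of these values to get wrong: an RP ID that is not the origin's hostname (or a parent domain of it) makes every passkey ceremony fail, while an over-broad RP ID lets unrelated sub-domains share credentials. The startup check below is an added example written for this README, not code from the AuthSec project. `ValidateRPConfig` is a hypothetical name, and its "contains a dot" test is a stand-in for a real Public Suffix List lookup.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateRPConfig checks a WEBAUTHN_RP_ID / WEBAUTHN_ORIGIN pair before the
// service starts. Hypothetical helper, not part of AuthSec.
//
// Rules applied (a simplification of the WebAuthn RP ID rules):
//   - the origin must be https, or http only for localhost;
//   - the origin is scheme://host[:port] with no path;
//   - the RP ID equals the origin's hostname or is a dot-separated suffix of
//     it (RP ID "authsec.dev" is valid for "https://app.authsec.dev");
//   - a bare label such as "dev" is rejected; a real deployment should consult
//     the Public Suffix List, which this example does not do.
func ValidateRPConfig(rpID, origin string) error {
	u, err := url.Parse(origin)
	if err != nil {
		return fmt.Errorf("WEBAUTHN_ORIGIN is not a URL: %w", err)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("WEBAUTHN_ORIGIN has no host")
	}
	if u.Scheme != "https" && !(u.Scheme == "http" && host == "localhost") {
		return fmt.Errorf("WEBAUTHN_ORIGIN must use https (got %q)", u.Scheme)
	}
	if u.Path != "" && u.Path != "/" {
		return errors.New("WEBAUTHN_ORIGIN must not contain a path")
	}
	rp := strings.ToLower(strings.TrimSpace(rpID))
	if rp == "" {
		return errors.New("WEBAUTHN_RP_ID is empty")
	}
	if rp != host && !strings.HasSuffix(host, "."+rp) {
		return fmt.Errorf("WEBAUTHN_RP_ID %q is neither the hostname of %q nor a suffix of it", rp, origin)
	}
	if !strings.Contains(rp, ".") && rp != "localhost" {
		return fmt.Errorf("WEBAUTHN_RP_ID %q is a bare top-level label; credentials would be scoped to every *.%s origin", rp, rp)
	}
	return nil
}

func main() {
	// Constructed sample pairs; only the first two are valid configurations.
	for _, pair := range [][2]string{
		{"app.authsec.dev", "https://app.authsec.dev"},
		{"authsec.dev", "https://app.authsec.dev"},
		{"dev", "https://app.authsec.dev"},
		{"app.authsec.dev", "http://app.authsec.dev"},
	} {
		fmt.Printf("rpID=%-16s origin=%-26s -> %v\n", pair[0], pair[1], ValidateRPConfig(pair[0], pair[1]))
	}
}
```

Running the check once at boot turns a confusing browser-side `SecurityError` into a clear startup failure with the offending variable named.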
Optional – Core Service
| Variable | Default | Description |
|---|---|---|
| `PORT` | `7468` | HTTP listen port |
| `GIN_MODE` | `debug` | Gin run mode (debug / release / test) |
| `ENVIRONMENT` | `development` | Runtime label used by tenant domain checks (development / production) |
| `DB_SCHEMA` | `public` | PostgreSQL schema |
| `JWT_SECRET` | `""` | Primary JWT signing secret (ext-service routes, SPIFFE delegate) |
| `JWT_DEF_SECRET` | — | Default JWT signing secret (admin / platform tokens) |
| `JWT_SDK_SECRET` | — | SDK JWT signing secret |
| `BASE_URL` | `https://app.authsec.dev` | Base URL for OIDC callbacks and email links |
| `TENANT_DOMAIN_SUFFIX` | — | Suffix for auto-generated tenant sub-domains |
| `REDIS_URL` | `""` | Redis connection URL (e.g. `redis://localhost:6379`) |
| `ICP_SERVICE_URL` | `http://localhost:7001` | ICP/PKI provisioning service |
| `REQUIRE_SERVER_AUTH` | `true` | Enforce inter-service auth check (`false` to disable in dev) |
| `SKIP_MIGRATIONS` | `false` | Set to `true` to skip master DB migrations at startup |
| `MT_PLUGIN_GRPC_ADDR` | `""` | mt-plugin gRPC address (e.g. `localhost:7469`); leave empty for single-tenant mode |
Optional – CORS
| Variable | Default | Description |
|---|---|---|
| `CORS_ALLOWED_ORIGINS` | (auto-detect from `WEBAUTHN_ORIGIN`) | Comma-separated allowed origins |
| `CORS_ALLOWED_METHODS` | `GET,POST,PUT,PATCH,DELETE,OPTIONS` | Allowed HTTP methods |
| `CORS_ALLOWED_HEADERS` | `Origin,Content-Type,Authorization,…` | Allowed request headers |
Optional – Encryption Keys
| Variable | Description |
|---|---|
| `TOTP_ENCRYPTION_KEY` | 64-hex-char AES-256 key for encrypting TOTP secrets at rest (required in production) |
| `SYNC_CONFIG_ENCRYPTION_KEY` | 64-hex-char AES-256 key for encrypting AD/Entra sync configurations at rest |
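A "64-hex-char AES-256 key" is 32 random bytes rendered as hex. The Go example below is added here and is not AuthSec's own code: it shows how to generate a key in that format, how to refuse a malformed one at startup rather than on first use, and one sound way to apply such a key to a TOTP secret at rest. The choice of AES-256-GCM with the record owner bound in as associated data is this example's assumption, not a description of how AuthSec uses the variable; `NewHexKey`, `LoadAESKey`, `Seal` and `Open` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Hypothetical helpers (not AuthSec's code) showing what a "64-hex-char
// AES-256 key" is and one sound way to use it for secrets at rest.

// NewHexKey returns a fresh 32-byte key in the 64-hex-char format that
// TOTP_ENCRYPTION_KEY / SYNC_CONFIG_ENCRYPTION_KEY expect.
func NewHexKey() (string, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	return hex.EncodeToString(raw), nil
}

// LoadAESKey parses the env value and refuses anything that is not exactly
// 32 bytes of hex, so a short or mistyped key fails at startup.
func LoadAESKey(hexKey string) ([]byte, error) {
	if len(hexKey) != 64 {
		return nil, fmt.Errorf("key must be 64 hex characters (32 bytes), got %d", len(hexKey))
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("key is not valid hex: %w", err)
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; binding the record owner (e.g. a user
// ID) into it means a blob copied into another user's row fails to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or aad is an error.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	hexKey, _ := NewHexKey()
	key, _ := LoadAESKey(hexKey)
	secret := []byte("JBSWY3DPEHPK3PXP") // constructed sample TOTP seed
	blob, _ := Seal(key, secret, []byte("user:42"))
	back, err := Open(key, blob, []byte("user:42"))
	fmt.Printf("roundtrip=%q err=%v\n", back, err)
	_, err = Open(key, blob, []byte("user:43"))
	fmt.Println("wrong owner ->", err)
}
```

Generate the value with `NewHexKey` (or `openssl rand -hex 32`) and store it in a secrets manager; the length check is what catches a key that was copied with a trailing newline or one character short.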
Optional – Twilio (SMS MFA / Voice)
| Variable | Description |
|---|---|
| `TWILIO_ACCOUNT_SID` | Twilio account SID (e.g. `ACxxxxxxxx`) |
| `TWILIO_AUTH_TOKEN` | Twilio auth token |
| `TWILIO_FROM_NUMBER` | Sender phone number for SMS OTPs (e.g. `+10000000000`) |
Optional – External Integrations
| Variable | Description |
|---|---|
| `VAULT_ADDR` | HashiCorp Vault address (default: `http://localhost:8200`) |
| `VAULT_TOKEN` | Vault root/service token |
| `HYDRA_ADMIN_URL` | Ory Hydra admin API (default: `http://localhost:4445`) |
| `HYDRA_PUBLIC_URL` | Ory Hydra public API (default: `http://localhost:4444`) |
| `REACT_APP_URL` | Frontend app URL for redirects |
| `IDENTITY_PROVIDER_URL` | Identity provider base URL |
| `SMTP_HOST` / `SMTP_PORT` / `SMTP_USER` / `SMTP_PASSWORD` | SMTP for email notifications |
| `GOOGLE_CLIENT_SECRET` | Google OIDC client secret (fallback if Vault unavailable) |
| `GITHUB_CLIENT_SECRET` | GitHub OIDC client secret |
| `MICROSOFT_CLIENT_SECRET` | Microsoft OIDC client secret |
| `HUBSPOT_ACCESS_TOKEN` | HubSpot CRM integration token |
Optional – OIDC Token Validation
| Variable | Description |
|---|---|
| `AUTH_EXPECT_ISS` | Expected `iss` claim when validating incoming OIDC tokens (empty = skip) |
| `AUTH_EXPECT_AUD` | Expected `aud` claim when validating incoming OIDC tokens (empty = skip) |
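`AUTH_EXPECT_ISS` and `AUTH_EXPECT_AUD` encode two of the checks that matter most when accepting tokens minted elsewhere, and the "empty = skip" rule means a blank value silently widens what the service accepts. The example below is added for illustration and is not AuthSec's verifier: it uses a stdlib-only HS256 check so that the iss/aud logic, algorithm pinning and the string-or-array form of `aud` can be seen in one place, whereas a deployment accepting IdP-issued tokens would verify against the issuer's JWKS (not shown on this page). `Verify`, `Expectations` and `SignHS256` are hypothetical names; `SignHS256` exists only to construct sample tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Expectations mirrors AUTH_EXPECT_ISS / AUTH_EXPECT_AUD: an empty value skips
// that check. Hypothetical type, not AuthSec's own.
type Expectations struct {
	Issuer, Audience string
}

// Claims holds the registered claims this example looks at. aud is kept raw
// because RFC 7519 allows it to be a single string or an array of strings.
type Claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Sub string          `json:"sub"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT; it exists only to construct sample tokens.
func SignHS256(claims map[string]any, secret []byte) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64(header) + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// audiences normalises aud to a list whether the token used a string or an array.
func audiences(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	err := json.Unmarshal(raw, &many)
	return many, err
}

// Verify checks the signature, pins the algorithm, enforces exp, then applies
// the iss/aud expectations with the "empty = skip" semantics of the env vars.
func Verify(token string, secret []byte, want Expectations, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm; never let the token choose (alg=none, key confusion).
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported or missing alg %q", header.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature verification failed")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	if want.Issuer != "" && c.Iss != want.Issuer {
		return nil, fmt.Errorf("iss %q does not match expected %q", c.Iss, want.Issuer)
	}
	if want.Audience == "" {
		return &c, nil // AUTH_EXPECT_AUD empty: audience not checked
	}
	auds, err := audiences(c.Aud)
	if err != nil {
		return nil, err
	}
	for _, a := range auds {
		if a == want.Audience {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("aud %v does not contain expected %q", auds, want.Audience)
}
```

Leaving `AUTH_EXPECT_AUD` empty is the case to watch: a token issued for a different relying party at the same issuer then passes `Verify`, which is exactly the cross-service token reuse the claim exists to prevent.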
Optional – SPIFFE / SVID OIDC
Required only when SPIFFE workload identity / delegate endpoints are used.
| Variable | Description |
|---|---|
| `SPIFFE_OIDC_ISSUER` | Issuer URL embedded in SPIFFE OIDC tokens |
| `SPIFFE_JWKS_KEY_ID` | Key ID used in the JWKS endpoint |
| `SPIFFE_RSA_PRIVATE_KEY_B64` | Base64-encoded PEM RSA private key for signing SPIFFE JWTs |
| `SPIFFE_TRUST_DOMAIN` | SPIFFE trust domain (e.g. `spiffe://example.org`) |
Optional – Okta CIBA
Required only when Okta is used as a CIBA provider.
| Variable | Description |
|---|---|
| `OKTA_DOMAIN` | Okta domain (e.g. `dev-12345678.okta.com`) |
| `OKTA_CLIENT_ID` | Okta application client ID |
| `OKTA_CLIENT_SECRET` | Okta application client secret |
| `OKTA_ISSUER` | Okta issuer URL |
| `OKTA_API_TOKEN` | Okta API token for admin operations |
API Route Map
All application routes are under the /authsec prefix (except OIDC discovery and /metrics).
Core Auth & User Flow (/authsec/uflow)
Health
| Method | Path | Description |
|---|---|---|
| GET | `/authsec/uflow/health` | Comprehensive health check |
| GET | `/authsec/uflow/health/tenant/:tenant_id` | Single tenant DB health |
| GET | `/authsec/uflow/health/tenants` | All tenant DBs health |
Admin Authentication (/authsec/uflow/auth/admin)
| Method | Path | Description |
|---|---|---|
| GET | `/authsec/uflow/auth/admin/challenge` | Get auth challenge |
| POST | `/authsec/uflow/auth/admin/login/precheck` | Pre-login check |
| POST | `/authsec/uflow/auth/admin/login/bootstrap` | Bootstrap first admin |
| POST | `/authsec/uflow/auth/admin/login` | Admin login |
| POST | `/authsec/uflow/auth/admin/login-hybrid` | Hybrid login |
| POST | `/authsec/uflow/auth/admin/register` | Register admin |
| POST | `/authsec/uflow/auth/admin/complete-registration` | Complete registration |
| POST | `/authsec/uflow/auth/admin/forgot-password` | Initiate password reset |
| POST | `/authsec/uflow/auth/admin/forgot-password/verify-otp` | Verify OTP |
| POST | `/authsec/uflow/auth/admin/forgot-password/reset` | Reset password |
End-User Authentication (/authsec/uflow/auth/enduser)
| Method | Path | Description |
|---|---|---|
| GET | `/authsec/uflow/auth/enduser/challenge` | Get challenge |
| POST | `/authsec/uflow/auth/enduser/initiate-registration` | Start registration |
| POST | `/authsec/uflow/auth/enduser/verify-otp` | Verify OTP + complete registration |
| POST | `/authsec/uflow/auth/enduser/login/precheck` | Pre-login check |
| POST | `/authsec/uflow/auth/enduser/webauthn-callback` | WebAuthn assertion callback |
| POST | `/authsec/uflow/auth/enduser/delegate-svid` | Delegate SPIFFE SVID |
Device Authorization Grant – RFC 8628 (/authsec/uflow/auth/device)
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | `/authsec/uflow/auth/device/code` | Public | Device requests code |
| POST | `/authsec/uflow/auth/device/token` | Public | Device polls for token |
| GET | `/authsec/uflow/auth/device/activate/info` | Public | Get device info for UI |
| POST | `/authsec/uflow/auth/device/verify` | JWT | User authorises device |
| GET | `/authsec/uflow/activate` | Public | Activation UI page |
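The endpoints above are the RFC 8628 roles: the device asks for a code pair (`/device/code`), polls for a token (`/device/token`), and a signed-in user approves the user code (`/device/verify`, the only JWT-protected step). The state machine below is an added example of that exchange, not AuthSec's implementation. `DeviceFlow`, `RequestCode`, `Verify` and `Poll` are hypothetical names, the in-memory maps stand in for whatever storage the service uses, and it returns a placeholder string where a real server would mint a JWT. It concentrates on the checks a defender cares about: the device code is bound to the client that requested it, polling faster than the interval is refused with `slow_down`, the user code is single-use, and every terminal outcome (expired, denied, redeemed) discards the code so it cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

var ( // token-endpoint error codes from RFC 8628 §3.5
	ErrAuthorizationPending = errors.New("authorization_pending")
	ErrSlowDown             = errors.New("slow_down")
	ErrExpiredToken         = errors.New("expired_token")
	ErrAccessDenied         = errors.New("access_denied")
	ErrInvalidGrant         = errors.New("invalid_grant")
)

const PollInterval, CodeLifetime = 5 * time.Second, 10 * time.Minute // §3.2 "interval" / "expires_in"

type pending struct {
	clientID, subject, userKey string
	expiresAt, lastPoll        time.Time
	approved, denied           bool
}

// DeviceFlow is hypothetical single-goroutine server state, not AuthSec's code; a real server
// keeps it in a database or behind a lock so that concurrent polls serialise.
type DeviceFlow struct {
	byDevice map[string]*pending // device_code -> state
	byUser   map[string]*pending // normalized user_code -> state
}

func NewDeviceFlow() *DeviceFlow { return &DeviceFlow{map[string]*pending{}, map[string]*pending{}} }

// normalize accepts "ab2c-d3ef" or "AB2C D3EF" for the displayed code "AB2C-D3EF".
func normalize(code string) string { return strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure has no safe fallback
	}
	return b
}

// RequestCode (POST .../device/code) issues a 256-bit opaque device code and a short,
// human-typable base32 user code (no 0/1/8 lookalikes) that shares its lifetime.
func (d *DeviceFlow) RequestCode(clientID string, now time.Time) (deviceCode, userCode string) {
	deviceCode = base64.RawURLEncoding.EncodeToString(randomBytes(32))
	h := base32.StdEncoding.EncodeToString(randomBytes(5))
	userCode = h[:4] + "-" + h[4:]
	st := &pending{clientID: clientID, userKey: normalize(userCode), expiresAt: now.Add(CodeLifetime)}
	d.byDevice[deviceCode], d.byUser[st.userKey] = st, st
	return deviceCode, userCode
}

// Verify (POST .../device/verify, JWT-protected) records the signed-in user's decision;
// the user code is consumed here so it cannot be approved twice or re-bound later.
func (d *DeviceFlow) Verify(userCode, subject string, approve bool) error {
	st, ok := d.byUser[normalize(userCode)]
	if !ok {
		return ErrInvalidGrant
	}
	delete(d.byUser, st.userKey)
	if approve {
		st.approved, st.subject = true, subject
	} else {
		st.denied = true
	}
	return nil
}

// Poll (POST .../device/token) binds the code to the requesting client, enforces the poll
// interval and expiry, and drops the code once the outcome is final.
func (d *DeviceFlow) Poll(deviceCode, clientID string, now time.Time) (string, error) {
	st, ok := d.byDevice[deviceCode]
	if !ok || st.clientID != clientID {
		return "", ErrInvalidGrant
	}
	if !st.lastPoll.IsZero() && now.Sub(st.lastPoll) < PollInterval {
		return "", ErrSlowDown
	}
	st.lastPoll = now
	if now.After(st.expiresAt) || st.denied || st.approved {
		delete(d.byDevice, deviceCode)
		delete(d.byUser, st.userKey)
	}
	switch {
	case now.After(st.expiresAt):
		return "", ErrExpiredToken
	case st.denied:
		return "", ErrAccessDenied
	case !st.approved:
		return "", ErrAuthorizationPending
	}
	return st.subject + ":" + base64.RawURLEncoding.EncodeToString(randomBytes(16)), nil // stand-in for a minted JWT
}
```

To walk the happy path: call `RequestCode`, then `Poll` (returns `authorization_pending`), then `Verify` with the user code, then `Poll` again at least `PollInterval` later (returns the token), then `Poll` once more (returns `invalid_grant`, because the code was consumed). The `verify` step is where the service's JWT middleware matters: the subject recorded on approval comes from the authenticated user's token, never from the request body.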
Voice Authentication (/authsec/uflow/auth/voice)
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | `/authsec/uflow/auth/voice/initiate` | Public | Initiate voice auth |
| POST | `/authsec/uflow/auth/voice/verify` | Public | Verify voice OTP |
| POST | `/authsec/uflow/auth/voice/token` | Public | Get token with credentials |
| POST | `/authsec/uflow/auth/voice/link` | JWT | Link voice assistant |
| POST | `/authsec/uflow/auth/voice/unlink` | JWT | Unlink voice assistant |
| GET | `/authsec/uflow/auth/voice/links` | JWT | List linked assistants |
| GET | `/authsec/uflow/auth/voice/device-pending` | JWT | Get pending device codes |
| POST | `/authsec/uflow/auth/voice/device-approve` | JWT | Approve/deny device code |
TOTP – Platform (/authsec/uflow/auth/totp)
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | `/authsec/uflow/auth/totp/login` | Public | Login with TOTP |
| POST | `/authsec/uflow/auth/totp/device-approve` | Public | Approve device with TOTP |
| POST | `/authsec/uflow/auth/totp/register` | JWT | Register TOTP device |
| POST | `/authsec/uflow/auth/totp/confirm` | JWT | Confirm TOTP registration |
| POST | `/authsec/uflow/auth/totp/verify` | JWT | Verify TOTP code |
| GET | `/authsec/uflow/auth/totp/devices` | JWT | List registered devices |
| POST | `/authsec/uflow/auth/totp/device/delete` | JWT | Delete TOTP device |
| POST | `/authsec/uflow/auth/totp/device/primary` | JWT | Set primary device |
| POST | `/authsec/uflow/auth/totp/backup/regenerate` | JWT | Regenerate backup codes |
CIBA – Platform (/authsec/uflow/auth/
[truncated for AI cost control]