
Show HN: Identity Layer for Agents and Autonomous AI

AuthSec is a unified Go service for the complete identity lifecycle, including authentication, MFA, OIDC federation, RBAC, SCIM, client management, external-service credentials, and SPIFFE/SPIRE workload identity, all from a single binary.

Source: Hacker News AI. Author: azifali


Repository contents (top level): .github, cmd, config, controllers, database, handlers, internal, middlewares, migrations, models, monitoring, repository, routes, scripts, services, tests, utils, .env, .env.example, .golangci.yml, API_DOCS.md, CLAUDE.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, Dockerfile, Jenkinsfile, LICENSE, README.md, go.mod, go.sum


AuthSec is a unified Go service for the complete identity lifecycle: authentication, MFA, OIDC federation, RBAC, SCIM provisioning, client management, external-service credentials, and SPIFFE/SPIRE workload identity — all served from a single binary.

Table of Contents

Architecture Overview

Modules

Quick Start

Environment Variables

API Route Map

Core Auth & User Flow (/authsec/uflow)

WebAuthn / Passkeys (/authsec/webauthn)

Client Management (/authsec/clientms)

Hydra Manager (/authsec/hmgr)

OIDC Config Manager (/authsec/oocmgr)

Auth Manager (/authsec/authmgr)

External Services (/authsec/exsvc)

SPIRE Headless (/authsec/spire)

Migration Management (/authsec/migration)

Well-Known Endpoints

Metrics

Authentication & Middleware

Database Configuration

Internal Package Layout

Background Workers

Building & Running

Contributing

Architecture Overview

┌────────────────────────────────────────────────────────────────────┐
│ authsec (port 7468)                                                │
│                                                                    │
│ /authsec/uflow/*      – Auth, RBAC, OIDC federation, SCIM          │
│ /authsec/webauthn/*   – Passkeys, TOTP, SMS MFA                    │
│ /authsec/clientms/*   – Client lifecycle management                │
│ /authsec/hmgr/*       – Ory Hydra login/consent, SAML SSO          │
│ /authsec/oocmgr/*     – OIDC provider config & Hydra sync          │
│ /authsec/authmgr/*    – JWT verification, RBAC checks              │
│ /authsec/exsvc/*      – External service registry                  │
│ /authsec/spire/*      – SPIFFE workload identity                   │
│ /authsec/migration/*  – Database migration management              │
│                                                                    │
│ /.well-known/*        – OIDC discovery (RFC 8414 root path)        │
│ /metrics              – Prometheus metrics                         │
└────────────────────────────────────────────────────────────────────┘
        │
        ├── PostgreSQL (master DB — single database for all operations)
        ├── mt-plugin (optional gRPC — multi-tenant DB management)
        ├── HashiCorp Vault (optional — secrets, OIDC provider credentials)
        └── Redis (optional — permission cache, session cache)

All HTTP routes are served from a single gin.Engine. Each module's routes live under its own sub-prefix so paths are globally unique.

authsec is a single-tenant service by default. All operations use the master PostgreSQL database. Multi-tenant support requires running the mt-plugin gRPC microservice and setting MT_PLUGIN_GRPC_ADDR.

Modules

| Module | Sub-prefix | Description |
| --- | --- | --- |
| Core Auth & User Flow | /authsec/uflow | Admin/enduser login, RBAC, OIDC federation, SCIM, TOTP, CIBA, voice auth |
| WebAuthn / Passkeys | /authsec/webauthn | WebAuthn/FIDO2 passkeys, TOTP setup, SMS MFA |
| Client Management | /authsec/clientms | Hydra client lifecycle management |
| Hydra Manager | /authsec/hmgr | Ory Hydra login/consent, SAML SSO, token exchange |
| OIDC Config Manager | /authsec/oocmgr | OIDC provider config, Hydra client sync, SAML providers |
| Auth Manager | /authsec/authmgr | JWT verify/issue, RBAC permission checks, group management |
| External Services | /authsec/exsvc | External service registry with Vault-backed credentials |
| SPIRE Headless | /authsec/spire | SPIFFE/SPIRE workload identity, OIDC token exchange, cloud federation (AWS/Azure/GCP), RBAC/ABAC policy engine |
| Migration Management | /authsec/migration | Database migration management (master DB + per-tenant DB) |

Quick Start

Prerequisites

Go 1.25+

PostgreSQL 15+ (master DB)

HashiCorp Vault (optional — recommended for OIDC secrets)

Redis (optional — caching)

mt-plugin (optional — required only for multi-tenant mode)

Run locally

Copy and edit environment variables

cp .env.example .env

Build

go build -o authsec ./cmd/

Run

./authsec

Or with go run:

go run ./cmd/

The server starts on port 7468 by default.

Environment Variables

Required

| Variable | Description | Example |
| --- | --- | --- |
| DB_NAME | PostgreSQL database name | authsec_db |
| DB_USER | Database username | authsec |
| DB_PASSWORD | Database password | changeme |
| DB_HOST | Database host | localhost |
| DB_PORT | Database port | 5432 |
| WEBAUTHN_RP_NAME | WebAuthn relying party display name | AuthSec |
| WEBAUTHN_RP_ID | WebAuthn relying party ID (must match origin's hostname) | app.authsec.dev |
| WEBAUTHN_ORIGIN | Allowed WebAuthn origin | https://app.authsec.dev |

Optional – Core Service

| Variable | Default | Description |
| --- | --- | --- |
| PORT | 7468 | HTTP listen port |
| GIN_MODE | debug | Gin run mode (debug / release / test) |
| ENVIRONMENT | development | Runtime label used by tenant domain checks (development / production) |
| DB_SCHEMA | public | PostgreSQL schema |
| JWT_SECRET | "" | Primary JWT signing secret (ext-service routes, SPIFFE delegate) |
| JWT_DEF_SECRET | — | Default JWT signing secret (admin / platform tokens) |
| JWT_SDK_SECRET | — | SDK JWT signing secret |
| BASE_URL | https://app.authsec.dev | Base URL for OIDC callbacks and email links |
| TENANT_DOMAIN_SUFFIX | — | Suffix for auto-generated tenant sub-domains |
| REDIS_URL | "" | Redis connection URL (e.g. redis://localhost:6379) |
| ICP_SERVICE_URL | http://localhost:7001 | ICP/PKI provisioning service |
| REQUIRE_SERVER_AUTH | true | Enforce inter-service auth check (false to disable in dev) |
| SKIP_MIGRATIONS | false | Set to true to skip master DB migrations at startup |
| MT_PLUGIN_GRPC_ADDR | "" | mt-plugin gRPC address (e.g. localhost:7469); leave empty for single-tenant mode |
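The two tables above describe settings whose misconfiguration fails silently at runtime (a relying-party ID that does not match the origin hostname breaks every passkey ceremony; REQUIRE_SERVER_AUTH=false or an empty JWT secret weakens every token check). The following pre-flight validator is an added example, not code from the AuthSec project: it takes a parsed environment map and reports every violation of the constraints the README states, including the production-only requirement for TOTP_ENCRYPTION_KEY from the Encryption Keys table. The function names and the rule that GIN_MODE=release counts as production are assumptions of this example.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// requiredVars mirrors the "Required" table of the README.
var requiredVars = []string{
	"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "DB_PORT",
	"WEBAUTHN_RP_NAME", "WEBAUTHN_RP_ID", "WEBAUTHN_ORIGIN",
}

// ValidateConfig checks a parsed environment (for example the contents of
// .env) against the constraints the README states and returns every problem
// found, so an operator sees the full list instead of one failure per restart.
// Hypothetical pre-flight helper; not part of authsec itself.
func ValidateConfig(env map[string]string) []string {
	var problems []string

	for _, k := range requiredVars {
		if strings.TrimSpace(env[k]) == "" {
			problems = append(problems, "missing required variable "+k)
		}
	}

	// WEBAUTHN_RP_ID must equal the hostname part of WEBAUTHN_ORIGIN.
	if origin := env["WEBAUTHN_ORIGIN"]; origin != "" {
		u, err := url.Parse(origin)
		switch {
		case err != nil || u.Scheme == "" || u.Hostname() == "":
			problems = append(problems, "WEBAUTHN_ORIGIN is not an absolute URL: "+origin)
		case env["WEBAUTHN_RP_ID"] != "" && u.Hostname() != env["WEBAUTHN_RP_ID"]:
			problems = append(problems, fmt.Sprintf(
				"WEBAUTHN_RP_ID %q does not match WEBAUTHN_ORIGIN hostname %q",
				env["WEBAUTHN_RP_ID"], u.Hostname()))
		}
	}

	// Settings that are tolerable in development but not in production.
	// Treating GIN_MODE=release as production is this example's assumption.
	if env["ENVIRONMENT"] == "production" || env["GIN_MODE"] == "release" {
		if !isAES256Hex(env["TOTP_ENCRYPTION_KEY"]) {
			problems = append(problems, "TOTP_ENCRYPTION_KEY must be a 64-hex-char AES-256 key in production")
		}
		if strings.EqualFold(strings.TrimSpace(env["REQUIRE_SERVER_AUTH"]), "false") {
			problems = append(problems, "REQUIRE_SERVER_AUTH=false disables the inter-service auth check")
		}
		for _, k := range []string{"JWT_SECRET", "JWT_DEF_SECRET"} {
			if env[k] == "" {
				problems = append(problems, k+" must be set in production")
			}
		}
	}
	return problems
}

// isAES256Hex reports whether s is hex that decodes to exactly 32 bytes.
func isAES256Hex(s string) bool {
	b, err := hex.DecodeString(s)
	return err == nil && len(b) == 32
}

// SampleEnv returns a constructed environment built from the README's own
// example values; it is valid for development mode.
func SampleEnv() map[string]string {
	return map[string]string{
		"DB_NAME": "authsec_db", "DB_USER": "authsec", "DB_PASSWORD": "changeme",
		"DB_HOST": "localhost", "DB_PORT": "5432",
		"WEBAUTHN_RP_NAME": "AuthSec", "WEBAUTHN_RP_ID": "app.authsec.dev",
		"WEBAUTHN_ORIGIN": "https://app.authsec.dev",
		"ENVIRONMENT":     "development",
	}
}

func main() {
	env := SampleEnv()
	env["ENVIRONMENT"] = "production" // the dev sample is not production-ready
	for _, p := range ValidateConfig(env) {
		fmt.Println("config problem:", p)
	}
}
```

Run it against a real .env by loading the file into the map before calling ValidateConfig; a non-empty result should abort startup in production rather than just log.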

Optional – CORS

| Variable | Default | Description |
| --- | --- | --- |
| CORS_ALLOWED_ORIGINS | (auto-detect from WEBAUTHN_ORIGIN) | Comma-separated allowed origins |
| CORS_ALLOWED_METHODS | GET,POST,PUT,PATCH,DELETE,OPTIONS | Allowed HTTP methods |
| CORS_ALLOWED_HEADERS | Origin,Content-Type,Authorization,… | Allowed request headers |

Optional – Encryption Keys

| Variable | Description |
| --- | --- |
| TOTP_ENCRYPTION_KEY | 64-hex-char AES-256 key for encrypting TOTP secrets at rest (required in production) |
| SYNC_CONFIG_ENCRYPTION_KEY | 64-hex-char AES-256 key for encrypting AD/Entra sync configurations at rest |
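A 64-hex-char key is 32 raw bytes, which is what selects AES-256. The block below is an added example, not the project's own encryption code: it shows how such a key is generated and parsed, and how a TOTP seed is sealed at rest with AES-256-GCM so that any modification of the stored blob, or moving it to another record, is detected on decryption. The function names and the choice to bind the blob to a record ID via GCM associated data are assumptions of this example; the README does not describe AuthSec's internal format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewHexKey generates a fresh AES-256 key in the 64-hex-char form the README
// expects for TOTP_ENCRYPTION_KEY and SYNC_CONFIG_ENCRYPTION_KEY.
func NewHexKey() (string, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", err
	}
	return hex.EncodeToString(key), nil
}

// ParseHexKey decodes the env-var form and rejects anything that is not
// exactly 32 bytes; a 32-hex-char value would silently give AES-128.
func ParseHexKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("encryption key is not hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("encryption key is %d bytes, want 32", len(key))
	}
	return key, nil
}

// Seal encrypts a TOTP seed with AES-256-GCM. The stored blob is
// nonce || ciphertext || tag. recordID is authenticated but not encrypted
// (GCM associated data): it ties the blob to the row that owns it, so a blob
// copied into another user's row fails to decrypt.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It fails on a truncated blob, a flipped bit anywhere in
// the blob, or a recordID that differs from the one used at Seal time.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	hexKey, _ := NewHexKey() // what you would put in TOTP_ENCRYPTION_KEY
	key, _ := ParseHexKey(hexKey)
	blob, _ := Seal(key, "totp-device-1", []byte("JBSWY3DPEHPK3PXP")) // constructed seed
	seed, err := Open(key, "totp-device-1", blob)
	fmt.Printf("round trip: %s (err=%v)\n", seed, err)
	_, err = Open(key, "totp-device-2", blob)
	fmt.Println("wrong record id rejected:", err != nil)
}
```

Generate the key once with NewHexKey and store it in a secret manager (the README's Vault integration is the natural place); rotating it requires re-sealing every stored secret, so keep a key identifier alongside the blob if rotation is planned.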

Optional – Twilio (SMS MFA / Voice)

| Variable | Description |
| --- | --- |
| TWILIO_ACCOUNT_SID | Twilio account SID (e.g. ACxxxxxxxx) |
| TWILIO_AUTH_TOKEN | Twilio auth token |
| TWILIO_FROM_NUMBER | Sender phone number for SMS OTPs (e.g. +10000000000) |

Optional – External Integrations

| Variable | Description |
| --- | --- |
| VAULT_ADDR | HashiCorp Vault address (default: http://localhost:8200) |
| VAULT_TOKEN | Vault root/service token |
| HYDRA_ADMIN_URL | Ory Hydra admin API (default: http://localhost:4445) |
| HYDRA_PUBLIC_URL | Ory Hydra public API (default: http://localhost:4444) |
| REACT_APP_URL | Frontend app URL for redirects |
| IDENTITY_PROVIDER_URL | Identity provider base URL |
| SMTP_HOST / SMTP_PORT / SMTP_USER / SMTP_PASSWORD | SMTP for email notifications |
| GOOGLE_CLIENT_SECRET | Google OIDC client secret (fallback if Vault unavailable) |
| GITHUB_CLIENT_SECRET | GitHub OIDC client secret |
| MICROSOFT_CLIENT_SECRET | Microsoft OIDC client secret |
| HUBSPOT_ACCESS_TOKEN | HubSpot CRM integration token |

Optional – OIDC Token Validation

| Variable | Description |
| --- | --- |
| AUTH_EXPECT_ISS | Expected iss claim when validating incoming OIDC tokens (empty = skip) |
| AUTH_EXPECT_AUD | Expected aud claim when validating incoming OIDC tokens (empty = skip) |
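"Empty = skip" means that with these two variables unset, a token minted by any issuer for any audience passes the claim checks, as long as its signature verifies. The block below is an added example, not AuthSec's validator, showing what the two settings control: iss must match exactly, aud may be a string or an array per RFC 7519 and must contain the expected value, and expiry is enforced whether or not the policy is set. The type and function names are assumptions; the example works on an already-decoded claim set and assumes signature verification against the issuer's JWKS has happened first.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ClaimPolicy mirrors AUTH_EXPECT_ISS and AUTH_EXPECT_AUD: an empty value
// skips that check, as the README describes.
type ClaimPolicy struct {
	ExpectIss string
	ExpectAud string
}

// CheckClaims applies the policy to a decoded claim set. It assumes the
// token's signature was verified beforehand; claim checks on an unverified
// token prove nothing.
func CheckClaims(claims map[string]any, p ClaimPolicy, now time.Time) error {
	if p.ExpectIss != "" {
		iss, _ := claims["iss"].(string)
		if iss != p.ExpectIss {
			return fmt.Errorf("iss %q, expected %q", iss, p.ExpectIss)
		}
	}
	if p.ExpectAud != "" && !audContains(claims["aud"], p.ExpectAud) {
		return fmt.Errorf("aud %v does not include %q", claims["aud"], p.ExpectAud)
	}
	// Expiry is enforced regardless of policy: the env vars relax only iss/aud.
	exp, ok := claims["exp"].(float64) // JSON numbers decode to float64
	if !ok {
		return errors.New("missing or non-numeric exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return errors.New("token expired")
	}
	return nil
}

// audContains handles the RFC 7519 rule that aud is a string or an array.
func audContains(aud any, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []any:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// DecodeClaims splits a compact JWS and parses its payload WITHOUT verifying
// the signature, so it is suitable only for tests and diagnostic logging.
func DecodeClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// SampleToken builds a constructed token with a placeholder signature so the
// decoder can be exercised offline; it is not a valid signed token.
func SampleToken(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"demo"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	now := time.Now()
	tok := SampleToken(map[string]any{
		"iss": "https://issuer.example", "aud": []string{"authsec", "other-api"},
		"sub": "user-1", "exp": now.Add(5 * time.Minute).Unix(),
	})
	claims, _ := DecodeClaims(tok)
	strict := ClaimPolicy{ExpectIss: "https://issuer.example", ExpectAud: "authsec"}
	fmt.Println("strict policy:", CheckClaims(claims, strict, now))
	fmt.Println("wrong audience:", CheckClaims(claims, ClaimPolicy{ExpectAud: "billing"}, now))
	fmt.Println("empty policy (skips iss/aud):", CheckClaims(claims, ClaimPolicy{}, now))
}
```

In production both variables should be set: the aud check is what stops a token issued for a different service from being replayed against this one.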

Optional – SPIFFE / SVID OIDC

Required only when SPIFFE workload identity / delegate endpoints are used.

| Variable | Description |
| --- | --- |
| SPIFFE_OIDC_ISSUER | Issuer URL embedded in SPIFFE OIDC tokens |
| SPIFFE_JWKS_KEY_ID | Key ID used in the JWKS endpoint |
| SPIFFE_RSA_PRIVATE_KEY_B64 | Base64-encoded PEM RSA private key for signing SPIFFE JWTs |
| SPIFFE_TRUST_DOMAIN | SPIFFE trust domain (e.g. spiffe://example.org) |

Optional – Okta CIBA

Required only when Okta is used as a CIBA provider.

| Variable | Description |
| --- | --- |
| OKTA_DOMAIN | Okta domain (e.g. dev-12345678.okta.com) |
| OKTA_CLIENT_ID | Okta application client ID |
| OKTA_CLIENT_SECRET | Okta application client secret |
| OKTA_ISSUER | Okta issuer URL |
| OKTA_API_TOKEN | Okta API token for admin operations |

API Route Map

All application routes are under the /authsec prefix (except OIDC discovery and /metrics).

Core Auth & User Flow (/authsec/uflow)

Health

| Method | Path | Description |
| --- | --- | --- |
| GET | /authsec/uflow/health | Comprehensive health check |
| GET | /authsec/uflow/health/tenant/:tenant_id | Single tenant DB health |
| GET | /authsec/uflow/health/tenants | All tenant DBs health |

Admin Authentication (/authsec/uflow/auth/admin)

| Method | Path | Description |
| --- | --- | --- |
| GET | /authsec/uflow/auth/admin/challenge | Get auth challenge |
| POST | /authsec/uflow/auth/admin/login/precheck | Pre-login check |
| POST | /authsec/uflow/auth/admin/login/bootstrap | Bootstrap first admin |
| POST | /authsec/uflow/auth/admin/login | Admin login |
| POST | /authsec/uflow/auth/admin/login-hybrid | Hybrid login |
| POST | /authsec/uflow/auth/admin/register | Register admin |
| POST | /authsec/uflow/auth/admin/complete-registration | Complete registration |
| POST | /authsec/uflow/auth/admin/forgot-password | Initiate password reset |
| POST | /authsec/uflow/auth/admin/forgot-password/verify-otp | Verify OTP |
| POST | /authsec/uflow/auth/admin/forgot-password/reset | Reset password |

End-User Authentication (/authsec/uflow/auth/enduser)

| Method | Path | Description |
| --- | --- | --- |
| GET | /authsec/uflow/auth/enduser/challenge | Get challenge |
| POST | /authsec/uflow/auth/enduser/initiate-registration | Start registration |
| POST | /authsec/uflow/auth/enduser/verify-otp | Verify OTP + complete registration |
| POST | /authsec/uflow/auth/enduser/login/precheck | Pre-login check |
| POST | /authsec/uflow/auth/enduser/webauthn-callback | WebAuthn assertion callback |
| POST | /authsec/uflow/auth/enduser/delegate-svid | Delegate SPIFFE SVID |

Device Authorization Grant – RFC 8628 (/authsec/uflow/auth/device)

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| POST | /authsec/uflow/auth/device/code | Public | Device requests code |
| POST | /authsec/uflow/auth/device/token | Public | Device polls for token |
| GET | /authsec/uflow/auth/device/activate/info | Public | Get device info for UI |
| POST | /authsec/uflow/auth/device/verify | JWT | User authorises device |
| GET | /authsec/uflow/activate | Public | Activation UI page |

Voice Authentication (/authsec/uflow/auth/voice)

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| POST | /authsec/uflow/auth/voice/initiate | Public | Initiate voice auth |
| POST | /authsec/uflow/auth/voice/verify | Public | Verify voice OTP |
| POST | /authsec/uflow/auth/voice/token | Public | Get token with credentials |
| POST | /authsec/uflow/auth/voice/link | JWT | Link voice assistant |
| POST | /authsec/uflow/auth/voice/unlink | JWT | Unlink voice assistant |
| GET | /authsec/uflow/auth/voice/links | JWT | List linked assistants |
| GET | /authsec/uflow/auth/voice/device-pending | JWT | Get pending device codes |
| POST | /authsec/uflow/auth/voice/device-approve | JWT | Approve/deny device code |

TOTP – Platform (/authsec/uflow/auth/totp)

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| POST | /authsec/uflow/auth/totp/login | Public | Login with TOTP |
| POST | /authsec/uflow/auth/totp/device-approve | Public | Approve device with TOTP |
| POST | /authsec/uflow/auth/totp/register | JWT | Register TOTP device |
| POST | /authsec/uflow/auth/totp/confirm | JWT | Confirm TOTP registration |
| POST | /authsec/uflow/auth/totp/verify | JWT | Verify TOTP code |
| GET | /authsec/uflow/auth/totp/devices | JWT | List registered devices |
| POST | /authsec/uflow/auth/totp/device/delete | JWT | Delete TOTP device |
| POST | /authsec/uflow/auth/totp/device/primary | JWT | Set primary device |
| POST | /authsec/uflow/auth/totp/backup/regenerate | JWT | Regenerate backup codes |

CIBA – Platform (/authsec/uflow/auth/
