# OpenAuth — Universal Auth Server You Can Self-Host

> Dax Raad's team's centralized auth server you self-host. Multi-tenant, OAuth/password/SAML/passkey. Auth0/Clerk replacement with full control.

## Install

Save as a script file and run:

## Quick Use

1. `npm install @openauthjs/openauth`
2. Write an `issuer({providers, success})` server and deploy it to Lambda / Vercel Functions
3. Client apps call `createClient().authorize(...)` to start the OAuth flow

---

## Intro

OpenAuth is a centralized auth server from Dax Raad's team (SST / Toolbeam): you self-host one OpenAuth server that issues OAuth-compatible tokens to all your apps, whatever the login method (password, OAuth provider, SAML, passkey, magic link). It is a standards-based, multi-tenant, zero-vendor-lock-in alternative to Auth0/Clerk.

Best for: side projects scaling to multiple apps, teams burned by Auth0 pricing tiers, anyone wanting full control over the user database.

Works with: any web framework (TS, Python, Go, Rust, PHP).

Setup time: 15 minutes.

---

### Server (TypeScript example)

```typescript
import { issuer } from "@openauthjs/openauth";
import { createSubjects } from "@openauthjs/openauth/subject";
import { DynamoStorage } from "@openauthjs/openauth/storage/dynamo";
import { PasswordProvider } from "@openauthjs/openauth/provider/password";
import { GithubProvider } from "@openauthjs/openauth/provider/github";
import { PasswordUI } from "@openauthjs/openauth/ui/password";
import { handle } from "hono/aws-lambda";
import { object, string } from "valibot";

// Shape of the subject that ends up inside every access token.
const subjects = createSubjects({
  user: object({ id: string() }),
});

const auth = issuer({
  subjects,
  storage: DynamoStorage({ table: "openauth" }), // your table, not a vendor's
  providers: {
    password: PasswordProvider(
      PasswordUI({
        // Email + password UI; deliver the verification code via your mailer.
        sendCode: async (email, code) => {
          await sendMail(email, `Your code: ${code}`); // your own mail helper
        },
      }),
    ),
    github: GithubProvider({
      clientID: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
      scopes: ["user:email"],
    }),
  },
  success: async (ctx, value) => {
    // Map whichever provider succeeded onto one stable user id.
    if (value.provider === "password") {
      return ctx.subject("user", { id: value.email });
    }
    if (value.provider === "github") {
      // GitHub only hands back an access token; resolve it to the account id.
      const res = await fetch("https://api.github.com/user", {
        headers: { Authorization: `Bearer ${value.tokenset.access}` },
      });
      const gh = (await res.json()) as { id: number };
      return ctx.subject("user", { id: `github:${gh.id}` });
    }
    throw new Error("unknown provider");
  },
});

// Mount on AWS Lambda (use Hono's Vercel adapter for Vercel Functions)
export const handler = handle(auth);
```

### Client app (any framework)

```typescript
import { createClient } from "@openauthjs/openauth/client";

const client = createClient({
  clientID: "my-app",
  issuer: "https://auth.example.com",
});

// 1. Redirect to login. Keep `challenge` (state + PKCE verifier) in the
//    session so the callback can be bound to this browser.
const { challenge, url } = await client.authorize(
  "https://my-app.com/callback",
  "code",
  { pkce: true },
);
sessionStorage.setItem("challenge", JSON.stringify(challenge));
window.location.href = url;

// 2. On callback: reject the response unless `state` matches what we started.
const params = new URLSearchParams(window.location.search);
const stored = JSON.parse(sessionStorage.getItem("challenge")!);
if (params.get("state") !== stored.state) throw new Error("state mismatch");

const exchanged = await client.exchange(
  params.get("code")!,
  "https://my-app.com/callback",
  stored.verifier,
);
if (exchanged.err) throw exchanged.err;
// exchanged.tokens.access / exchanged.tokens.refresh — standard OAuth, use anywhere
```

### Why OpenAuth vs Auth0/Clerk

| Need | OpenAuth | Auth0 | Clerk |
|---|---|---|---|
| Self-host | Yes | No (Private Cloud add-on $$$) | No |
| Pricing | Free (your infra) | $-$$$$ per MAU | Per MAU |
| Multi-tenant | Built-in | Yes | Yes |
| Standards-based | OAuth/OIDC native | OAuth/OIDC | Proprietary + OIDC |
| Storage | Postgres / DynamoDB / Cloudflare KV | Theirs | Theirs |
| Lock-in | None (your DB) | Vendor | Vendor |

### Production checklist

- HTTPS only (issuer redirects break on HTTP)
- Rotate signing keys every 90 days (`auth.rotate()`)
- Set short-lived access tokens (15 min) + long refresh (30 days)
- Use Cloudflare KV or DynamoDB for global edge latency

---

### FAQ

**Q: Is it production-ready?**
A: Yes — Toolbeam runs it in production, several Anthropic-adjacent projects use it. Still v1.x so breaking changes possible. Pin a version and test upgrades.

**Q: Storage options?**
A: Built-in adapters for DynamoDB (recommended for AWS-native), Cloudflare KV (edge-friendly), Postgres (self-host shops), and in-memory for tests. A custom adapter is a ~50-line file.

**Q: How does it compare to Lucia / NextAuth?**
A: Lucia/NextAuth are libraries embedded in your app. OpenAuth is a separate centralized server, preferred when you have 3+ apps sharing users. For one app, NextAuth is simpler. For an org with many apps, OpenAuth is the cleaner architecture.

---

## Source & Thanks

> Built by [Toolbeam](https://github.com/toolbeam) (Dax Raad's team). Licensed under MIT.
>
> [toolbeam/openauth](https://github.com/toolbeam/openauth) — ⭐ 2,800+

---

Source: https://tokrepo.com/en/workflows/openauth-universal-auth-server-you-can-self-host
Author: SST
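The client section above leans on `client.authorize()` / `client.exchange()` to handle the `state` and PKCE binding of the authorization-code flow. The following is an added example, not OpenAuth's own code, that spells out what that binding does using only `node:crypto`: it generates the challenge, builds the authorization request, and refuses to exchange a callback whose `state` does not match the pending login. The `/authorize` path, the parameter names and the `Challenge` field names are standard-OAuth assumptions, not taken from the library.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// What the client app keeps (httpOnly cookie or server session) between the
// redirect to the issuer and the callback. Field names are an assumption.
export interface Challenge {
  state: string;    // binds the callback to the session that started it
  verifier: string; // PKCE code_verifier, only revealed at exchange time
}

export function createChallenge(): Challenge {
  return {
    state: randomBytes(32).toString("base64url"),
    verifier: randomBytes(32).toString("base64url"),
  };
}

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Authorization request for the "code" flow (standard OAuth parameter names).
export function buildAuthorizeUrl(issuer: string, clientID: string, redirectURI: string, c: Challenge): string {
  const u = new URL("/authorize", issuer);
  u.searchParams.set("client_id", clientID);
  u.searchParams.set("redirect_uri", redirectURI);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("state", c.state);
  u.searchParams.set("code_challenge", codeChallenge(c.verifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Callback guard: only hand a code to exchange() when the returned state
// matches the pending challenge, so a foreign code cannot be injected here.
export function handleCallback(query: URLSearchParams, stored: Challenge | undefined): { code: string; verifier: string } {
  if (!stored) throw new Error("no pending login for this session");
  const err = query.get("error");
  if (err) throw new Error(`issuer returned error: ${err}`);
  const got = new TextEncoder().encode(query.get("state") ?? "");
  const want = new TextEncoder().encode(stored.state);
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error("state mismatch");
  const code = query.get("code");
  if (!code) throw new Error("callback is missing code");
  return { code, verifier: stored.verifier };
}
```

The returned `verifier` is what goes into the third argument of `client.exchange(code, redirectURI, verifier)` so the issuer can check the PKCE binding on its side.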