Skip to content

Identity infrastructure for modern apps

Self-hosted OAuth2 / OIDC provider built for Docker and cloud architectures. Open source. Up in minutes.

AI-Native Management (MCP)

Manage users, roles, attributes, claim mappers, sessions, and audit logs from Claude, Cursor, or any MCP-compatible AI assistant. 33 tools across 8 domains — no SDK, no HTTP, just natural language. npx @kotauth/mcp to connect.

OAuth2 / OIDC Compliant

Authorization Code + PKCE, Client Credentials, token rotation, introspection, revocation, silent SSO (prompt=none), end-session logout, and OIDC Discovery. Any spec-compliant client library works without modification.

Passwordless Authentication

Passkeys via FIDO2/WebAuthn with biometric or hardware-key sign-in, discoverable credentials, and per-credential replay defense. Magic-link login with same-device cookie binding. Email OTP with find-or-create semantics. Passwordless-only mode removes the password field entirely.

Multi-Tenant with Key Rotation

Isolated user directories, per-tenant RS256 key pairs with admin-initiated rotation and JWT kid headers, independent security policies, and white-label auth pages. One instance, many products.

Backup & Restore

Export entire workspaces as encrypted archives (PBKDF2 600k + AES-256-GCM) via CLI or admin API. Import with schema-version compatibility validation. Portable bkp1 envelope format.

Admin Impersonation

Act as any user for debugging and support. RFC 8693 act claim for audit attribution, dual-session model, and cascade revocation. Full audit trail of all impersonation events.

Security by Default

bcrypt hashing, AES-256-GCM at rest, HIBP breach detection, refresh-token replay detection with family revocation, TOTP replay + lockout protection, passkey sign-counter replay defense, non-root container (UID 10001), strict CSP with SRI, PKCE enforcement, and 75+ HMAC-chained immutable audit event types.

Docker Native & Developer-First

~120 MB image running as non-root with read-only filesystem. Flyway auto-migrations, 6 built-in CLI tools. 45+ REST API endpoints with OpenAPI 3.1 and bundled Swagger UI. RBAC with composite inheritance, i18n, and HMAC-signed webhooks.