Authup

Appearance

Authup

OAuth2 & OpenID Connect identity and access management with multi-realm tenancy and declarative, isomorphic permissions you can share between API, UI, and microservices.

Get Started View on GitHub
Authup

What you get

A complete identity and access toolkit you can deploy as a service or embed as libraries.

Identity & Access

Manage users, clients, robots, roles and permissions through one declarative API. Multi-tenant by design with realms.

OAuth2 & OIDC

Standards-compliant authorization, refresh, password and client-credentials grants with PKCE enforcement for public clients out of the box.

Multi-Realm Tenancy

Isolate users, clients and policies per realm. Mount any controller under /realms/:realmId for nested routing.

Isomorphic Permissions

Serialize policy bindings between server, browser and microservices. The same evaluator runs in API, UI and edge functions.

Identity Brokering

Federate via LDAP and OpenID Connect upstream providers. Map external attributes onto Authup users automatically.

Declarative Provisioning

Seed realms, roles, users and permissions from JSON, YAML or TypeScript files. Idempotent on every startup.

Pick your deployment

Run Authup the way that fits your stack — from a single Docker container to a clustered, externally-backed deployment.

Docker Compose

The fastest way to a working Authup stack — server, UI and database wired up.

  • Single yaml file, two services
  • PostgreSQL / MySQL / Redis ready
  • Reverse-proxy examples included
Read more →

Docker

Run server and client as separate containers behind your existing orchestrator.

  • One image, two commands
  • ENV- or file-based configuration
  • Persistent writable volume
Read more →

Bare Metal

Install on any host that runs Node.js — no container runtime required.

  • Node.js 20+ on Linux / macOS / Windows
  • CLI-driven start and migrate
  • SQLite, PostgreSQL or MySQL
Read more →

From zero to issuing tokens in three steps

Pull the image, point it at your database, and issue your first access token. 

docker pull authup/authup:latest

docker run -d \
  --name authup \
  -p 3000:3000 \
  -v authup:/usr/src/writable \
  authup/authup:latest \
  server/core start
Flagship deployment

One docker-compose.yml, full stack ready

The reference deployment wires the server, the consent UI, PostgreSQL and Redis into a single compose file. Bring it up locally, point a reverse proxy at it in production.

  • One Authup image provides all services via different entrypoint commands
  • PostgreSQL or MySQL persisted in a named volume, Redis for session caching
  • Configured via environment variables, a mounted .conf file, or both
Read the Docker Compose guide →
docker-compose.yml
services:
  server-core:
    image: authup/authup:latest
    restart: unless-stopped
    volumes:
      - authup:/usr/src/writable
    ports:
      - "3001:3000"
    environment:
      - DB_TYPE=postgres
      - DB_HOST=postgres
      - REDIS_URL=redis://redis:6379
    command: server/core start
    depends_on: [postgres, redis]

  client-web:
    image: authup/authup:latest
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      - NUXT_PUBLIC_API_URL=http://localhost:3001
    command: client/web start
    depends_on: [server-core]

  postgres:
    image: postgres:16
    environment:
      - POSTGRES_DB=authup
      - POSTGRES_USER=authup
      - POSTGRES_PASSWORD=secret

  redis:
    image: redis:7

volumes:
  authup: