Authorizer screenshot thumbnail

Authorizer

Your users belong in your own database - Authorizer, an open-source authentication and authorization server shipping as a single Go binary, keeps them there. It connects to 13+ backends - PostgreSQL, MySQL, SQLite, SQL Server, MariaDB, MongoDB, Cassandra, ScyllaDB, ArangoDB, DynamoDB, Couchbase, YugabyteDB, PlanetScale, and CockroachDB - so identity data lives beside the application it protects instead of in an auth vendor's cloud. The server is fully OAuth 2.0 and OpenID Connect compliant, including authorization code flow with PKCE, a JWKS endpoint, token revocation, and nine JWT signing algorithms. Login options cover email/password, magic links, TOTP multi-factor, SMS OTP via Twilio, and social providers including Google, GitHub, Apple, Microsoft, and Discord. Authorization goes beyond roles: an embedded OpenFGA engine provides Zanzibar-style relationship-based permission checks in process. APIs are exposed over GraphQL, REST, and gRPC, with SDKs for JavaScript, React, Go, and Python, plus themeable built-in login pages and an admin dashboard. Apache 2.0 licensed.

Deploy
Supertokens Core screenshot thumbnail

Supertokens Core

Authentication that lives inside your application rather than behind a redirect to an external identity provider - SuperTokens takes a fundamentally different architecture from Auth0 and AWS Cognito. Three tiers make that work - frontend SDKs (React, Angular, Vue, vanilla JS, React Native) render overridable login UI and manage tokens; backend SDKs (Node.js, Python, Go) expose auth endpoints on your own API domain; and SuperTokens Core, the piece you host here, is the stateless HTTP service handling core auth logic, password hashing, token signing, and database operations against PostgreSQL. The recipe system keeps features decoupled: use email/password, social login, passwordless (magic links, OTP), phone-password, multi-factor authentication (TOTP, WebAuthn), user roles, and microservice auth - individually or combined; you can even use SuperTokens purely for session management alongside another login provider. Sessions are where it shines: rotating refresh tokens with theft detection, automatic access-token refresh, CSRF protection, and secure cookie handling out of the box - the details that become vulnerabilities when hand-rolled. Verification happens locally in your backend via cached JWT signing keys, so the Core stays off the hot path. Self-hosted means no user limits, free forever, with all user data in your database. Apache-licensed.

Deploy
Zitadel screenshot thumbnail

Zitadel

Securing a SaaS product, running B2B onboarding, or replacing Auth0 and Keycloak with a stack they own - teams needing more than basic auth reach for ZITADEL, an open-source identity and access management platform built in Go. Its multi-tenancy model is the differentiator: a strict Instance, Organization, Project hierarchy isolates data and scopes policy at each level, with identity brokering (pre-built templates for Google, GitHub, Microsoft, Apple, plus generic OIDC, OAuth, SAML, and LDAP), domain discovery that routes users to the right organization by email domain, and delegated management so customers administer their own users and roles. Authentication covers OpenID Connect (certified, including device authorization and token exchange), SAML 2.0 as both IdP and SP, SCIM, FIDO2 passkeys for phishing-resistant passwordless login, and MFA via OTP, email, SMS, and U2F; machine-to-machine flows support JWT profile, PATs, and client credentials. The architecture is event-sourced - every mutation is an immutable event, yielding a complete audit trail - with relational projections for queries and no external session store, so it scales horizontally. API-first with gRPC and REST, extensible via Actions webhooks, and the same codebase self-hosted (Docker Compose or Helm on PostgreSQL) as in the cloud.

Deploy