Every auth flow
Email + password (Argon2id), TOTP MFA with recovery codes, WebAuthn passkeys, OAuth (Google + GitHub), passwordless email-OTP, trusted browsers, step-up authentication.
Self-hosted, by design
Runs entirely on your infrastructure. No data ever leaves your servers. Zero phone-home — even license verification is offline. There is no hosted tier, by intent.
~40 endpoints, one binary
Drop the identsphere-server Docker image into your stack. Or import identsphere-axum as a Rust crate. Or use any language — pure REST + standard JWTs.
Type-safe RBAC
Permissions are compile-time-typed enums in Rust + const-enums in TypeScript. Mistyping a role is a build error, not a runtime 403.
No proprietary anything
Bcrypt-compatible password hashes, RS256 JWTs, W3C WebAuthn, standard OAuth2.1. Migrate in or out in 2 weeks. Documented runbooks for every major competitor.
Standards-grade security
DPoP token binding, refresh-family theft detection, brute-force protection on MFA, fail-closed authorization, audit trail on every state change.
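The typed-permission and fail-closed points above, sketched as an added Rust example; it is not code from IdentSphere or the identsphere-axum crate, and every type, variant and function name in it is hypothetical. It also shows the one place a role still arrives as a string (a token claim), where an unknown value has to be denied rather than defaulted.

```rust
use std::str::FromStr;

// Hypothetical names throughout: this is not identsphere-axum's API.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Permission { ReadInvoices, EditInvoices, ManageMembers }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Viewer, Editor, Admin }

impl Role {
    // Exhaustive match with no `_` arm: adding a Role or Permission variant
    // stops the build until its access decision is written here.
    pub fn grants(self, p: Permission) -> bool {
        use Permission::*;
        match (self, p) {
            (Role::Admin, ReadInvoices | EditInvoices | ManageMembers) => true,
            (Role::Editor, ReadInvoices | EditInvoices) => true,
            (Role::Editor, ManageMembers) => false,
            (Role::Viewer, ReadInvoices) => true,
            (Role::Viewer, EditInvoices | ManageMembers) => false,
        }
    }
}

// Roles still arrive as strings in token claims; parse them once at the
// boundary so everything past this point only handles the enum.
impl FromStr for Role {
    type Err = ();
    fn from_str(s: &str) -> Result<Self, ()> {
        match s {
            "viewer" => Ok(Role::Viewer),
            "editor" => Ok(Role::Editor),
            "admin" => Ok(Role::Admin),
            _ => Err(()), // unknown or mistyped claim value
        }
    }
}

// Fail closed: a missing or unparseable role claim is a denial, never a default role.
pub fn authorize(role_claim: Option<&str>, needed: Permission) -> Result<Role, &'static str> {
    let role = role_claim.ok_or("no role claim")?.parse::<Role>().map_err(|_| "unknown role")?;
    if role.grants(needed) { Ok(role) } else { Err("permission not granted") }
}

fn main() {
    // Constructed claim values, as they might appear in a decoded token.
    for claim in [Some("editor"), Some("Admin"), Some("viewer"), None] {
        println!("{:?} -> {:?}", claim, authorize(claim, Permission::EditInvoices));
    }
}
```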
In 5 minutes
```bash
# 1. Run IdentSphere + Postgres
#    (demo credentials only; generate a real Postgres password outside a local test)
docker run -d --name pg -e POSTGRES_PASSWORD=demo -p 5432:5432 postgres:16
#    On Linux without Docker Desktop, also pass
#    --add-host=host.docker.internal:host-gateway so the container can reach the host.
docker run -d --name identsphere -p 4000:4000 \
  -e DATABASE_URL=postgres://postgres:demo@host.docker.internal:5432/postgres \
  -e IDENTSPHERE_JWT_SECRET="$(openssl rand -base64 48)" \
  pradumna/identsphere-server

# 2. Register a user
curl -X POST http://localhost:4000/v1/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"email":"alice@example.com","password":"correcthorsebattery","organization_name":"Acme"}'

# 3. Sign in
curl -X POST http://localhost:4000/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"alice@example.com","password":"correcthorsebattery"}'
```
Three commands, working auth backend. From here you can wire it into any language — Python, Go, Node, Java, Ruby, PHP, or plain HTTP.
Who this is for
- B2B SaaS that sells to companies with security requirements but doesn't want to pay $1,800/mo to Clerk for 100k MAU
- Regulated industries (healthcare, fintech, govtech) that need self-hosted auth with audit trails and zero-third-party-data-sharing
- Anyone building a startup who wants production auth in 30 minutes without vendor lock-in
Comparison
| Feature | IdentSphere | Clerk | Auth0 | WorkOS | Keycloak |
|---|---|---|---|---|---|
| Self-hosted | ✅ | ❌ | ❌ | ❌ | ✅ |
| Modern UX | ✅ | ✅ | ✅ | ✅ | ❌ |
| Passkeys | ✅ | ✅ | Add-on | Beta | ❌ |
| Flat-rate pricing | ✅ | ❌ (per-MAU) | ❌ (per-MAU) | ❌ (per-connection) | Free |
| Source-available | ✅ (BSL) | ❌ | ❌ | ❌ | ✅ (Apache 2) |
| Modern stack | Rust / TS | TS | TS | TS | Java |
| Zero phone-home | ✅ | ❌ | ❌ | ❌ | ✅ |