Why IdentSphere

There is no shortage of authentication products. So why one more?

Auth0 / Okta / Clerk / WorkOS

The hosted SaaS auth market is mature. These products are excellent at what they do. They are also:

  • Closed source. You can't read the code that's making access-control decisions on your user data.
  • Per-MAU priced. Pricing climbs steeply at scale and is unpredictable when your traffic spikes.
  • Cross-border. Your users' emails, password hashes, and MFA secrets sit on servers your compliance team didn't audit.
  • Lock-in. The data model and tokens are bespoke; migrating off requires re-onboarding every user.

If those tradeoffs are fine for you, IdentSphere is probably the wrong tool. The hosted vendors will out-feature us on shiny corners (admin dashboards, adaptive risk scoring, fraud detection).

Keycloak / Authentik / Ory

The self-hostable, open-source alternatives. IdentSphere's closest cousins.

  • Keycloak is JVM-heavy, complex, and tuned for federation-heavy enterprise workloads. The configuration surface is enormous; running it well is a full-time job.
  • Authentik is younger, Python-based, and has a similar configuration-heavy posture.
  • Ory is a constellation of services (Kratos, Hydra, Keto, Oathkeeper) you wire together yourself. The composition is powerful but the operational surface is large.

IdentSphere is opinionated where they're flexible. We give you one HTTP API, one database, one Docker image, and a typed React SDK. That's the entire product. The tradeoff: we won't do SAML federation, LDAP sync, or 14 identity-source connectors in v0.1. The premium modules add some of that later; the OSS core stays small.

Build it yourself

The 200-line passport-local + JWT scaffold is a classic. Then you add MFA, then you add passkeys, then you discover refresh-token rotation, then trusted browsers, then session revocation across a fleet, then RBAC, then audit logs, then you realize you needed to think about constant-time comparisons two years ago.

IdentSphere is the "I've done this three times, here are the bones you actually need" library. It is roughly the auth scaffolding of three prior SaaS apps, distilled to a single SDK.

When IdentSphere fits

  • You're building a B2B SaaS app with multi-tenant orgs + RBAC.
  • You want to run your auth on your own infrastructure.
  • You prefer Rust or you want a typed Rust ↔ TypeScript surface.
  • You need passkeys, MFA, social OAuth, audit trail — and you want it working in an afternoon.
  • You care about exit cost. Argon2 hashes export anywhere; the schema is yours forever.

When IdentSphere doesn't fit

  • You need federated SSO with custom SAML attribute mappings on day one. (v0.2's premium SAML module will help — but if it's blocking, Keycloak ships today.)
  • You're a pure consumer-app shop with no organization concept. IdentSphere's RBAC is org-shaped; you'd be using the wrong tool.
  • You have a strict no-Postgres constraint. IdentSphere requires Postgres 14+.
  • You need the hosted "click a button, done" SaaS experience. IdentSphere runs on your boxes; you run them.

The honest summary

IdentSphere's bet: most B2B SaaS auth is the same auth. Bake the standard flows into a self-hostable, exit-cost-zero SDK and stop reimplementing them. The interesting auth lives at the edges (federation, fraud, threat intel) — pay for that when you need it; bring your own infrastructure for the rest.