A production-minded, self-hosted authentication platform for modern apps, built with OAuth 2.0 + PKCE, multi-tenant isolation, passkeys (WebAuthn), and hosted auth screens.
GitHub: https://github.com/darshan-pr/Auth-Platform LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7433885576686256128/
Auth Platform helps teams ship secure login and authorization without rebuilding auth from scratch for every product.
It provides:
- A hosted user auth experience (sign in, sign up, forgot/reset password)
- OAuth 2.0 Authorization Code Flow with PKCE
- Multi-tenant application management from a built-in admin console
- Token issuance/verification, refresh, and advanced protection features (including DPoP)
Most small and mid-size teams struggle with:
- Implementing secure auth flows correctly
- Managing auth across multiple apps/tenants
- Handling OTP, passkeys, token refresh, and security hardening consistently
This platform solves that by centralizing identity and security into one reusable service.
- Hosted authentication UI with app branding support (including per-app logo)
- OAuth authorization endpoint + secure code exchange
- App-specific and tenant-aware user identity boundaries
- Email/password login with optional OTP enforcement
- Forgot password and set-password flows with secure email delivery
- Passkey registration/authentication (WebAuthn)
- Admin console for app/user lifecycle management
- Login event tracking and operational stats
- RS256 JWT access and refresh tokens
- HttpOnly cookie protection for admin sessions
- Brute-force and rate-limit protections
- Email enumeration-safe forgot-password behavior
- Per-app secret handling with secure verification
- CSRF protection for browser-sensitive routes
- DPoP support for sender-constrained tokens (RFC 9449 style)
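
The PKCE-bound code exchange named in the lists above, sketched as an added example that is not Auth Platform's own code. `CodeStore`, its method names and the in-memory dict are hypothetical; the S256 transform and the verifier format follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# RFC 7636 section 4.1: verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(verifier)), unpadded (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: fresh 256-bit verifier and the challenge sent up front."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    return verifier, s256_challenge(verifier)


class CodeStore:
    """Hypothetical in-memory store; a real server would use Redis or a DB."""
    def __init__(self, ttl_seconds=60):
        self._ttl = ttl_seconds
        self._codes = {}

    def issue(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":  # refuse the "plain" downgrade
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        expires = time.monotonic() + self._ttl
        self._codes[code] = (client_id, redirect_uri, code_challenge, expires)
        return code

    def redeem(self, code, client_id, redirect_uri, code_verifier):
        # pop() burns the code on first use, even if a later check fails.
        entry = self._codes.pop(code, None)
        if entry is None or not _VERIFIER_RE.fullmatch(code_verifier or ""):
            return False
        bound_client, bound_uri, challenge, expires = entry
        if time.monotonic() >= expires:
            return False
        if (bound_client, bound_uri) != (client_id, redirect_uri):
            return False
        computed = s256_challenge(code_verifier)
        return hmac.compare_digest(computed.encode(), challenge.encode())
```

A stolen authorization code is useless without the verifier, and a failed redemption attempt invalidates the code so it cannot be retried.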
```
backend/
  app/
    api/          # auth, oauth, admin, token, health endpoints
    services/     # OTP, JWT, OAuth, mail, passkey, security utilities
    models/       # SQLAlchemy entities
    templates/    # hosted auth and reset-password pages
    static/       # admin console and docs UI
    assets/       # UI/media assets
  migrations/     # SQL schema migrations
  tests/          # automated backend tests
next-app/         # sample client app integration
frontend/         # additional frontend assets
run.sh            # local/dev/prod-like service runner
```
```bash
cp .env.example .env
# Fill database, redis, smtp, jwt values
docker compose up -d
source .venv/bin/activate
bash run.sh
```

`run.sh` supports:
- Dev mode (`uvicorn --reload`)
- Deployment mode (`gunicorn` + Cloudflare tunnel URL output)
- Controlled startup/shutdown for backend and tunnels
To avoid migration deadlocks/noise in multi-worker mode:
- Migrations are run once before server workers boot
- Worker startup migration execution is disabled via `RUN_DB_MIGRATIONS_ON_STARTUP=false`

You can still force startup migrations by setting:

```bash
RUN_DB_MIGRATIONS_ON_STARTUP=true
```

- Backend API: `http://localhost:8000`
- Swagger/OpenAPI: `http://localhost:8000/docs`
- Developer Docs UI: `http://localhost:8000/api/docs`
- Admin Console: `http://localhost:8000/login`
| Variable | Purpose |
|---|---|
| `DATABASE_URL` | PostgreSQL connection string |
| `REDIS_URL` | Redis connection for OTP/rate limiting/state |
| `JWT_SECRET` | JWT signing and security secret |
| `SMTP_SERVER`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD` | Email delivery configuration |
| `AUTH_SERVER_URL` | Public auth server base URL |
| `AUTH_PLATFORM_URL` | Public platform URL used in templates/links |
| `ALLOWED_ORIGINS` | CORS allowlist |
| `RUN_DB_MIGRATIONS_ON_STARTUP` | Toggle boot-time migrations |
```bash
cd backend
source .venv/bin/activate
python -m pytest tests/ -v
```

This project can be deployed on Railway, Render, Fly.io, AWS, GCP, or any platform that supports:
- Python runtime
- PostgreSQL
- Redis
For production, use:
- TLS everywhere
- strong secrets
- managed Postgres/Redis
- SMTP provider with domain verification
MIT