Deployable identity infrastructure for hosted sign-in, account management, administration, and standard OIDC.
FlareAuth gives a product team its own auth realm: one user pool, one issuer, one admin console, and one hosted account center. Multiple applications can share the same realm when they should share accounts and administrators.
For products that need separate users, administrators, issuer URLs, or sign-in policy, deploy another FlareAuth instance.
Better Auth is a strong foundation, but wiring it into every product means repeating the same user tables, hosted pages, OAuth clients, admin controls, email flows, security policy, deployment settings, and operational checks.
FlareAuth packages that work once as a deployable auth service. Product apps integrate through OIDC, while teams manage users, applications, connectors, and policy from one dedicated identity layer.
FlareAuth runs Better Auth inside a Cloudflare Worker. The Worker serves hosted auth pages, account management, admin APIs, OIDC discovery, OAuth flows, and Management API endpoints from the same deployment.
Cloudflare D1 stores auth and configuration data, Drizzle owns the schema, Hono exposes the HTTP surface, and the React console provides the hosted user and admin experience.
- Hosted sign-in, sign-up, password recovery, and OAuth consent.
- Account center for profile, credentials, sessions, MFA, passkeys, and linked accounts.
- Admin console for applications, users, connectors, security policy, branding, organizations, roles, API resources, webhooks, and deployment readiness.
- Standard OIDC integration for product applications.
- Public Management API with generated OpenAPI contract.
- Agent-operable administration through an installable FlareAuth skill.
- Cloudflare Deploy Button setup for low-cost per-product deployments.
Use FlareAuth as the identity provider for your product applications. Product apps integrate through standard OIDC discovery, authorization code with PKCE, token exchange, and callback handling.
Users can manage their profile, password, MFA, passkeys, active sessions, linked accounts, and authorized applications from the hosted account center.
Administrators can configure product applications, login methods, external identity connectors, branding, security requirements, organizations, roles, API resources, webhooks, and deployment health.
Every admin capability is available through the Management API. The OpenAPI contract is served by each deployment at:
/api/management/openapi.json
Use the Deploy to Cloudflare button at the top of this page for each product auth realm.
After deployment:
- Open the deployed URL.
- Complete first-admin onboarding.
- Configure sign-in methods and product applications in the admin console.
- Point product applications at the deployment's OIDC discovery URL.
For upgrade and operational details, see:
Register an application in FlareAuth, configure its redirect URI, then use the deployment's OIDC discovery endpoint:
/api/auth/.well-known/openid-configuration
Public browser and native clients should use authorization code with PKCE. Server-side confidential clients should authenticate at the token endpoint using the client credentials shown in the FlareAuth application record.
Product applications do not need to call the Management API for normal user login. The Management API is for administration and automation.
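The following is an added example, not code from the FlareAuth repository, showing what a product application should check in the discovery document before it starts authorization code with PKCE, and how the PKCE pair and authorization request are built. The discovery document is constructed; the issuer value, the endpoint paths, and the same-origin policy are assumptions made for illustration.

```javascript
// Added example, not FlareAuth code. Relying-party checks before starting
// authorization code with PKCE against a discovered OIDC provider.
const { createHash, randomBytes } = require("node:crypto");

// Constructed discovery document for a hypothetical deployment. The issuer
// value and endpoint paths are assumptions; read the real ones from
// /api/auth/.well-known/openid-configuration on your deployment.
const ISSUER = "https://auth.example.com/api/auth";
const sampleDiscovery = {
  issuer: ISSUER,
  authorization_endpoint: `${ISSUER}/oauth2/authorize`,
  token_endpoint: `${ISSUER}/oauth2/token`,
  code_challenge_methods_supported: ["S256"],
};

// Reject a discovery document that does not belong to the expected realm.
function checkDiscovery(doc, expectedIssuer) {
  if (doc.issuer !== expectedIssuer) throw new Error("issuer mismatch");
  const origin = new URL(expectedIssuer).origin;
  for (const key of ["authorization_endpoint", "token_endpoint"]) {
    const url = new URL(doc[key]); // throws if missing or malformed
    if (url.protocol !== "https:") throw new Error(`${key} is not https`);
    // Local policy: one deployment serves every endpoint from one origin.
    if (url.origin !== origin) throw new Error(`${key} is off-origin`);
  }
  const methods = doc.code_challenge_methods_supported || [];
  if (!methods.includes("S256")) throw new Error("S256 not advertised");
  return doc;
}

// RFC 7636: challenge = BASE64URL(SHA256(ASCII(verifier))).
const challengeFor = (verifier) =>
  createHash("sha256").update(verifier, "ascii").digest("base64url");

// 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
function newPkcePair() {
  const verifier = randomBytes(32).toString("base64url");
  return { verifier, challenge: challengeFor(verifier) };
}

// Keep verifier and state in the user's session; only the challenge is sent.
function buildAuthorizationUrl(doc, { clientId, redirectUri, scope, state, challenge }) {
  const url = new URL(doc.authorization_endpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri,
    scope, state, code_challenge: challenge, code_challenge_method: "S256",
  }).toString();
  return url.toString();
}
```

The verifier is sent only in the later token request, and the `state` value returned on the callback must match the one stored for the session before the code is exchanged.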
Install the skill:
npx skills install saltbo/flareauth
Then tell your agent what to configure:
Use FlareAuth to add a complete user system to this project.
The agent will ask for the FlareAuth deployment and application details it needs.
