Persona Identity Provider

A Persona Identity Provider (also known as IdP).

Allows logging in to Persona-enabled sites with an email address hosted using your own server.

How does it work

The code assumes you have an MTA running on your server that accepts email for your domain. When provided with a login and password, it will authenticate users by logging in to the MTA over SMTP.

Imagine your email is You have an MTA running on (for instance Exim) that you can log into using as the username and s3cr3t as the password. When you open a Persona-enabled site, the following will happen:

  • the support document will be loaded from (this document is generated by the IdP daemon)
  • your browser will load the provisioning document from (included with this code)
  • if the IdP daemon determines you have a valid session on you will be logged in to the site - you're done!
  • if not, you will be redirected to the login document at (also included with this code)
  • after entering your SMTP credentials, the IdP daemon will try to authenticate to the MTA
  • if successful, a session will be created by the IdP daemon
  • the Persona-enabled site will then log you in

The daemon provides four endpoints:

  • /browserid that returns the BrowserID support document
  • /has-session/ that checks if you have a session open
  • /login/ that handles validating credentials using SMTP and creating a session if successful
  • /certificate/ that creates a certificate proving that your browser can act on behalf of the user you're authenticating as

Also included in the code are two simple HTML pages with the JavaScript code necessary for the whole process:

  • /persona/provisioning/index.html
  • /persona/login/index.html

For more about the BrowserID protocol, see the Developer Documentation


Generate an RSA key in PEM format:

ssh-keygen -f /path/to/key -t rsa -b 2048

Create an SQLite database for sessions:

sqlite3 /path/to/db 'create table sessions(session_id text primary key, email text, expires int)'

Install the SQLite driver dependency:

go get

Build the IdP daemon:

go build auth/idp.go

Assuming your email is and the server you are using is, start the daemon:

./idp -cert-issuer -private-key /path/to/key -session-db /path/to/db

Configure your HTTP server to proxy certain requests to the IdP daemon. Here's an example snippet for Nginx (remember you need a valid SSL certificate):

server {
    listen 443 ssl;

    location /persona/ {
        index index.html;
        alias /path/to/persona-idp/persona/;
    }

    location /.well-known/ {
    }

    location /persona/auth/ {
    }
}
Make sure your MTA allows plain text logins when connected from

You are now ready to try Persona. Go to any Persona-enabled site (like and try it out!
