If you've ever been frustrated by per-seat auth pricing, vendor lock-in, or shipping your users' data to someone else's cloud — this release is for you.

TL;DR: Single Go binary. 13+ database backends. CLI-driven config. OAuth 2.0/OIDC compliant. Deploy in 5 minutes. Free forever.

GitHub | Docs | Website | Migration Video

Why We Built v2

Authorizer v1 worked. Teams used it in production. But we kept hearing the same feedback:

"Config stored in the database felt fragile." "I want to manage auth config the same way I manage everything else — through code." "It's hard to audit what changed and when."

So we rethought the entire configuration model.

v1: Configuration lived in the database, encrypted. You changed settings through the dashboard UI or a GraphQL mutation. Convenient, but opaque — you couldn't version-control your auth config, couldn't audit changes easily, and secrets sat in a persistent store.

v2: All configuration is passed via CLI flags at startup. That's it. No .env files. No database-stored config. No mutation to accidentally expose secrets. Your auth server is configured the same way you configure every other 12-factor service.

authorizer \
  --database-type postgres \
  --database-url "postgres://user:pass@localhost:5432/auth" \
  --jwt-type=HS256 \
  --jwt-secret=test \
  --admin-secret=admin \
  --client-id=123456 \
  --client-secret=secret

That's a production-ready auth server. One command. No magic.

What's in v2

13+ Database Backends

Use whatever database your team already runs:

No other open-source auth server supports this many backends. If you're already running MongoDB or DynamoDB — you don't need to spin up a separate Postgres just for auth.

11 Social Login Providers

Google, GitHub, Facebook, Apple, LinkedIn, Microsoft, Discord, Twitter, Twitch, Roblox — all configured with a pair of CLI flags:

--google-client-id "..." --google-client-secret "..."
--github-client-id "..." --github-client-secret "..."

Multi-Factor Authentication

• TOTP — Google Authenticator, Authy, 1Password

• Email OTP — One-time codes via email

• SMS OTP — Via Twilio integration

• Enforceable globally with --enforce-mfa

Full OAuth 2.0 / OIDC Compliance

• Authorization code flow with PKCE (RFC 7636)

• Implicit token and ID token flows

• JWKS endpoint (/.well-known/jwks.json)

• 9 JWT signing algorithms (HS256/384/512, RS256/384/512, ES256/384/512)

• Custom access token claims via JavaScript scripts

Developer Experience

• GraphQL API — Introspectable schema, admin operations prefixed with _

• REST endpoints — Standard OAuth 2.0/OIDC paths

• SDKs — React, JavaScript, Go, Svelte, Vue, Flutter

• Built-in UI — Login/signup pages out of the box, themeable

• Admin dashboard — User management, role assignment, email templates

• Webhooks — 8 event types for real-time integrations

Role-Based Access Control

Define roles, set defaults, protect sensitive ones:

--roles "user,admin,editor" \
--default-roles "user" \
--protected-roles "admin"

One-Command Deployment

# Docker
docker run -p 8080:8080 -u root \
  -v authorizer_data:/authorizer/data \
  lakhansamani/authorizer \
  --database-type=sqlite \
  --database-url=/authorizer/data/data.db \
  --client-id=123456 \
  --client-secret=secret \
  --admin-secret=admin \
  --jwt-type=HS256 \
  --jwt-secret=test
# Or one-click deploy on Railway, Heroku, Render, Koyeb

Single binary. No JVM. No app server. No runtime dependencies.

What Changed From v1

If you're upgrading, here's what matters:

We wrote a detailed migration guide covering every breaking change. Prefer video? Here's a step-by-step migration walkthrough on YouTube.

What's Coming Next: The Roadmap

We're not stopping here. Here's what's planned across five phases:

Phase 1: Security Hardening

The foundation for enterprise adoption:

• Rate limiting & brute force protection — Per-IP, per-user throttling and account lockout

• CAPTCHA integration — Cloudflare Turnstile and Google reCAPTCHA v3

• Leaked password detection — Have I Been Pwned API integration

• Structured audit logs — Queryable event trail for compliance

• Prometheus metrics — /metrics endpoint for observability

• Session security — Device fingerprinting, unrecognized device alerts, remote revocation

Phase 2: Authorization & Machine-to-Machine

Moving beyond basic RBAC:

• Fine-grained permissions — Resource-level access control (document:read, project:admin)

• M2M authentication — OAuth 2.0 client credentials grant for service-to-service

• Service accounts — Application identities that aren't tied to humans

• API key management — Let your users create and manage their own API keys

• Organization enhancements — Domain-based routing, org-level policies, invitations

Phase 3: Enterprise SSO & Federation

What enterprise buyers ask for on day one:

• SAML 2.0 — Connect to Okta, Azure AD, OneLogin

• SCIM 2.0 / Directory Sync — Automated user provisioning and deprovisioning

• Authorizer as OIDC Provider — Issue tokens for downstream services

• Self-service admin portal — Let customer IT teams configure their own SSO

Phase 4: AI-Era Authentication

Auth is changing. AI agents need identity too:

• MCP (Model Context Protocol) authorization — Secure tool access for AI agents

• Agent-to-Agent (A2A) authentication — Identity and delegation for autonomous agents

• OAuth 2.1 compliance — Mandatory PKCE, no implicit grant, refresh token rotation

• Token exchange (RFC 8693) — Delegation and impersonation flows

• Dynamic client registration (RFC 7591) — Programmatic OAuth client creation

Phase 5: Advanced Security & Modern Standards

• Passkeys / WebAuthn (FIDO2) — Passwordless with hardware keys

• DPoP (RFC 9449) — Proof-of-possession tokens to prevent token theft

• Advanced bot protection — Risk scoring, credential stuffing detection

• SIEM integration — Stream logs to Datadog, Splunk, Elastic

The full roadmap is on GitHub.

Why Self-Hosted Auth Matters in 2026

Three trends are making self-hosted auth more relevant than ever:

1. Data sovereignty isn't optional anymore. GDPR enforcement is accelerating. New regulations in India, Brazil, and across APAC require data residency. If your auth provider stores user data in a region you can't control, you have a compliance problem.

2. Auth pricing doesn't scale. Hosted auth providers get expensive fast — they charge per user, per connection, or per feature. With Authorizer, you pay for a server. That's it.

3. AI agents need auth too. MCP, A2A, and OAuth 2.1 are the emerging standards for agent authentication. The auth layer needs to evolve — and you want that evolution to happen on infrastructure you control.

Get Started

5-minute quickstart:

docker run -p 8080:8080 -u root \
  -v authorizer_data:/authorizer/data \
  lakhansamani/authorizer \
  --database-type=sqlite \
  --database-url=/authorizer/data/data.db \
  --client-id=123456 \
  --client-secret=secret \
  --admin-secret=admin \
  --jwt-type=HS256 \
  --jwt-secret=test

Open http://localhost:8080 — you have a working auth server with a login page.

Add it to your React app:

npm install @authorizerdev/authorizer-react

import { AuthorizerProvider, Authorizer } from '@authorizerdev/authorizer-react';

function App() {
  return (
    <AuthorizerProvider
      config={{
        authorizerURL: 'http://localhost:8080',
        redirectURL: window.location.origin,
        clientID: 'my-app',
      }}
    >
      <Authorizer />
    </AuthorizerProvider>
  );
}

That's email/password auth, social logins, and session management — in 15 lines.

One-click cloud deploy:

• Railway

• Heroku

• Render

Join the Community

• Star us on GitHub: github.com/authorizerdev/authorizer

• Website: authorizer.dev

• Read the docs: docs.authorizer.dev

• Watch the migration video: YouTube — v1 to v2 migration

• Join Discord: discord.gg/n7DfTjCAn — Chat with the team and other developers

• Contribute: Check out our contributing guide

Authorizer is Apache 2.0 licensed. It's free, it's open source, and your data stays yours.

We'd love your feedback, bug reports, and contributions. If this solves a problem for you — give us a star. It helps more than you think.

Sponsor Authorizer

Authorizer is built and maintained by the community. If it saves you time or money, consider sponsoring the project to keep development going:

Sponsor Authorizer on GitHub

Built with Go. Powered by the community. Owned by you.

About the author: I'm Lakhan Samani, creator of Authorizer. Connect with me on LinkedIn or X/Twitter.

For the demo purpose, we will be using [Express](https://expressjs.com/) server and writing a middleware that will validate user sessions & roles based on the JWT (JSON Web Token) in the Authorization header.

Refer to the source code on github.

Step 1: Setup Authorizer Instance

Deploy production-ready Authorizer instance using one-click deployment options available below

For more information & deployment options like docker / Kubernetes / helm charts refer to the docs

Configure Instance

• Open the Authorizer instance endpoint in a browser

• SignUp as an Admin with a secure password

• Configure environment variables from the dashboard. Check env docs for more information.

  Note: DATABASE_URL , DATABASE_TYPE , REDIS_URL are the variables that can only be configured as the authorizer instance's system environment variable.

Step 2: Create Express App

Note: This step is optional if you already have a Nodejs application up and running

• Setup project

    # Create directory
    mkdir my-apis
  
    # Change directory
    cd my-apis
  
    # Initialize nodejs APP
    npm init -y
  
    # Install express
    npm install express
  
    # Create index.js
    touch index.js
  

• Add Start Command to package.json

    {
      "name": "my-apis",
      "version": "1.0.0",
      "description": "",
      "main": "index.js",
      "scripts": {
        "start": "node index.js",
        "test": "echo \"Error: no test specified\" && exit 1"
      },
      "keywords": [],
      "author": "Lakhan Samani",
      "license": "ISC",
      "dependencies": {
        "express": "^4.18.2"
      }
    }
  

• Setup Express App and Create a basic API in index.js

    // index.js
    const express = require('express');
  
    const app = express();
    const port = `3000`;
  
    app.get('/', (req, res) => {
      res.send('Hello World');
    });
  
    app.listen(port, () => {
      console.log(`[server]: Server is running at http://localhost:${port}`);
    });
  

Step 3: Create Authorization Middleware

• Install @authorizerdev/authorizer-js

    npm i --save @authorizerdev/authorizer-js
  

• Create auth_middleware.js

    touch auth_middleware.js
  

• Implement authorization middleware

    // auth_middleware.js
  
    const { Authorizer } = require("@authorizerdev/authorizer-js");
  
    const authRef = new Authorizer({  
      authorizerURL: "AUTHORIZER_URL_FROM_STEP 1",
      redirectURL: "FRONTEND_URL",
      clientID: "AUTHORIZER_CLIENT_ID FROM DASHBOARD"
    });
  
    const authMiddleware = async (req, res, next) => {
        const authHeader = req.headers.authorization;
      if (!authHeader) {
        return res.status(403).json({ error: "Authorization not found" });
      }
  
      const splitHeader = authHeader.split(" ");
      if (splitHeader.length != 2) {
        return res.status(403).json({ error: "Invalid auth header" });
      }
  
      if (splitHeader[0].toLowerCase() != "bearer") {
        return res.status(403).json({ error: "Bearer token not found" });
      }
  
      const token = splitHeader[1];
      // Validate jwt token via authorizer sdk
      try {
        const res = await authRef.validateJWTToken({
          token,
          token_type: "id_token", // This can be access_token, refresh_token
           // roles: [user] // specify roles that you want to validate jwt for, by default it will just verify jwt.
        });
        req.user = res.claims;
      } catch (err) {
        console.error(err);
        return res.status(403).json({ error: "Invalid JWT token" });
      }
  
      next();
    }
  
    module.exports = authMiddleware
  

Step 4: Add auth middleware to APIs

Update index.js with following content

// index.js
const express = require('express');
const authMiddleware = require('./auth_middleware')

const app = express();
const port = `3000`;

app.get('/', authMiddleware, (req, res) => {
  res.send('Hello World');
});

app.listen(port, () => {
  console.log(`[server]: Server is running at http://localhost:${port}`);
});

Step 5: Test the API

• Start API Server

    npm start
  

• Make a curl request

    curl http://localhost:3000
  

Note: This will return an error, as we have not specified the Authorization header with a valid JWT token

• For this test to pass we need to have a valid JWT token, so let's generate a valid JWT by making a login call to the authorizer server

    # Replace Authorizer URL from step 1
    # Replace credentials with right credentials in --data-raw (demo@yopmail.com, Test@123#)
    # If you have no user on your instance, first signup using AUTHORIZER_URL_FROM_STEP_1/app?redirect_uri=AUTHORIZER_URL_FROM_STEP_1/app
  
    curl --location --request POST 'AUTHORIZER_URL_FROM_STEP_1/graphql' \
    --header 'Content-Type: application/json' \
    --data-raw '{"query":"mutation login {\n  login(params: {\n    email: \"demo@yopmail.com\",\n    password: \"Test@123#\"\n  }) {\n    id_token\n  }\n}","variables":{}}'
  

  This should return an id_token in response, as shown in the screenshot below. Copy the id_token from the response and pass it to our nodeJS API server

• Test the API

    curl --header 'Authorization: Bearer TOKEN_COPIED_FROM_ABOVE_STEP' http://localhost:3000
  

That's all I hope this helps you authorize your APIs easily and make them secure based on the correct session and roles.

For more information check out the links below.

• Website: https://authorizer.dev

• Docs: https://docs.authorizer.dev

• Github: https://github.com/authorizerdev/authorizer

• React SDK: https://github.com/authorizerdev/authorizer-react

• Javascript SDK: https://github.com/authorizerdev/authorizer-js

• Youtube: https://youtube.com/playlist?list=PLSQGbUjHc6bpaAgCiQPzNxiUPr7SkDAFR

• Examples: https://github.com/authorizerdev/examples/

• Discord: https://discord.gg/Zv2D5h6kkK

• Github Sponsorship: https://github.com/sponsors/authorizerdev/

• Buy me Coffee: https://www.buymeacoffee.com/lakhansamani

Authorizer is database independent open source auth solution. It supports 12+ databases including all the major SQL, NoSQL and Graph databases.

So, as a part of demo I created a Task Manager (TODO) application, which will allow authenticated user to

• Create Task
• Watch their own tasks
• Mark Task as done
• Delete Task

The tech stack we will be using is:

• DynamoDB to store user information and tasks
• Authorizer to authenticate and authorize users
• GoLang Gin Server to create tasks apis
• React to create frontend application
• EKS to deploy authorizer & go-gin server
• Netlify to deploy frontend application

Here is a small architecture diagram demonstrating how the overall application will look like

Code Repository

Github Repository: This repository contains code for TODO API, Frontend Application, EKS Cluster Creation, Ingress / Domain Setup

Let's Get Started

Prerequisite

• aws account
• iam user with permission for DynamoDB, EKS, EC2, IAM Policy Creation, Route53, EBS Controller
• kubectl
• awscli
• eksctl
• helm
• Configure AWS profile on your machine with user credentials
• Export your AWS credentials

  aws configure --profile PROFILE_NAME
  export AWS_PROFILE=PROFILE_NAME
  export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID
  export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
  

Step 1: Clone the Repository

git clone https://github.com/lakhansamani/authorizer-aws-demo.git

cd authorizer-aws-demo

Step 2: Create EKS Cluster

Note: You can update machine configuration in eks.yaml file.

eksctl create cluster -f eks.yaml

Step 3: Install Nginx Ingress

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

helm repo update

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
 --namespace ingress-nginx \
 --create-namespace \
 --timeout 600s \
 --debug \
 --set controller.publishService.enabled=true

Step 4: Install Cert Manager

Cert manager is used to generate TLS certificate

helm repo add jetstack https://charts.jetstack.io

helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml

helm install \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
 --version v1.8.2

Step 5: Install Authorizer

Note: Please change authorizer.authorizer_url as per your domain and URL.

helm repo add authorizer https://helm-charts.authorizer.dev

helm repo update

helm install \
 --set authorizer.database_type=dynamodb \
 --set authorizer.aws_access_key_id=${AWS_ACCESS_KEY_ID} \
 --set authorizer.aws_secret_access_key=${AWS_SECRET_ACCESS_KEY} \
 --set authorizer.aws_region=us-east-1 \
 --set authorizer.authorizer_url=https://auth.aws-demo.authorizer.dev \
 --set redis.install=true \
 --set redis.storage=5Gi \
 --set redis.storageClassName=gp2 \
 --set securityContext.readOnlyRootFilesystem=false \
authorizer authorizer/authorizer

Step 6: Create Route53 Hosted Zone

• Create Hosted Zone
• Create Subdomain Record with classic load balancer and select loadbalancer created by nginx

Example: auth.aws-demo.authorizer.dev in below screenshot

Step 7: Create Cluster Issuer with dns01 challenge

Note: Change email & hostzoneID as per step5 in cluster_issuer.yaml

Cert manager will add txt record and will verify the domain details using this issuer.

kubectl apply -f cluster_issuer.yaml

Step 8: Create Ingress for authorizer

Note: Change authorizer domain as per your auth domain in authorizer_ingress.yaml

kubectl apply -f authorizer_ingress.yaml

Open your authorizer dashboard, configure admin password and get client ID.

Step 9: Deploy API resources

Note: Change authorizer_client_id to based64 encoded value authorizer client_id value obtained in step 7 in api.yaml L:8. Also change domain name in ingress section.

kubectl apply -f api.yaml

Step 10: Deploy frontend

You can deploy frontend to provider of your choice OR on the same stack. For demo purpose I have deployed it on Netlify and connected subdomain there.

Thats all you need. Hope it makes your life easier to deploy authorizer + any other service on AWS

For more information check

• Website: https://authorizer.dev
• Docs: https://docs.authorizer.dev
• Github: https://github.com/authorizerdev/authorizer
• React-SDK: https://github.com/authorizerdev/authorizer-react
• JS-SDK: https://github.com/authorizerdev/authorizer-js
• Youtube: https://youtube.com/playlist?list=PLSQGbUjHc6bpaAgCiQPzNxiUPr7SkDAFR
• Discord: https://discord.gg/Zv2D5h6kkK
• Github Sponsorship: https://github.com/sponsors/authorizerdev
• Buy me coffee: https://www.buymeacoffee.com/lakhansamani