Foundation Platform · In Production

Identity for the Koder Stack

Cloud-native IAM with OIDC, OAuth2, MFA, passkeys, brute-force protection, and SSO. The identity backbone for every product in the Koder ecosystem.

# OIDC Discovery
GET /.well-known/openid-configuration

# Authorization Code + PKCE
GET /oauth/v2/authorize
  ?response_type=code
  &client_id=my-app
  &redirect_uri=https://app.example.com/cb
  &scope=openid
  &state=<random-state>
  &code_challenge=<base64url(sha256(code_verifier))>
  &code_challenge_method=S256

# Token exchange
POST /oauth/v2/token
  grant_type=authorization_code
  client_id=my-app
  code=auth_code_here
  redirect_uri=https://app.example.com/cb
  code_verifier=pkce_verifier

# Userinfo
GET /oidc/v1/userinfo
Authorization: Bearer <access_token>

# JWKS (public keys for JWT validation)
GET /oauth/v2/keys
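The code_verifier and code_challenge values used in the authorize and token requests above are derived as follows. This is an added example written in Go for this page, not code from the Koder ID project: NewPKCE builds the pair a client would generate, and VerifyPKCE shows the check the token endpoint is assumed to perform when the code is redeemed (the type and function names are this example's own).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// PKCE pair per RFC 7636: the client keeps the verifier secret, sends only the
// S256 challenge in the authorize request, and proves possession later by
// presenting the verifier at the token endpoint.
type PKCE struct {
	Verifier  string
	Challenge string
}

// NewPKCE draws 32 bytes from the CSPRNG (43 characters once base64url-encoded,
// the RFC minimum length) and derives the matching S256 challenge.
func NewPKCE() (PKCE, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return PKCE{}, err
	}
	verifier := base64.RawURLEncoding.EncodeToString(raw)
	return PKCE{Verifier: verifier, Challenge: S256Challenge(verifier)}, nil
}

// S256Challenge computes BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the token endpoint's check (assumed here): recompute the challenge
// from the presented verifier and compare it in constant time with the challenge
// stored next to the authorization code. Only S256 is accepted; "plain" is refused
// so a challenge observed in the authorize request can never double as the verifier.
func VerifyPKCE(storedChallenge, method, presentedVerifier string) bool {
	if method != "S256" || len(presentedVerifier) < 43 || len(presentedVerifier) > 128 {
		return false
	}
	got := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	p, err := NewPKCE()
	if err != nil {
		panic(err)
	}
	fmt.Println("code_verifier:   ", p.Verifier)
	fmt.Println("code_challenge:  ", p.Challenge)
	fmt.Println("correct verifier:", VerifyPKCE(p.Challenge, "S256", p.Verifier))
	fmt.Println("wrong verifier:  ", VerifyPKCE(p.Challenge, "S256", p.Verifier+"x"))
}
```

The verifier is the only secret in the exchange; the challenge travels through the browser and redirect, which is why the server must refuse the "plain" method and why the comparison is done in constant time against the value stored with the code.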

Production-Ready IAM

Every identity and access management feature your platform needs, built from scratch in Go.

🔐
OIDC / OAuth2

Full OpenID Connect and OAuth 2.0 with Authorization Code + PKCE, Client Credentials, and Refresh Token flows. RS256 JWT access tokens with JWKS endpoint.

🔑
MFA & Passkeys

TOTP, WebAuthn/FIDO2 passkeys (hardware-backed, passwordless), and email/SMS OTP. Pluggable MFA stack per user or org policy.

🌐
Single Sign-On

One login for the entire Koder ecosystem. OIDC SSO across all products — users sign in once and access everything.

🏢
Multi-Tenant

Tenant resolution by subdomain, custom domain, or header. Tenant-isolated user pools, policies, and configurations.

🛡️
Security First

Argon2id password hashing, brute-force protection, rate limiting, CORS, password strength policies, and client secret hashing.

🔄
Session Management

Hybrid sessions: JWT access tokens (15min) + stateful refresh tokens (30 days). Token rotation, reuse detection, and active session listing.

👤
User Management

Full CRUD API for users, groups, and roles. Admin console, self-service profile and password, and email verification.

🔧
Developer-First API

Clean RESTful API, introspection, revocation, dynamic client registration, and admin bootstrap endpoints.

📊
Observability

Prometheus metrics, structured JSON logs via zerolog, health check endpoint, and distributed tracing.
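The OIDC / OAuth2 card above describes RS256 access tokens with keys published at a JWKS endpoint. As an added example, not Koder ID's own code, here is what a resource server that receives such a token is assumed to do with the key material: select the key by kid, pin the algorithm, verify the signature, then check the claims. The JWKS is built in-process rather than fetched over HTTP, aud is treated as a single string, and all names (JWK, Claims, NewSigningKey, SignRS256, VerifyRS256) belong to this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout
// JWK is one RSA entry of a JWKS document (RFC 7517), reduced to the fields RS256 verification needs.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // modelled as a single string; RFC 7519 also allows an array
	Exp int64  `json:"exp"`
}

// NewSigningKey generates the issuer's RSA key pair; 2048 bits is the usual floor for RS256.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// JWKFromPublicKey is the issuer side: how a signing key is published under /keys.
func JWKFromPublicKey(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// PublicKeyFromJWK rebuilds the key from big-endian n and e on the consumer side.
func PublicKeyFromJWK(k JWK) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, errors.New("JWK is not a well-formed RSA key")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// SignRS256 mints a compact JWT; it is here only so VerifyRS256 has a realistic token to check.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is what a resource server does with an access token: alg is pinned to RS256 (the header is checked,
// never trusted to pick the verifier), the key is chosen by kid, the signature is verified over the exact
// header.payload bytes received, and only then are iss, aud and exp (against now, in Unix seconds) enforced.
func VerifyRS256(token string, keys []JWK, wantIss, wantAud string, now int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return c, errors.New("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("header rejected: alg must be RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid {
			pub, _ = PublicKeyFromJWK(k) // a malformed entry leaves pub nil
		}
	}
	if pub == nil {
		return c, errors.New("no usable JWKS entry matches kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("invalid signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return c, errors.New("claims rejected: iss, aud or exp")
	}
	return c, nil
}
```

In a deployment the key list would come from the jwks_uri advertised in /.well-known/openid-configuration and be cached, with a refetch when an unknown kid appears so that issuer key rotation does not break verification. The order of checks matters: the algorithm and key are fixed by the verifier before the signature is examined, and claims are read only from a payload whose signature has already passed.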

OIDC Endpoints at a Glance

Standard OIDC and OAuth 2.0 endpoints — compatible with any library or framework.

Standard Protocol Endpoints

All endpoints follow OIDC Core 1.0, OAuth 2.0 RFC 6749/7636, and related standards. Compatible with any OIDC library.

  • Discovery at /.well-known/openid-configuration
  • Authorization Code with PKCE S256
  • Refresh token rotation with reuse detection
  • Dynamic client registration (RFC 7591)

# Standard OIDC endpoints
Discovery    GET /.well-known/openid-configuration
Auth         GET /oauth/v2/authorize
Token        POST /oauth/v2/token
JWKS         GET /oauth/v2/keys
Introspect   POST /oauth/v2/introspect
Revoke       POST /oauth/v2/revoke
UserInfo     GET /oidc/v1/userinfo
End Session  GET /oidc/v1/end_session
Reg          POST /oauth/v2/register

# REST API
Users        POST/GET /v1/users
User         GET/PATCH/DEL /v1/users/{id}
Auth Flows   POST /v1/auth/flows
Sessions     GET/DEL /v1/sessions
Tenants      POST/GET /v1/admin/tenants
API Keys     POST/GET /v1/admin/api-keys
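The Session Management card and the "Refresh token rotation with reuse detection" item above describe stateful refresh tokens that are rotated on every use. The following is an added example in Go, not the session service's code, of the logic that makes reuse detection work: an in-memory store (assumed here in place of the real storage backend) tracks every token's family, and presenting a token that was already rotated revokes the whole family. The type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

var (
	ErrUnknownToken  = errors.New("unknown refresh token")
	ErrExpired       = errors.New("refresh token expired")
	ErrReuseDetected = errors.New("refresh token reuse detected: session family revoked")
)

// refreshRecord is the server-side state behind one stateful refresh token.
// Every token descended from the same login shares a Family; rotation marks
// the presented token Used and issues a successor in that family.
type refreshRecord struct {
	Family  string
	UserID  string
	Expires time.Time
	Used    bool
}

// RefreshStore is an in-memory stand-in for the session service's database
// (an assumption of this example; the real storage backend is not modelled).
type RefreshStore struct {
	mu      sync.Mutex
	tokens  map[string]*refreshRecord
	revoked map[string]bool // families killed by reuse detection
	ttl     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewRefreshStore(ttl time.Duration) *RefreshStore {
	return &RefreshStore{tokens: map[string]*refreshRecord{}, revoked: map[string]bool{}, ttl: ttl, Now: time.Now}
}

// newToken returns 128 bits of CSPRNG output as hex: the bearer secret handed
// to the client, never derived from anything user-controlled.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login starts a new token family for a fresh sign-in and returns its first refresh token.
func (s *RefreshStore) Login(userID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok := newToken()
	s.tokens[tok] = &refreshRecord{Family: newToken(), UserID: userID, Expires: s.Now().Add(s.ttl)}
	return tok
}

// Rotate exchanges a refresh token for its successor. A token that was already
// rotated coming back is the reuse signal: the legitimate client or a thief is
// holding a stale copy, and because the server cannot tell which, the whole
// family is revoked and both parties are forced to sign in again.
func (s *RefreshStore) Rotate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[token]
	if !ok {
		return "", ErrUnknownToken
	}
	if s.revoked[rec.Family] || rec.Used {
		s.revoked[rec.Family] = true
		return "", ErrReuseDetected
	}
	if !s.Now().Before(rec.Expires) {
		return "", ErrExpired
	}
	rec.Used = true
	next := newToken()
	s.tokens[next] = &refreshRecord{Family: rec.Family, UserID: rec.UserID, Expires: s.Now().Add(s.ttl)}
	return next, nil
}

// ActiveSessions counts the families of a user that still hold a live, unused
// token: the data behind an "active session listing" view.
func (s *RefreshStore) ActiveSessions(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for _, rec := range s.tokens {
		if rec.UserID == userID && !rec.Used && !s.revoked[rec.Family] && s.Now().Before(rec.Expires) {
			n++
		}
	}
	return n
}
```

Revoking the family rather than just the replayed token is the point of the design: a stolen refresh token and its legitimate owner race to rotate, and whichever loses the race surfaces the theft. A store backed by a real database would additionally write the revocation to the audit log and expire used records after the 30-day window.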

Secure by Default

Every security best practice implemented and enforced by default. No configuration required to be secure.

  • Argon2id for password hashing
  • PKCE mandatory for public clients
  • Brute-force protection on all auth endpoints
  • Token binding and reuse detection

# Create a new user
POST /v1/users
Authorization: Bearer <admin-token>
{
  "username": "alice",
  "email": "alice@koder.dev",
  "password": "<strong-password>"
}

# Start an auth flow
POST /v1/auth/flows
{ "username": "alice" }

# Complete with password
POST /v1/auth/flows/{id}/password
{ "password": "<password>" }

# Complete with TOTP
POST /v1/auth/flows/{id}/totp
{ "code": "123456" }

Architecture

Five microservices + API Gateway. Each service has its own gRPC and HTTP interface.

Internet → Gateway (:8443)
TLS termination · Rate limiting · JWT verification · Request routing
Identity (:4001 gRPC / :4011 HTTP)
User CRUD · Profile · Password hashing (Argon2id) · Email verification
Auth (:4002 gRPC / :4012 HTTP)
Auth flows · TOTP · WebAuthn/Passkeys · Brute-force protection
OAuth (:4003 gRPC / :4013 HTTP)
OIDC endpoints · PKCE · JWT (RS256) · JWKS · Client registry
Session (:4004 gRPC / :4014 HTTP)
Hybrid sessions · Token rotation · Reuse detection · Active sessions
Admin (:4005 gRPC / :4015 HTTP)
Tenant management · API keys · Bootstrap · Audit log
Storage
KDB (via REST API) with in-memory fallback for development

How It Compares

Native, fast, and built for the Koder Stack — not a third-party integration.

Feature                      | Koder ID | Auth0 | Keycloak | Okta
OIDC / OAuth2
PKCE (mandatory for public)
WebAuthn / Passkeys
Koder ecosystem SSO
Multi-tenant native          (Enterprise tier on two of the compared products)
Microservice architecture
No per-MAU pricing
KDB storage backend

One identity layer. Every Koder product.

Sign in once. Access everything in the Koder ecosystem.
