{"id":50663080,"url":"https://github.com/sgrastar/authrim","last_synced_at":"2026-06-08T04:00:43.726Z","repository":{"id":330921037,"uuid":"1093550255","full_name":"sgrastar/authrim","owner":"sgrastar","description":"✨ Authrim — OpenID Certified™ open-source edge-native OIDC Provider for modern serverless runtimes","archived":false,"fork":false,"pushed_at":"2026-06-06T01:20:57.000Z","size":25633,"stargazers_count":15,"open_issues_count":18,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-06T03:11:12.042Z","etag":null,"topics":["authentication","authorization","authrim","cloudflare","edge-computing","identity","oauth2","oidc","openid-connect","passkey","serverless","serverless-applications"],"latest_commit_sha":null,"homepage":"https://authrim.com","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sgrastar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-10T14:21:04.000Z","updated_at":"2026-06-03T17:54:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sgrastar/authrim","commit_stats":null,"previous_names":["sgrastar/authrim"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/sgrastar/authrim","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sgrastar%2Fauthrim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sgrastar%2Fauthrim/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sgrastar%2Fauthrim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sgrastar%2Fauthrim/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sgrastar","download_url":"https://codeload.github.com/sgrastar/authrim/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sgrastar%2Fauthrim/sbom","scorecard":{"id":1243035,"data":{"date":"2026-02-06T15:45:50Z","repo":{"name":"github.com/sgrastar/authrim","commit":"78e76d95365eb9e280064ef043d9e1c9d41ac396"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":6.9,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: monosashi contributor org/company found, nttcom online marketing solutions corporation contributor org/company found, anthropics contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: no dependency update tool configurations found"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: TypeScriptPropertyBasedTesting integration found: packages/ar-bridge/src/__tests__/crypto.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-bridge/src/__tests__/helpers/fc-generators.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-bridge/src/__tests__/pkce.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-core/src/utils/__tests__/helpers/fc-generators.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-core/src/utils/__tests__/jwt.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-core/src/utils/__tests__/pkce.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-core/src/utils/__tests__/validation.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-scim/src/__tests__/helpers/fc-generators.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-scim/src/__tests__/scim-filter.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-lib-scim/src/__tests__/scim-mapper.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-saml/src/common/__tests__/helpers/fc-generators.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-saml/src/common/__tests__/slo-messages.property.test.ts:9","Info: TypeScriptPropertyBasedTesting integration found: packages/ar-saml/src/common/__tests__/xml-encoding.property.test.ts:9"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-setup.yml:16"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: npmCommand not pinned by hash: .github/workflows/publish-setup.yml:35","Info:  18 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:   7 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (3) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:32","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:34","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/conformance-test.yml:55","Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-setup.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:20","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-02-06T21:27:43.820Z","repository_id":330921037,"created_at":"2026-02-06T21:27:43.820Z","updated_at":"2026-02-06T21:27:43.820Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34047266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","authrim","cloudflare","edge-computing","identity","oauth2","oidc","openid-connect","passkey","serverless","serverless-applications"],"created_at":"2026-06-08T04:00:21.533Z","updated_at":"2026-06-08T04:00:43.718Z","avatar_url":"https://github.com/sgrastar.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authrim\n\n\u003e **Open Source Identity \u0026 Access Platform for the modern web**\n\nAn open-source, serverless **Identity Hub** that combines authentication, authorization, and identity federation on **Cloudflare's global edge network**.\n\n[![Open Source](https://img.shields.io/badge/Open%20Source-Apache%202.0-green.svg)](LICENSE)\n[![TypeScript](https://img.shields.io/badge/TypeScript-5.9-blue?logo=typescript)](https://www.typescriptlang.org/)\n[![Cloudflare Workers](https://img.shields.io/badge/Cloudflare-Workers-orange?logo=cloudflare)](https://workers.cloudflare.com/)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fsgrastar%2Fauthrim.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fsgrastar%2Fauthrim?ref=badge_shield)\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd\u003e\n\u003ca href=\"https://openid.net/certification/\"\u003e\n  \u003cimg src=\"./docs/images/openid-certified.jpg\" alt=\"OpenID Certified\" height=\"100\"\u003e\n\u003c/a\u003e\n\u003c/td\u003e\n\u003ctd\u003e\n✓ \u003ca href=\"https://openid.net/certification/certified-openid-providers-profiles/\"\u003eOpenID Provider\u003c/a\u003e (7 profiles)\u003cbr\u003e\n✓ \u003ca href=\"https://openid.net/certification/certified-openid-providers-for-logout-profiles/\"\u003eLogout Profiles\u003c/a\u003e (4 profiles)\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n## ⚠️ Pre-1.0 Software\n\nAuthrim is functional but pre-1.0. APIs may change, and no formal security audit has been completed yet.\nEvaluate thoroughly before production use.\nProduction hardening is tracked against documented deployment, operations, recovery, auditability, and protocol/security validation criteria in the roadmap.\n\nAuthrim is still under active development, and breaking changes, including database schema changes, are expected until at least 0.5.0 and possibly until 1.0.0.\n\n### For Organizations Considering Adoption\n\nAuthrim is open source, and we also accept consultations for adoption planning, evaluation, and PoC.\n\nFor details, see [Adoption Support and Consultation](./docs/adoption-support.md).\n\n## Vision\n\n**Authrim** is a unified Identity \u0026 Access Platform combining:\n\n- **Authentication** — OIDC Provider, Social Login, Passkey, SAML\n- **Authorization** — RBAC, ABAC, ReBAC policy engine built-in\n- **Identity Federation** — Multiple identity sources into one unified identity\n\nDesigned for low-latency edge deployment on Cloudflare Workers.\n\n```bash\nnpx @authrim/setup\n```\n\n[Read the full vision](./docs/VISION.md)\n\n## Quick Start\n\n### Option 1: Using the published setup package (Recommended)\n\n```bash\n# Interactive setup from npm\nnpx @authrim/setup\n\n# Or CLI mode for terminal-based setup\nnpx @authrim/setup --cli\n```\n\nThe setup package can download the Authrim source into a local project directory before provisioning and deployment.\n\nThe setup wizard will guide you through:\n- Cloudflare authentication\n- Resource provisioning (D1, KV, Queues, R2)\n- Key generation\n- Standard API capability deployment, including SAML IdP, Device Flow / CIBA, and VC SD-JWT\n- Optional Admin UI and Login UI deployment\n- Tenant discovery, including domain, email-domain, and WAYF-style tenant selection modes\n- Worker deployment\n- Initial admin creation\n\n### Option 2: Clone the source and run the setup tool\n\nUse this path when you want to inspect or modify the source code while still using the setup workflow.\n\n```bash\n# 1. Clone and install\ngit clone https://github.com/sgrastar/authrim.git\ncd authrim\npnpm install\n\n# 2. Launch the local setup tool\npnpm run setup\n```\n\nThe local setup command runs the same setup package from the workspace source.\n\n### Option 3: Scripted Setup (Development)\n\n```bash\n# 1. Clone and install\ngit clone https://github.com/sgrastar/authrim.git\ncd authrim\npnpm install\n\n# 2. Initialize a dev environment from the current setup implementation\npnpm run setup:init --env=dev --cli\n\n# Optional: deploy or inspect the generated environment from source\npnpm run setup:deploy --env=dev\npnpm run setup:info --env=dev\n\n# 3. Run locally\npnpm run dev\n# → http://localhost:8787/.well-known/openid-configuration\n```\n\nThe setup command creates `.authrim/dev`, generates keys, provisions current Cloudflare resources\nincluding D1, KV, Queues, and R2, writes generated Wrangler configuration, applies the current root\nmigration set, and keeps optional Admin UI / Login UI deployment settings aligned with the setup\nconfiguration.\n\n📚 **Full guides:** [Development](./docs/getting-started/development.md) | [Deployment](./docs/getting-started/deployment.md) | [Testing](./docs/getting-started/testing.md) | [Setup CLI](./packages/setup/README.md)\n\n## Performance\n\nK6 Cloud distributed load testing in December 2025 validated Authrim's current sharded Workers architecture under representative OIDC workloads.\n\nObserved benchmark results include:\n\n- Token-oriented endpoints: **2,500-3,500 RPS** within tested capacity limits\n- Full 5-step OAuth login flow: **150 logins/sec** with P95 around 756ms\n- CPU time: typically **1-4ms** in the tested scenarios\n\nCapacity depends on workload shape, Cloudflare plan limits, storage usage, and sharding configuration.\n\n[View detailed reports](./load-testing/reports/Dec2025/)\n\n## Approximate Cloudflare Cost (Reference Only)\n\n⚠️ The following table is a **rough reference only**.  \nActual costs depend on request volume, CPU time, and usage of KV / D1 / R2.\n\n| Product Scale                   | Users (Total) | Est. CF Cost | Notes                                |\n| ------------------------------- | ------------: | -----------: | ------------------------------------ |\n| Side project / Portfolio        |           ~1K |         Free | Workers Free tier (limited requests) |\n| Internal tool / Small community |          ~10K |       ~$5/mo | Paid plan base                       |\n| Startup SaaS / Small e-commerce |          ~50K |    ~$5–15/mo | Light API usage                      |\n| Growing B2B SaaS                |         ~100K |   ~$15–30/mo | Moderate auth traffic                |\n| Mid-size consumer app           |         ~500K |   ~$30–60/mo | KV/DO costs accumulate               |\n| Enterprise SaaS                 |           ~1M |  ~$60–120/mo | Cached / sharded                     |\n| High-traffic consumer service   |           ~5M | ~$150–300/mo | Heavy auth traffic                   |\n| Large-scale platform            |          ~10M | ~$300–600/mo | 150 login/sec tested                 |\n\n### Assumptions\n\n- Workers Paid plan ($5/month)\n- Optimized request patterns (caching, batching)\n- Typical authentication flows (OIDC, token refresh)\n- Excludes large R2 storage and excessive KV/D1 writes\n- Assumes ~20% DAU with weekly logins\n- Authrim scales primarily with **requests and CPU time**, not with user count\n\n### Verified by Load Testing (Dec 2025)\n\n| Metric                 | Value                 | Cost         |\n| ---------------------- | --------------------- | ------------ |\n| Workers Requests       | 18M/month             | $5.70 (7%)   |\n| KV Reads               | 78M/month             | $39.00 (44%) |\n| DO Requests + Duration | 64M/month             | $22.10 (25%) |\n| D1 Writes              | 6.8M rows             | $7.00 (8%)   |\n| Base fee               | —                     | $5.00 (6%)   |\n| **Total (excl. tax)**  | **≈ 5M users equiv.** | **$79.78**   |\n\n**Request-to-User conversion:**\n\n- 1 OIDC login ≈ 4 requests (authorize → token → userinfo → discovery)\n- 18M requests ≈ 4.5M logins/month\n- With 20% DAU and weekly login assumption → **~5M total users equivalent**\n\n\u003e Infrastructure cost only (self-hosted). No vendor fees. See [Cloudflare pricing](https://developers.cloudflare.com/workers/platform/pricing/) for details.\n\n---\n\n## Current Status\n\nAuthrim is currently pre-1.0. Core protocol and platform capabilities are implemented, but production hardening is still in progress.\n\n**Target release window:** Summer/Fall 2026\n\n| Area | Status |\n| ----- | ------ |\n| Core OIDC/OAuth implementation | Implemented |\n| FAPI profiles | Implemented; certification target |\n| CIBA | Implemented; certification target |\n| SAML 2.0 IdP/SP | Active; implementation substantially complete with local entity metadata, signing rollover, and Admin UI operations |\n| SCIM 2.0 | Implemented |\n| RBAC / ABAC / ReBAC policy engine | Implemented |\n| Identity Hub and external IdP integration | Implemented |\n| Passkey / email auth / local auth | Implemented; production flow hardening in progress |\n| JavaScript SDKs | Implemented |\n| Setup tooling | Implemented; production deployment docs in progress |\n| UI consolidation | Active; Admin/Login/setup flows are being polished against the current Workers deployment model |\n| Security, QA, and validation | Active |\n| Storage portability | Implementation baseline complete; validation active |\n| Multi-tenant isolation | Implementation baseline complete; validation active |\n| Operational logging and evidence | Implementation baseline complete; validation active |\n\n[View detailed roadmap](./docs/ROADMAP.md)\n\n---\n\n## Technical Stack\n\n### Backend (API)\n\n| Layer         | Technology                | Version  | Purpose                            |\n| ------------- | ------------------------- | -------- | ---------------------------------- |\n| **Runtime**   | Cloudflare Workers        | -        | Global edge deployment             |\n| **Framework** | Hono                      | 4.12.x   | Fast, lightweight web framework    |\n| **Language**  | TypeScript                | 5.9.x    | Type-safe development              |\n| **Build**     | Turbo + pnpm              | 2.7.x / 9.x | Monorepo, parallel builds, caching |\n| **Deployment** | Wrangler                 | 4.59.x   | Workers deployment and local runtime |\n| **Storage**   | KV / D1 / Durable Objects / Hyperdrive | - | Cloudflare-native persistence with external database paths where supported |\n| **Crypto**    | JOSE                      | 6.1.x    | JWT/JWS/JWE/JWK (RS256, ES256)     |\n| **WebAuthn**  | SimpleWebAuthn            | 13.2.x   | Passkey authentication             |\n| **SAML**      | xmldom + xml-crypto + pako | 0.8.x / 6.1.x / 2.1.x | SAML 2.0 XML processing, signatures, and bindings |\n| **Email**     | Cloudflare Email Sending  | -        | Workers `send_email` binding for transactional email |\n| **Email**     | Resend                    | 6.8.x    | Magic Link, OTP delivery           |\n| **Testing**   | Vitest + Playwright       | 4.0.x / 1.57.x | Unit, integration, and E2E tests |\n\n### Frontend (UI)\n\n| Layer          | Technology               | Version   | Purpose                        |\n| -------------- | ------------------------ | --------- | ------------------------------ |\n| **Framework**  | SvelteKit + Svelte       | 2.53.x / 5.53.x | Modern reactive framework |\n| **Deployment** | Cloudflare Workers static assets | - | UI Workers and global edge delivery |\n| **Build**      | Vite                     | 7.3.x     | UI build and dev server        |\n| **CSS**        | UnoCSS                   | 66.6.x    | Utility-first CSS              |\n| **Components** | Melt UI                  | 0.86.x    | Headless, accessible components |\n| **Icons**      | UnoCSS preset-icons + Iconify Heroicons / Phosphor | 66.6.x / 1.2.x | Utility icon classes and selectable Login UI provider icons |\n| **i18n**       | typesafe-i18n            | 5.26.x    | Type-safe internationalization |\n| **WebAuthn**   | SimpleWebAuthn Browser   | 13.2.x    | Client-side passkey support    |\n| **Testing**    | Vitest + Testing Library | 4.0.x / 5.2.x-next | Component tests                |\n\n## Features\n\n| Area | Implementation | Operational maturity | Notes |\n| --- | --- | --- | --- |\n| OpenID Provider | Complete | Ready | Certified OpenID Provider and Logout profiles |\n| OAuth/OIDC advanced profiles | Complete | In progress | PAR, DPoP, JAR, JARM, JWE, claims policy, token exchange |\n| FAPI profiles | Complete | In progress | FAPI 2.0 policy controls and certification profiles; formal certification is planned |\n| SAML 2.0 IdP/SP | Hardening active | In progress | Tenant-scoped IdP/SP endpoints, metadata import/export, configurable entityIDs, interactive login redirect policy, signing certificate subject/rollover, encryption options, SSO/SLO correlation, and DR planning |\n| SCIM 2.0 | Complete | In progress | User provisioning |\n| Authentication | Complete | In progress | Passkey, email code, social login, Direct Auth, device flow, CIBA |\n| CIBA | Complete | In progress | Backchannel authentication, approval, polling, and request storage paths |\n| Native SSO | Complete | In progress | `device_secret`, `ds_hash`, and DPoP-bound token exchange support |\n| Authorization | Complete | In progress | RBAC, ABAC, ReBAC, token embedding, real-time check API |\n| Identity Hub | Complete | In progress | External IdP integration, account linking, identity stitching |\n| VC/DID | Complete | Experimental | OpenID4VP, OpenID4VCI, did:web, did:key |\n| SDKs | Complete | In progress | Core, web, server, and SvelteKit packages |\n| Admin/Login UI | Basic complete | In progress | Admin UI includes SAML entity info, database connections, storage destinations, logging controls, and tenant discovery settings; Login UI supports configured provider logos/icons |\n| Runtime storage profiles | Basic complete | In progress | Runtime profiles, setup-managed D1/R2 inventory, tenant D1 assignment visibility, and Hyperdrive-backed user core, PII, custom/extension, and audit paths exist; control-plane storage remains D1/KV-biased |\n| Multi-tenancy isolation | Baseline complete | In progress | Tenant-scoped issuer routing, storage access, admin boundaries, job artifacts, and regression coverage are in place |\n| Logging and operational evidence | Basic complete | In progress | Structured runtime logs, admin/user audit logs, diagnostic detail, sensitive detail chunks, delivery events, DLQ replay, and storage-destination controls are implemented |\n\nSee [Feature Matrix](./docs/FEATURES.md) for a more detailed capability and SDK overview.\n\n---\n\n## Contributing\n\nAuthrim is open source under Apache 2.0, currently maintained by a single author.\n\n- 🐛 **Bug reports** — Welcome via [GitHub Issues](https://github.com/sgrastar/authrim/issues)\n- 💡 **Feature requests** — Welcome via [GitHub Discussions](https://github.com/sgrastar/authrim/discussions)\n- 🔧 **Pull requests** — Not accepted at this time (see [CONTRIBUTING.md](./CONTRIBUTING.md) for details)\n\n---\n\n## License\n\nApache License 2.0 © 2025 [Yuta Hoshina](https://github.com/sgrastar)\n\nSee [LICENSE](./LICENSE) for details.\n\n---\n\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fsgrastar%2Fauthrim.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fsgrastar%2Fauthrim?ref=badge_large)\n\n## Community\n\n- **GitHub**: [sgrastar/authrim](https://github.com/sgrastar/authrim)\n- **Issues**: [Report bugs](https://github.com/sgrastar/authrim/issues)\n- **Discussions**: [Feature requests](https://github.com/sgrastar/authrim/discussions)\n- **Email**: yuta@sgrastar.org\n\n---\n\n\u003e **Authrim** — _Identity \u0026 Access at the edge of everywhere_\n\u003e\n\u003e **Status:** Pre-1.0 | Target release window: Summer/Fall 2026 | Production hardening in progress\n\u003e\n\u003e _A self-hosted Identity \u0026 Access Platform for modern applications._\n\u003e\n\u003e ```bash\n\u003e npx @authrim/setup\n\u003e ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsgrastar%2Fauthrim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsgrastar%2Fauthrim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsgrastar%2Fauthrim/lists"}