{"id":48320821,"url":"https://github.com/snehasaisneha/gatekeeper","last_synced_at":"2026-04-05T00:39:46.163Z","repository":{"id":334875603,"uuid":"1143087101","full_name":"snehasaisneha/gatekeeper","owner":"snehasaisneha","description":"Lightweight, self-hosted auth gateway for internal tools. Email OTP, Google/Github SSO, Passkeys. Multi-app SSO via nginx auth_request.","archived":false,"fork":false,"pushed_at":"2026-03-26T10:03:25.000Z","size":942,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T03:33:14.131Z","etag":null,"topics":["agpl-3-0","authentication-service","fastapi"],"latest_commit_sha":null,"homepage":"https://gatekeeper-gk.readthedocs.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snehasaisneha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-27T06:50:12.000Z","updated_at":"2026-03-26T10:03:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/snehasaisneha/gatekeeper","commit_stats":null,"previous_names":["snehasaisneha/staticauth","snehasaisneha/gatekeeper"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/snehasaisneha/gatekeeper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snehasaisneha%2Fgatekeeper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snehasaisneha%2Fgatekeeper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snehasaisneha%2Fgatekeeper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snehasaisneha%2Fgatekeeper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snehasaisneha","download_url":"https://codeload.github.com/snehasaisneha/gatekeeper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snehasaisneha%2Fgatekeeper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31420527,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T00:25:07.052Z","status":"ssl_error","status_checked_at":"2026-04-05T00:25:05.923Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agpl-3-0","authentication-service","fastapi"],"created_at":"2026-04-05T00:39:46.009Z","updated_at":"2026-04-05T00:39:46.092Z","avatar_url":"https://github.com/snehasaisneha.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Gatekeeper\n\nSelf-hosted auth gateway for internal tools. Email OTP, passkeys, Google, GitHub, multi-app SSO, and an admin/security surface for approvals, app access, bans, and audit review.\n\n© 2025 Sai Sneha · [AGPL-3.0-or-later](LICENSE)\n\nGatekeeper is free to use, modify, and self-host, in perpetuity. Source sharing is only required if you offer a modified version of Gatekeeper as a public service.\n\n## Why Gatekeeper?\n\nYou have internal tools — docs, dashboards, Jupyter notebooks, admin panels. You need auth, but:\n\n- **Auth0/Okta** = $23+/user/month, your data on their servers\n- **Keycloak** = 512MB+ RAM, days of setup, enterprise complexity\n- **Cloudflare Access** = traffic through their network, vendor lock-in\n- **Basic auth** = unhashed passwords, no audit trail, security theater\n\nGatekeeper sits behind an auth hostname such as `auth.example.com` and protects sibling subdomains through nginx `auth_request`.\n\n## Features\n\n- **Google SSO + GitHub SSO + Email OTP + Passkeys** — Multiple auth methods, no passwords\n- **Zero-friction onboarding** — Users from approved domains sign in directly, no registration\n- **Multi-app SSO** — One login for all your internal tools (`*.company.com`)\n- **Role-based access** — Control who accesses what, with optional role hints\n- **Admin panel** — Approve users, manage domains and apps\n- **Security controls** — IP and email bans, audit logs, rate limits, public-docs disablement\n- **CLI tools** — `gk users`, `gk apps`, `gk domains`, `gk ops` for headless management\n- **SQLite or PostgreSQL** — Zero-config default, scales when needed\n- **SES or SMTP** — Bring your own email provider\n\n## Quick Start\n\n```bash\n# Clone and configure\ngit clone \u003crepo\u003e \u0026\u0026 cd gatekeeper\nuv sync\ncp .env.example .env\n\n# Initialize\nuv run all-migrations\nuv run gk users add --email admin@example.com --admin --seeded\n\n# Run locally\nnpm -C frontend run build\nuv run gk ops serve --host 127.0.0.1 --port 8000\n```\n\nFrontend dev mode: `cd frontend \u0026\u0026 npm install \u0026\u0026 npm run dev`\n\nIn production, keep `PUBLIC_API_DOCS=false`, set `TRUSTED_PROXY_IPS` to only your proxy tiers, and put `X-Robots-Tag: noindex, nofollow, noarchive` on the public auth and internal app hostnames.\n\n## Protecting Apps\n\n1. Register an app in Gatekeeper:\n\n   ```bash\n   uv run gk apps add --slug docs --name \"Documentation\"\n   uv run gk apps grant --slug docs --email user@example.com\n   ```\n\n2. Configure nginx to validate requests:\n   ```nginx\n   location / {\n       auth_request /_gatekeeper/validate;\n       proxy_set_header X-Auth-User $auth_user;\n       proxy_pass http://your-app:3000;\n   }\n   ```\n\nSee [`deployment/`](deployment/), [`deployment/README.md`](deployment/README.md), and the Sphinx guides under [`docs/source/guides`](docs/source/guides) for the current nginx and rollout flow.\n\n## CLI\n\n```bash\n# User management\nuv run gk users add --email user@example.com\nuv run gk users list\nuv run gk users approve --email user@example.com\n\n# Domain management (auto-approve users from these domains)\nuv run gk domains add --domain company.com\nuv run gk domains list\n\n# App management\nuv run gk apps add --slug grafana --name \"Grafana\"\nuv run gk apps grant --slug grafana --email user@example.com --role admin\nuv run gk apps list\n\n# Operations\nuv run gk ops test-email --to you@example.com\nuv run gk ops healthcheck\n```\n\n## Configuration\n\nKey environment variables (see `.env.example` for all):\n\n| Variable              | Description                                         |\n| --------------------- | --------------------------------------------------- |\n| `SECRET_KEY`          | Signing key (min 32 chars)                          |\n| `DATABASE_URL`        | `sqlite+aiosqlite:///./gatekeeper.db` or PostgreSQL |\n| `ACCEPTED_DOMAINS`    | Seed approved internal domains on startup           |\n| `EMAIL_PROVIDER`      | `ses` or `smtp`                                     |\n| `COOKIE_DOMAIN`       | `.example.com` for multi-app SSO                    |\n| `OTP_SEND_LIMIT_PER_EMAIL_IP` | Per email+IP OTP send throttle                |\n| `OTP_VERIFY_FAIL_LIMIT_PER_EMAIL_IP` | Per email+IP OTP verify throttle      |\n| `AUTO_IP_BAN_FAILURE_THRESHOLD` | Failures from one IP before auto-ban         |\n| `AUTO_IP_BAN_DURATION_HOURS` | Duration for automatic temporary IP bans         |\n| `PUBLIC_API_DOCS`     | Leave `false` in production                         |\n| `TRUSTED_PROXY_IPS`   | Proxy IPs/CIDRs allowed to set forwarded IP headers |\n| `GOOGLE_CLIENT_ID`    | Google OAuth client ID (optional)                   |\n| `GOOGLE_CLIENT_SECRET`| Google OAuth client secret (optional)               |\n| `GITHUB_CLIENT_ID`    | GitHub OAuth client ID (optional)                   |\n| `GITHUB_CLIENT_SECRET`| GitHub OAuth client secret (optional)               |\n| `WEBAUTHN_RP_ID`      | Domain for passkey registration                     |\n\n## Production Deployment\n\n```bash\n# On your server\nuv run all-migrations\nuv run gk users add --email admin@example.com --admin --seeded\n\n# Systemd\nsudo cp deployment/systemd/gatekeeper.service /etc/systemd/system/\nsudo systemctl enable --now gatekeeper\n\n# Nginx\nsudo cp deployment/nginx/gatekeeper-server.conf /etc/nginx/sites-available/gatekeeper\nsudo certbot --nginx -d auth.example.com\n```\n\nSee [`deployment/README.md`](deployment/README.md) for the full deployment guide and [`docs/source/guides/rollouts.md`](docs/source/guides/rollouts.md) for the rollout checklist.\n\n## Who This Is For\n\n**Good fit:**\n\n- Small to medium teams (5–100 users)\n- 3–10 internal tools needing protection\n- Self-hosted requirement (data residency, compliance)\n- Teams using Google Workspace or GitHub (one-click SSO)\n\n**Not a fit:**\n\n- Enterprise scale (1000+ users, complex RBAC hierarchies)\n- Multi-tenant SaaS (customer-facing auth)\n- Need for SAML/OIDC provider integration beyond Google/GitHub\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnehasaisneha%2Fgatekeeper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnehasaisneha%2Fgatekeeper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnehasaisneha%2Fgatekeeper/lists"}