Authgear is an open-source alternative to Auth0, Clerk, and Firebase Auth that provides a complete, self-hostable identity and access management (IAM) platform. It’s built for developers building SaaS applications, mobile apps, or microservices who need secure, scalable authentication without vendor lock-in. Authgear solves the complexity of implementing modern authentication — from passkeys and biometrics to SAML SSO and RBAC — with pre-built UIs, APIs, and admin tools.
Built in Go, Authgear offers a modular architecture with a core server, Admin API (GraphQL), AuthUI (customizable login/registration pages), and a web-based Portal for configuration. It supports deployment via Helm on Kubernetes, Docker, or as a cloud SaaS. The platform integrates with OAuth2, OIDC, SAML, and supports webhooks and TypeScript hooks for extensibility.
What You Get
- Passkeys (FIDO2) - Passwordless login using biometrics, hardware security keys, and password managers that implement the FIDO2 standards, eliminating the vulnerabilities that come with passwords.
- Multi-Factor Authentication (MFA) - Built-in TOTP (Google Authenticator, Authy), SMS, and Email OTP for adaptive security layers without custom code.
- Admin API (GraphQL) - Full programmatic control over users, sessions, roles, and policies via a powerful GraphQL interface for automation and integration.
- AuthUI (Pre-built Authentication Pages) - Customizable, responsive login, signup, and account settings pages with dark/light mode support and i18n localization.
- SSO via SAML and OAuth2 - Out-of-the-box integration with enterprise identity providers such as ADFS and LDAP, and with social providers such as Google, Apple, Facebook, and LinkedIn.
- User Management Portal - Web-based GUI for managing users, revoking sessions, viewing audit logs, monitoring login attempts, and configuring MFA policies.
- Webhooks and TypeScript Hooks - Trigger custom logic on events like user signup or login using webhooks or server-side TypeScript functions.
- Role-Based Access Control (RBAC) - Define granular user roles and permissions to control access across applications and microservices.
- I18n and Custom Email/SMS Templates - Translate authentication flows and customize email/SMS content for global user bases with dynamic variables.
- Brute Force Protection & Rate Limits - Automatic bot detection, login attempt throttling, and suspicious activity monitoring for enterprise security compliance.
Common Use Cases
- Running a SaaS platform with multi-tenant authentication - A B2B SaaS company uses Authgear to provide separate, branded login experiences for each client organization via SAML SSO and custom RBAC rules.
- Building a mobile app with biometric login - A fintech startup integrates Authgear’s iOS and Android SDKs to enable Face ID and Touch ID authentication, reducing drop-offs during onboarding.
- Securing a microservices architecture - An e-commerce company deploys Authgear as a centralized identity service that issues JWTs to 15+ microservices, enforcing consistent authentication and reducing credential sprawl.
- Complying with enterprise security policies - A healthcare provider self-hosts Authgear to meet HIPAA requirements, using audit logs, MFA, and SAML SSO to control access to patient portals.
Under The Hood
Architecture
- Modular monolith structure with clear boundaries between entrypoints, domain services, and internal logic, keeping the codebase maintainable as it grows
- Dependency injection via Wire ensures clean service composition across authentication, user management, and identity provider modules
- Event-driven design decouples core authentication logic from UI and polling mechanisms using message queues and pub/sub patterns
- Layered API design enforces contract-first development with GraphQL and REST endpoints abstracted behind resolvers and API packages
- Strict import linters prevent circular dependencies, preserving module integrity across auth, portal, and resolver domains
- Observability is deeply embedded with OpenTelemetry tracing, metrics, and logging pipelines automatically injected via middleware
Tech Stack
- Go 1.18+ backend with modular architecture and comprehensive static analysis tooling
- PostgreSQL with connection pooling and TLS for secure, scalable data persistence
- Redis configured for session state and caching with persistent storage and optional encryption
- Full OpenTelemetry stack for distributed tracing, metrics, and log aggregation with Tempo, Prometheus, and Loki
- Docker-based orchestration with nginx, MinIO, and Makefile-driven pipelines for consistent build and test environments
Code Quality
- Extensive test suite using YAML-based E2E scenarios and unit tests to validate complex authentication flows with precise state assertions
- Clear separation of test concerns—configuration, input, and expected outcomes—enabling readable and maintainable test definitions
- Robust error handling with structured, HTTP-status-aligned responses across all authentication pathways
- Strong type safety and configuration validation through schema-driven tests and typed event handlers
- Consistent naming and declarative test structures that mirror the domain model, improving onboarding and readability
- Comprehensive linting and test automation integrated into CI/CD to enforce quality across diverse authentication scenarios
What Makes It Unique
- Native GraphQL admin APIs with auto-generated TypeScript types eliminate manual boilerplate and ensure type safety in the UI
- Dynamic auth flow orchestration via WebSocket controllers enables real-time state transitions without page reloads
- Internationalization is deeply embedded in the component layer with context-aware rendering, avoiding external i18n dependencies
- Role-based access control is implemented through federated query hooks that dynamically resolve permissions from backend roles
- UI component library uses CSS custom properties and layer-based theming for seamless dark/light mode adaptation
- Onboarding flows wrap external libraries behind domain-specific, accessible, validation-rich form components