VoidAuth is an open-source Single Sign-On (SSO) platform designed for self-hosted environments, enabling administrators to unify authentication across multiple applications using OpenID Connect (OIDC) and reverse proxy ForwardAuth. It eliminates the need to manage separate logins for each service by acting as a central identity provider that integrates with tools like Caddy, Traefik, and Nginx.
Built with TypeScript and a Docker-first architecture, VoidAuth uses PostgreSQL or SQLite for secure, encrypted-at-rest storage and provides a web-based admin panel for user and group management. It supports modern authentication methods like passkeys and email-based self-registration, making it ideal for tech-savvy individuals and small teams running home labs or private cloud infrastructure.
What You Get
- OpenID Connect (OIDC) Provider - Implements full OIDC 1.0 specification to act as an identity provider for any OIDC-compatible application like Nextcloud, Grafana, or Home Assistant.
- Proxy ForwardAuth Integration - Supports authentication at the reverse proxy (e.g., Caddy, Traefik, Nginx) via HTTP headers to protect web apps without modifying their code.
- Passkey and Biometric Authentication - Enables passwordless login using WebAuthn passkeys (FIDO2) and allows enforcing passkey-only accounts for enhanced security.
- User and Group Management - Admins can create, invite, and manage users and groups with role-based access control through a visual admin dashboard.
- Email-Based Self-Registration and Invitations - Users can register themselves or be invited via email with verification, reducing admin overhead for onboarding.
- Customizable Login Portal - Change logo, title, theme colors, and email templates to match your brand or home lab aesthetic without code changes.
- Secure Password Reset with Email Verification - Built-in password recovery flow with encrypted token validation and email delivery via SMTP configuration.
- Encryption-at-Rest with Postgres/SQLite - All user data, including credentials, is encrypted in the database using environment-variable-driven keys.
Common Use Cases
- Securing a home lab with multiple apps - A tech enthusiast uses VoidAuth to protect Nextcloud, Grafana, and Portainer with a single login, eliminating password fatigue across services.
- Running a private media server with SSO - A family uses VoidAuth to grant controlled access to Jellyfin and Radarr via passkeys, avoiding shared passwords and simplifying access for non-technical users.
- Managing a small team’s self-hosted tools - A startup deploys VoidAuth with OIDC to authenticate developers accessing internal tools like GitLab and Mattermost without managing individual credentials.
- Replacing cloud SSO for privacy-focused users - A privacy-conscious user replaces Google or Microsoft SSO with VoidAuth to retain full control over authentication data and avoid third-party tracking.
Under The Hood
Architecture
- Monolithic server architecture combining API routing and static asset delivery in Express.js, blurring backend-frontend boundaries
- Direct instantiation of services (OIDC, database, email) within route handlers, lacking dependency injection or inversion of control
- Angular frontend components tightly coupled to hardcoded backend endpoints, with no abstraction layer for API communication
- Minimal shared code between frontend and backend beyond type definitions, resulting in duplicated validation logic
- Runtime configuration via Docker and .env files without centralized validation or schema enforcement
- Build process bundles server and frontend into a single deployable unit, obscuring component boundaries and hindering modular scaling
Tech Stack
- Node.js 24 with Express 5 and TypeScript 5.9 using ES modules and strict ESM configuration
- Angular 21 frontend with Material Design components, built via esbuild in a monorepo-style structure
- PostgreSQL 18 with Knex.js for migrations and type-safe queries, plus optional SQLite support
- OIDC Provider and SimpleWebAuthn for robust OAuth2/OpenID Connect and passwordless WebAuthn authentication
- Docker multi-stage builds with custom base image and volume-mounted configuration and database persistence
- Comprehensive tooling including Husky, lint-staged, ESLint, Prettier, and TSX for development workflow automation
Code Quality
- Extensive test suite using Jasmine and Angular-specific utilities, leveraging TypeScript’s type safety for robust validation
- Clear module-based organization with parallel test files, enhancing maintainability and test discoverability
- Strong type safety enforced through strict TypeScript configuration and comprehensive type annotations
- Consistent naming conventions aligned with Angular standards, improving code readability and team alignment
- Limited error handling sophistication, relying on generic try-catch blocks without custom error classes or structured logging
- Automated linting and build tooling properly configured, ensuring consistent code quality standards
What Makes It Unique
- Real-time human-readable duration display for time-based password resets, eliminating external dependencies for time formatting
- Dynamic OIDC configuration display in admin UI, enabling self-service identity provider oversight
- Unified table component architecture that auto-adapts icons and actions based on entity state, reducing boilerplate
- Embedded clipboard integration with tooltip-triggered copy functionality, enhancing UX without external libraries
- Centralized configuration and permission-aware UI rendering that dynamically adapts admin views based on runtime roles and settings
- Shared API response types via @shared/api-response, enabling type-safe end-to-end communication without duplication