Own your identity layer
Self-hosted authentication and fine-grained authorization—plus permission-aware AI your agents can't talk their way around.
Authorizer is one open-source binary you run on your own infrastructure. Every user, role, and permission stays in your database—never on someone else's dashboard.
- Self-hosted & sovereign — your users live in your database, not someone else's dashboard
- No per-seat auth tax — pay for infrastructure, not usage
- Every way to sign in — social, email/password, magic link, MFA, OAuth2 & OIDC
- Fine-grained authorization — RBAC + relationship-based access control (OpenFGA), built in
- Permission-aware AI & MCP — agents and RAG only retrieve what the user is allowed to see
- Built for your stack — GraphQL, REST & gRPC, with SDKs for Go, Python & JS
Authorizer vs hosted identity platforms
Hosted identity platforms give you dashboards, enterprise SSO marketplaces, and batteries-included UI—in exchange for running your most sensitive infrastructure on someone else's servers and paying a per-seat auth tax as you grow. Authorizer is a different tradeoff: open source and self-hosted so authentication runs where you run your product—and user records stay in your database.
| Factor | Authorizer | Hosted identity platforms |
|---|---|---|
| Deployment | Self-hosted on your cloud or VPC; you operate the service | Hosted SaaS you don't run; identity lives on vendor infrastructure |
| Data & residency | User directory lives in your database (SQL, NoSQL, graph) | Typically vendor-managed user stores and dashboards |
| Pricing model | Open source; pay for infra, not per-seat auth tax | Usage/seat/connection-based pricing that scales against you |
| Enterprise SSO (SAML/OIDC IdPs) | Core OAuth2/OIDC server; extend for your SSO needs | Mature multi-IdP SSO marketplaces and B2B org patterns |
| Drop-in UI | Built-in login + headless APIs; React SDK available | Polished hosted components and universal login pages |
| Authorization model | RBAC plus relationship-based, fine-grained authorization (embedded OpenFGA/Zanzibar) in the same binary | Often RBAC by default; fine-grained authz as a separate paid add-on |
| AI / RAG access control | Permission-aware retrieval: list a user's allow-list and pre-filter the vector search, fully self-hosted | Usually out of scope; you wire authorization into AI yourself |
| APIs & SDKs | GraphQL, REST, and gRPC with SDKs for Go, Python, JS, and React (Vue, Svelte, Flutter coming soon) | Mature REST/OIDC APIs and a broad SDK catalog |
| Best when | You need ownership, compliance-friendly data location, or deep backend control | You want zero ops and fastest time-to-market on hosted identity |
A category-level comparison. Check the docs for feature details against your exact requirements.
The hardest part of app development, made simple
Use Authorizer off the shelf and ship a complete auth experience in minutes—so you can stay focused on your core product, not on building identity from scratch.
Best-practice services baked in: secure session management with HTTP-only cookies, and the OAuth2 Authorization Code flow for mobile-based auth.
Multiple auth recipes supported out of the box: social login, email and password, magic link, and more.
Supports 13+ databases, including the major SQL, NoSQL, and graph databases.
Built-in universal login page, plus APIs and SDKs so you can build custom UI in JavaScript, React, or any framework.
Define roles and authorize your APIs with role-based session tokens.
Relationship-based access control with an embedded OpenFGA (Google Zanzibar) engine—check_permissions and list_permissions, in-process, no extra service to run.
Build AI assistants and RAG pipelines that respect who can see what—pre-filter retrieval with the user’s own token so the model never reads what it shouldn’t.
Integrate over three protocols on standard OAuth2 and OpenID Connect, with official SDKs for Go, Python, JavaScript, and React (Vue, Svelte, and Flutter coming soon).
Expose read-only identity and permission tools to Claude Desktop, Claude Code, Cursor, and any MCP host—so AI agents can check access before they act. Stdio-only and safe by design.
Deploy authentication and authorization anywhere you need: Railway, Heroku, Render, Docker, Kubernetes, and more.
Send emails with custom email templates and dynamic variables
Configure webhooks for various events on the Authorizer service and perform the necessary actions with the event data.
An added layer of security: email-based OTP for your basic authentication recipe.
Authorization your AI can't talk its way around
Authorizer ships an embedded OpenFGA engine—the open-source implementation of Google's Zanzibar relationship-based access control. The same server that logs your users in also answers “can this user view this document?” in-process, so you can build AI assistants and RAG pipelines that respect who is allowed to see what—fully self-hosted, on your own hardware.
Same question. Two people. Two answers.
Vector search has no concept of “need to know”—semantically close means retrieved. Authorizer puts the permission boundary inside the retrieval step, so the model can never leak what it was never shown.
Alice isn't shown an “access denied.” The finance report simply never existed in her search results—it was never a candidate, never in the prompt.
Permissions are relationships, not roles
Grant access by writing facts, not code. Ask Authorizer for the user's allow-list, then hand it to your vector store as a filter.
The same check_permissions / list_permissions helpers ship in the Go, JavaScript, and Python SDKs.
Filter before you retrieve
Authorizer answers “what may this user see?” with the user’s own token. That allow-list becomes a vector-search filter, so forbidden documents are never scored, never retrieved, never placed in the prompt.
Fail closed by default
Authorizer unreachable, token missing, or permission list truncated? The pipeline denies instead of leaking. An empty allow-list returns a refusal without ever calling the model.
Revoke in one call
Permissions live in relationship tuples, not in your vector index. Off-board a contractor with a single delete—their very next question is denied. No re-embedding, no re-indexing, no re-login.
Prompt-injection safe
The agent calls Authorizer with the end user’s JWT and the subject is pinned server-side. A hijacked agent holds no privileged credential—it asks as the user, and gets the user’s answer.
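The retrieval step the four points above describe, written out as an added example that is not Authorizer's own code or SDK. `list_viewable` is a hypothetical stand-in for the SDK's list_permissions helper; the sessions, relationship tuples, documents and embeddings are constructed in memory so the example runs offline. It shows the allow-list being resolved from the user's own token (the subject is never a caller-supplied parameter), the filter applied before any document is scored, the fail-closed paths (service unreachable, token missing, empty allow-list), and revocation by deleting a single tuple with no re-indexing.

```python
"""Permission-aware RAG retrieval: filter by the user's allow-list BEFORE scoring,
fail closed, and revoke by deleting one relationship tuple.

Added example; not Authorizer's own code. `list_viewable` is a hypothetical
stand-in for the SDK's list_permissions helper, and the sessions, tuples,
documents and embeddings below are constructed for illustration.
"""
import math
from typing import Optional

# Constructed sessions: token -> subject. Stands in for Authorizer verifying
# the user's JWT and pinning the subject server-side.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}

# Constructed relationship tuples (user, relation, object), the shape an
# embedded OpenFGA engine stores. Carol has no tuples at all.
TUPLES = {
    ("alice", "viewer", "doc:onboarding"),
    ("alice", "viewer", "doc:handbook"),
    ("bob", "viewer", "doc:onboarding"),
    ("bob", "viewer", "doc:finance-q3"),
}

# Constructed vector index: doc id -> (text, embedding). Nothing in the index
# says who may read what; permissions live only in TUPLES.
DOCS = {
    "doc:onboarding": ("New hire onboarding checklist", (0.9, 0.1, 0.0)),
    "doc:handbook": ("Employee handbook", (0.7, 0.3, 0.0)),
    "doc:finance-q3": ("Q3 revenue and margin figures", (0.0, 0.2, 0.95)),
}


class AuthzUnavailable(Exception):
    """Raised when the allow-list cannot be obtained; callers must deny."""


def list_viewable(token: Optional[str], tuples=TUPLES, reachable: bool = True) -> frozenset:
    """Hypothetical stand-in for list_permissions.

    The subject is derived from the token, never taken as a parameter, so a
    hijacked agent can only ask on behalf of the user whose token it holds.
    """
    if not reachable:
        raise AuthzUnavailable("authorization service unreachable")
    subject = SESSIONS.get(token or "")
    if subject is None:
        raise AuthzUnavailable("missing or invalid token")
    return frozenset(obj for (user, rel, obj) in tuples if user == subject and rel == "viewer")


def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm if norm else 0.0


def retrieve(query_vec, allow: frozenset, k: int = 2):
    """Only allowed documents become candidates; forbidden ones are never scored."""
    candidates = [(doc_id, text, emb) for doc_id, (text, emb) in DOCS.items() if doc_id in allow]
    ranked = sorted(candidates, key=lambda c: cosine(query_vec, c[2]), reverse=True)
    return [(doc_id, text) for doc_id, text, _ in ranked[:k]]


def answer(token: Optional[str], query_vec, tuples=TUPLES, reachable: bool = True) -> dict:
    """The retrieval step of a RAG pipeline, failing closed on every error path."""
    try:
        allow = list_viewable(token, tuples=tuples, reachable=reachable)
    except AuthzUnavailable as exc:
        return {"status": "denied", "reason": str(exc), "context": []}
    if not allow:
        # Empty allow-list: refuse without building a prompt or calling the model.
        return {"status": "denied", "reason": "empty allow-list", "context": []}
    return {"status": "ok", "reason": "", "context": retrieve(query_vec, allow)}


def revoke(user: str, obj: str, tuples) -> None:
    """Off-boarding is one tuple delete; no re-embedding or re-indexing needed."""
    tuples.discard((user, "viewer", obj))


if __name__ == "__main__":
    finance_query = (0.0, 0.0, 1.0)  # constructed embedding of "what were Q3 margins?"
    print("alice:", answer("tok-alice", finance_query))
    print("bob:", answer("tok-bob", finance_query))
    print("no token:", answer(None, finance_query))
    live = set(TUPLES)
    revoke("bob", "doc:finance-q3", live)
    print("bob after revoke:", answer("tok-bob", finance_query, tuples=live))
```

Run as a script to see that Alice's finance question returns only the documents she may view (the finance report is never a candidate), Bob's returns the finance report first, a missing token or unreachable authorization service yields a denial with no context, and deleting Bob's single tuple changes his very next answer. In a real deployment the allow-list from the SDK is passed to the vector store's own metadata filter, so the filtering happens inside the store rather than in Python.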
Built-in MCP server
Authorizer ships a built-in Model Context Protocol (MCP) server, so an AI assistant can ask “is this user allowed to see this?” as a tool—before it retrieves or summarizes anything. It exposes a curated, read-only subset (profile, check_permissions, list_permissions)—no token minting, no account mutation. It's stdio-only and can't be exposed over the network, and the model never escalates beyond the bearer token's subject.
- Claude Desktop
- Claude Code
- Cursor
- Any MCP-compatible host
Three protocols. SDKs for every stack.
Authorizer speaks GraphQL, REST, and gRPC over standard OAuth2 and OpenID Connect—so it drops into the stack you already run, from a React frontend to a Go microservice to a Python AI agent.
GraphQL
A GraphQL-first API for auth, user management, RBAC, and fine-grained authorization—typed, introspectable, and one round trip per screen.
REST
Standard OAuth2 and OpenID Connect REST endpoints—authorize, token, userinfo, JWKS—so any client or language integrates with the flows it already knows.
gRPC
A high-performance gRPC API for service-to-service auth and low-latency backends—strongly typed contracts from the same protobuf definitions.
Official SDKs & framework libraries
Drop authentication, sessions, and fine-grained authorization into your app in minutes.
- Go
- Python
- JavaScript
- TypeScript
- React
- Vue (coming soon)
- Svelte (coming soon)
- Flutter (coming soon)
Permission helpers (check_permissions and list_permissions) ship in the Go, JavaScript, and Python SDKs.
Bring your own database
Your users live where your app already lives—13+ SQL, NoSQL, and graph databases supported out of the box.
Where Authorizer wins
Authorizer’s strongest position in the market is as a self-hosted alternative to hosted identity platforms (and for teams who outgrow “just use hosted auth”). It’s a practical choice when ownership, cost predictability, and database flexibility matter more than outsourced operations.
Self-hosted auth for teams that need control
If you have data residency requirements, a private network, or you simply prefer to operate critical security infrastructure yourself, Authorizer gives you a full authentication and authorization layer without handing your user directory to a third party.
Bring your database (seriously)
Authorizer supports a broad set of SQL, NoSQL, and graph databases. That means your users live where your app already lives—simpler compliance stories, fewer data silos, and easier integration with internal tooling.
Standards first, UI optional
OAuth2 and OpenID Connect make integration predictable across stacks. Use the built-in login, go headless, or embed UI with the React SDK—whatever matches your product and threat model.
v2 direction (based on the roadmap)
The v2 roadmap is focused on the enterprise foundations buyers expect from hosted identity platforms—without giving up self-hosting.
- Security hardening: rate limiting and brute-force protections, CAPTCHA/bot protection, and safer operational defaults.
- Auditability & observability: structured audit logs and Prometheus metrics for production monitoring and compliance workflows.
- B2B + automation: machine-to-machine auth (client credentials), API keys, fine-grained permissions, and directory sync (SCIM).
Roadmap items are plans and may change; check the product repository for current status.
Loved by developers
Join our community on Discord. You can also share your experience here and help us build more trust.
“The first time I found Authorizer on Product Hunt I fell in love with it. Then I realized this is a perfect-fit solution for me. So, I want to say thank you for building an amazing product. Especially as you made it Open Source.”
“Authorizer simplifies the implementation of a login system and is fast and light on resources. The React.js library also vastly simplifies the implementation of state management in a project. The author, Lakhan Samani, is also extremely helpful and easy to work with. Overall, Authorizer saves numerous hours of headaches and provides a great experience for developers.”
“I have been working on an edutainment product for the past few months. The authentication, authorization flow was one of the tasks that I had to take care of. I used the Authorizer for the same and it did not take me much time, from integration with the product to setting it up on the cloud. It was a great experience as a developer to be able to use an open-source solution to a fairly complex problem with such ease. Thanks to the authorizer team.”
“Authorization/Authentication has always been a big pain, but I found Authorizer is the simplest and fastest way of building an auth service for our app. I was also able to partially adopt our own customized authentication flow with Authorizer because they provide flexible enough libs and APIs. I would not be able to find another product that can handle this so easily. Truly, the all-in-one solution.”
Get started in 3 simple steps
Authentication and authorization have never been this simple before!
1. Get an Authorizer instance: deploy a production-ready Authorizer instance using the one-click deployment options (Railway, Heroku, Render) or Docker/Kubernetes.
2. Set up the instance: open the Authorizer instance endpoint in a browser, sign up as an admin with a secure password, and configure environment variables from the dashboard.
3. Integrate with your application: load the @authorizerdev/authorizer-js library and initialize the Authorizer object. The Authorizer object is instantiated with a JSON object carrying the following keys in its constructor.
Frequently asked questions
Quick answers about self-hosting your authentication and authorization.
- What is Authorizer?
- Authorizer is an open-source authentication and authorization server you deploy on your own infrastructure. It supports OAuth2 and OpenID Connect, social logins, magic links, email/password, multi-factor authentication, webhooks, and role-based access control—while storing users in a database you control.
- How is Authorizer different from hosted authentication platforms?
- Hosted authentication platforms run identity on their servers and bill per seat or connection as you scale. Authorizer is self-hosted and open source: you run the service, choose your own database backend, and keep every user record in your own storage. It's the better fit when data residency, customization, cost predictability, and ownership matter more than outsourced operations.
- Which databases does Authorizer support?
- Authorizer supports 13+ databases across SQL, NoSQL, and graph, including PostgreSQL, MySQL, MariaDB, SQLite, SQL Server, MongoDB, Cassandra, ScyllaDB, ArangoDB, YugabyteDB, PlanetScale, AWS DynamoDB, and Couchbase. Your users live in the database your application already uses.
- Does Authorizer support fine-grained authorization (FGA)?
- Yes. Authorizer ships with an embedded OpenFGA engine—the open-source implementation of Google's Zanzibar relationship-based access control (ReBAC)—in the same Go binary that handles login. You model permissions as relationships between users, teams, and resources, then call check_permissions and list_permissions to enforce them. This goes beyond role-based access control (RBAC) to answer document-, object-, and record-level questions like "can this user view this file?" with no extra service to deploy.
- Can Authorizer secure AI assistants and RAG applications?
- Yes. Because Authorizer combines authentication with an embedded fine-grained authorization engine, you can build permission-aware RAG: fetch the current user's allow-list with their own token, then pre-filter your vector search so the model only ever retrieves documents that user is allowed to see. Forbidden chunks are never scored or placed in the prompt, the pipeline fails closed if authorization is unavailable, and revoking access takes effect on the user's next question—no re-indexing. Everything runs self-hosted on your own hardware.
- Does Authorizer have an MCP (Model Context Protocol) server?
- Yes. Authorizer ships a built-in MCP server that lets AI hosts like Claude Desktop, Claude Code, Cursor, or any MCP-compatible client call a curated, read-only subset of Authorizer's API as tools—profile, check_permissions, and list_permissions. This lets an agent ask "is this user allowed to see this?" before it retrieves or summarizes content. The server is stdio-only (it cannot be exposed over the network), credential-issuing and destructive operations are never exposed, and identity is pinned to the bearer token's subject, so a model can never escalate beyond it.
- What APIs and SDKs does Authorizer provide?
- Authorizer exposes GraphQL, REST, and gRPC APIs over standard OAuth2 and OpenID Connect flows. Official SDKs are available for Go, Python, JavaScript/TypeScript, and React, with Vue, Svelte, and Flutter coming soon. The fine-grained authorization helpers (check_permissions and list_permissions) ship in the Go, JavaScript, and Python SDKs.
- Can I use Authorizer in production?
- Yes. Authorizer is built for production with secure session handling over HTTP-only cookies, one-click deployment templates for Railway, Heroku, and Render, plus Docker and Kubernetes support, and SDKs for integration via standard OAuth2 and OpenID Connect flows.
- Is Authorizer free?
- Authorizer is free and open source. There is no per-seat or per-user auth tax—you only pay for the infrastructure you run it on. You can self-host it on your own cloud, VPC, or a one-click platform deployment.