Authsome your apps
Composable authentication engine with 14 plugins, session management, RBAC, SSO, passkeys, and MFA — multi-tenant, store-abstracted, and Forge-native.
```sh
go get github.com/xraph/authsome
```

Everything you need for authentication
Authsome handles the hard parts — identity, sessions, MFA, social login, RBAC, and multi-tenancy — so you can focus on your application.
Plugin Architecture
14 built-in plugins — password, magic link, social OAuth, SSO, passkeys, MFA, phone, API keys, and more. Each plugin registers strategies, migrations, and hooks automatically.
```go
engine, _ := authsome.NewEngine(
	authsome.WithStore(postgres.New(pool)),
	authsome.WithPlugins(
		password.New(),
		magiclink.New(mailer),
		social.New(social.Google(cfg)),
		mfa.New(mfa.WithTOTP()),
		passkey.New(rpID, rpOrigins),
	),
)
```

Session & Token Management
Opaque tokens or JWTs with OIDC claims. Configurable expiry, refresh rotation, max sessions per user, device binding, and JWKS endpoint.
```go
session, _ := engine.SignIn(ctx, authsome.SignInInput{
	Strategy: "password",
	Email:    "user@example.com",
	Password: "secure-pass",
})
// session.AccessToken  (JWT or opaque)
// session.RefreshToken (rotation enabled)
// session.ExpiresAt
```

Multi-Tenant Isolation
Every user, session, and org is scoped to an App via context. Cross-tenant queries are structurally impossible. Per-app configuration overrides.
```go
ctx = authsome.WithAppID(ctx, appID) // All operations automatically scoped
user, _ := engine.SignUp(ctx, input)
// user.AppID == appID (guaranteed)

// Per-app config overrides
engine.SetAppConfig(ctx, appID, config)
```

Pluggable Store Backends
Start with in-memory for testing, swap to PostgreSQL, SQLite, or MongoDB for production. Every subsystem is a Go interface — bring your own backend.
```go
// PostgreSQL (production)
engine, _ := authsome.NewEngine(
	authsome.WithStore(postgres.New(pool)),
)

// SQLite, MongoDB, or Memory
// authsome.WithStore(sqlite.New(db))
// authsome.WithStore(mongodb.New(client))
// authsome.WithStore(memory.New())
```

Organizations & Teams
Multi-org support with team hierarchy, invitation system, and per-org SSO. Users belong to multiple orgs with different roles.
```go
org, _ := engine.CreateOrganization(ctx, authsome.CreateOrgInput{
	Name: "Acme Corp",
	Slug: "acme",
})
engine.InviteMember(ctx, org.ID, authsome.InviteInput{
	Email: "dev@acme.com",
	Role:  "admin",
})
```

Webhooks & Events
31+ typed webhook events for every auth action — sign-in, MFA, org changes, session revokes. Relay bridge for real-time streaming.
```go
engine, _ := authsome.NewEngine(
	authsome.WithWebhooks(relay.Bridge(
		relay.WithURL("https://api.example.com/hooks"),
		relay.WithEvents(
			"user.signed_in",
			"user.signed_up",
			"mfa.verified",
			"session.revoked",
		),
	)),
)
```

Device Management
Fingerprint devices, track trusted devices per user, and challenge unknown devices. Integrates with risk engine for anomaly detection.
```go
engine, _ := authsome.NewEngine(
	authsome.WithDeviceVerification(
		device.New(
			device.WithTrustDuration(30*24*time.Hour),
			device.WithChallenge(device.EmailChallenge),
		),
	),
)
```

React & Next.js UI Components
40+ pre-built, styled authentication components — sign-in forms, MFA challenges, session management, org switchers, and more. Headless primitives for full control. Server-side session with Next.js middleware.
```tsx
import { AuthProvider } from "@authsome/ui-react"
import { SignInForm, MFAChallenge } from "@authsome/ui-components"

function App() {
  return (
    <AuthProvider apiUrl="/api/auth">
      <SignInForm
        strategies={["password" /* placeholder strategy list */]}
        onSuccess={() => router.push("/" /* placeholder redirect target */)}
      />
    </AuthProvider>
  )
}
```

Every way to authenticate, built in
From passwords to passkeys, social login to enterprise SSO — Authsome ships strategies for every authentication pattern your app will ever need.
Password
Traditional email + password with bcrypt hashing, configurable complexity, and secure reset flows.
Magic Link
Passwordless email links with configurable TTL. One click to authenticate — no password to remember.
Social OAuth
20+ providers — Google, GitHub, Apple, Microsoft, Facebook, Discord, Slack, and more. PKCE support.
SSO (SAML & OIDC)
Enterprise single sign-on with per-organization identity provider configuration.
Passkeys / WebAuthn
FIDO2 credential registration and biometric authentication. Built-in credential store.
MFA (TOTP & SMS)
Authenticator apps, SMS codes, and recovery codes. Enrollable per-user with challenge verification.
Phone / SMS
Phone number verification and SMS-based authentication with configurable providers.
API Keys
Machine-to-machine authentication with SHA-256 hashing, prefix-based lookup, and scoped permissions.
OAuth2 Provider
Act as an OAuth2 authorization server. Authorization Code + PKCE, Client Credentials, token revocation.
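The API Keys item above describes a pattern rather than showing it: a random key with a public prefix used for lookup, only the SHA-256 of the key stored at rest, and scopes attached to the record. The block below is an added, self-contained Go illustration of that pattern, not Authsome's own implementation; the "ak_" key format, the KeyStore map and the scope strings are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// APIKeyRecord is what gets persisted: SHA-256 of the full key (never the key) and its scopes.
type APIKeyRecord struct {
	Hash   [32]byte
	Scopes []string
}
// KeyStore maps public prefix -> record; an in-memory stand-in for the DB table.
type KeyStore map[string]*APIKeyRecord

// Issue mints "ak_<prefix>_<secret>", stores only hash and scopes, and returns
// the plaintext exactly once; the caller must hand it to the user immediately.
func (s KeyStore) Issue(scopes []string) (string, error) {
	raw := make([]byte, 28) // 4 bytes of public prefix + 24 bytes of secret
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	prefix := hex.EncodeToString(raw[:4])
	key := "ak_" + prefix + "_" + hex.EncodeToString(raw[4:])
	s[prefix] = &APIKeyRecord{Hash: sha256.Sum256([]byte(key)), Scopes: scopes}
	return key, nil
}

// Authorize resolves the record by prefix, compares hashes in constant time,
// then checks that the requested scope was granted to this key.
func (s KeyStore) Authorize(key, scope string) error {
	parts := strings.SplitN(key, "_", 3)
	if len(parts) != 3 || parts[0] != "ak" {
		return errors.New("malformed key")
	}
	rec, ok := s[parts[1]]
	got := sha256.Sum256([]byte(key))
	if !ok || subtle.ConstantTimeCompare(got[:], rec.Hash[:]) != 1 {
		return errors.New("invalid key") // same message for unknown and wrong keys
	}
	for _, sc := range rec.Scopes {
		if sc == scope {
			return nil
		}
	}
	return errors.New("scope not granted")
}
```

A database leak exposes only hashes, and a key can be rotated by issuing a new one and deleting the old prefix entry.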
Defense in depth, built in
Enterprise-grade security with intelligent risk assessment. Every auth action is monitored, scored, and auditable.
```go
engine, _ := authsome.NewEngine(
	authsome.WithPlugins(
		riskengine.New(),
		anomaly.New(),
		geofence.New(geofence.Config{
			AllowedCountries: []string{"US", "CA", "GB"},
		}),
		impossibletravel.New(),
		ipreputation.New(maxmindDB),
		vpndetect.New(),
	),
	authsome.WithLockout(authsome.LockoutConfig{
		MaxAttempts: 5,
		Window:      15 * time.Minute,
	}),
	authsome.WithRateLimit(limiter),
)
```

Risk Engine
Unified risk scoring across all auth events with configurable thresholds.
Anomaly Detection
ML-powered detection of suspicious login patterns and behavioral anomalies.
Geofencing
Enforce geographic boundaries. Block or challenge logins from unauthorized regions.
Impossible Travel
Detect physically impossible login sequences across geographic locations.
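The Impossible Travel item above names the check but not the arithmetic. The block below is an added Go illustration of the underlying technique (great-circle distance between consecutive logins divided by elapsed time, compared against a plausible speed), not the impossibletravel plugin's code; the Login type, the 1000 km/h threshold and the 50 km jitter floor are assumptions chosen for the example.

```go
package main

import (
	"math"
	"time"
)

// Login is the geo-resolved view of one sign-in: the timestamp plus the
// latitude/longitude an IP geolocation lookup (such as MaxMind) returned.
type Login struct {
	At       time.Time
	Lat, Lon float64
}

// haversineKm is the great-circle distance between two logins in kilometres.
func haversineKm(a, b Login) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// ImpossibleTravel reports whether getting from prev to cur would need a speed
// above maxKmh (assumed threshold; ~1000 km/h covers commercial flights) and
// returns the implied speed so a risk engine can score it rather than just block.
func ImpossibleTravel(prev, cur Login, maxKmh float64) (bool, float64) {
	const jitterKm = 50 // geolocation noise inside one metro area is not travel
	dist := haversineKm(prev, cur)
	if dist < jitterKm {
		return false, 0
	}
	hours := cur.At.Sub(prev.At).Hours()
	if hours <= 0 {
		// Same instant or out-of-order events: any real distance is impossible.
		return true, math.Inf(1)
	}
	speed := dist / hours
	return speed > maxKmh, speed
}
```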
IP Reputation
Real-time IP risk scoring with MaxMind integration and blocklist support.
Account Lockout
Configurable failure thresholds with automatic lockout and admin unlock.
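The lockout configuration above (MaxAttempts 5, Window 15 minutes, admin unlock) implies a sliding window of failures per account. The block below is an added, stand-alone Go illustration of that logic, not Authsome's WithLockout implementation; the LockoutPolicy and LockoutTracker names are assumptions, and the in-memory maps stand in for whatever store the real plugin uses.

```go
package main

import "time"

// LockoutPolicy mirrors the thresholds configured on the page: MaxAttempts
// failures inside Window lock the account until an admin unlocks it.
type LockoutPolicy struct {
	MaxAttempts int
	Window      time.Duration
}

// LockoutTracker keeps a sliding window of failure timestamps per account.
// Single-goroutine, in-memory version: a real one needs locking and a store.
type LockoutTracker struct {
	policy   LockoutPolicy
	failures map[string][]time.Time
	locked   map[string]bool
}

func NewLockoutTracker(p LockoutPolicy) *LockoutTracker {
	return &LockoutTracker{policy: p, failures: map[string][]time.Time{}, locked: map[string]bool{}}
}

// RecordFailure forgets failures older than Window, records this one, and
// reports whether the account is locked afterwards. Call it only for failed
// attempts; a locked account should be rejected before the password is checked.
func (t *LockoutTracker) RecordFailure(account string, now time.Time) bool {
	cutoff := now.Add(-t.policy.Window)
	recent := make([]time.Time, 0, t.policy.MaxAttempts)
	for _, ts := range t.failures[account] {
		if ts.After(cutoff) {
			recent = append(recent, ts)
		}
	}
	recent = append(recent, now)
	t.failures[account] = recent
	if len(recent) >= t.policy.MaxAttempts {
		t.locked[account] = true
	}
	return t.locked[account]
}

// IsLocked stays true until AdminUnlock, matching the page's admin-unlock model.
func (t *LockoutTracker) IsLocked(account string) bool { return t.locked[account] }

// AdminUnlock clears the lock and the failure history.
func (t *LockoutTracker) AdminUnlock(account string) {
	delete(t.locked, account)
	delete(t.failures, account)
}
```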
From request to session, fully instrumented
Every authentication flow passes through your configured plugins, emits events, and creates auditable sessions.
14 Auth Strategies
Password, magic link, social OAuth, SSO, passkeys, MFA, phone, API keys, and more — composable and extensible.
Session Security
JWT or opaque tokens, refresh rotation, device binding, max sessions, and automatic expiry management.
31 Webhook Events
Every auth action emits events — user.created, session.started, mfa.challenged, org.invited, and 27 more.
Teams, roles, and permissions
Built-in organization management with hierarchical RBAC. Invite members, assign roles, and enforce permissions at every level.
```go
// Create organization
org, _ := engine.CreateOrganization(ctx,
	authsome.CreateOrgInput{
		Name: "Acme Corp",
		Slug: "acme",
	})

// Invite member with role
engine.InviteOrgMember(ctx, authsome.InviteInput{
	OrgID: org.ID,
	Email: "jane@acme.com",
	Role:  "admin",
})

// Assign RBAC permissions
engine.AssignRole(ctx, authsome.RoleAssignment{
	UserID: userID,
	Role:   "editor",
	Permissions: []authsome.Permission{
		{Action: "write", Resource: "documents"},
		{Action: "read", Resource: "analytics"},
	},
})
```

Organizations
User-created workspaces with metadata, branding, and slug-based URLs.
Team Management
Sub-teams within organizations. Invite, remove, and manage members.
Role Hierarchy
Parent roles, custom permissions, and organization-scoped role assignments.
Invitation System
Token-based invitations with TTL expiration, accept/decline tracking.
Backend + Frontend. Fully integrated.
Set up your Go auth server and connect it to your React or Next.js frontend in minutes. Authsome handles both sides.
```go
package main

import (
	"log"
	"log/slog"
	"net/http"

	"github.com/xraph/authsome"
	"github.com/xraph/authsome/plugin/mfa"
	"github.com/xraph/authsome/plugin/password"
	"github.com/xraph/authsome/plugin/social"
	"github.com/xraph/authsome/store/postgres"
)

func main() {
	// pool (database connection pool) and cfg (Google OAuth client config)
	// are created elsewhere in the application.
	engine, err := authsome.NewEngine(
		authsome.WithStore(postgres.New(pool)),
		authsome.WithPlugins(
			password.New(),
			social.New(social.Google(cfg)),
			mfa.New(mfa.WithTOTP()),
		),
		authsome.WithLogger(slog.Default()),
	)
	if err != nil {
		log.Fatal(err) // never serve auth routes from a half-initialised engine
	}

	mux := http.NewServeMux()
	engine.RegisterRoutes(mux)
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

```tsx
import { AuthProvider, useAuth } from "@authsome/ui-react"
import {
  SignInForm,
  UserButton,
  OrgSwitcher,
} from "@authsome/ui-components"

function App() {
  return (
    <AuthProvider apiUrl="/api/auth">
      <Layout />
    </AuthProvider>
  )
}

function Layout() {
  const { user, isLoaded } = useAuth()

  if (!isLoaded) return <Loading />

  return user ? (
    <Dashboard>
      <OrgSwitcher />
      <UserButton />
    </Dashboard>
  ) : (
    <SignInForm
      strategies={["password" /* placeholder strategy list */]}
      onSuccess={() => router.push("/" /* placeholder redirect target */)}
    />
  )
}
```

Every platform, one API
Official SDKs for Go, TypeScript, and Flutter. Type-safe clients with full feature coverage across server, web, and mobile.
```go
engine, _ := authsome.NewEngine(
	authsome.WithStore(postgres.New(pool)),
	authsome.WithPlugins(
		password.New(),
		social.New(social.Google(cfg)),
	),
)

// Sign in
session, _ := engine.SignIn(ctx, authsome.SignInInput{
	Strategy: "password",
	Email:    "user@example.com",
	Password: "secret",
})

// Verify session
user, _ := engine.VerifySession(ctx, session.AccessToken)
```

Type-Safe
Full TypeScript types and Go interfaces. Catch auth errors at compile time.
Isomorphic
Works in Node.js, browsers, React Native, and Flutter. Same API everywhere.
Documented
Comprehensive docs, code examples, and Storybook playground for UI components.
Beautiful, ready-to-use auth components
40+ pre-built React components for authentication flows. Fully styled, accessible, and customizable. Also available as headless primitives.
Sign In Form
Multi-strategy authentication with social providers
MFA Challenge
TOTP, SMS OTP, and recovery code verification
Session Manager
View and revoke active sessions across devices
Org Switcher
Multi-org support with role-based access
Passkey Manager
Register, view, and revoke WebAuthn passkeys
API Key Manager
Create, rotate, and revoke API keys with scopes
Built for production at scale
SSO, SCIM provisioning, audit trails, GDPR compliance, and a full admin dashboard — everything enterprises need.
SSO (SAML & OIDC)
Per-organization identity provider configuration with SAML 2.0 and OpenID Connect support.
SCIM Provisioning
System for Cross-domain Identity Management. Sync users and groups from your identity provider.
31+ Webhook Events
Every auth action emits typed events — user.created, session.started, mfa.challenged, and 28 more.
GDPR & Compliance
Built-in data export, consent tracking, account deletion, and audit trails for regulatory compliance.
Device Management
Fingerprinting, trusted device recognition, max devices per user, and device-session binding.
Admin Dashboard
Full management UI — users, sessions, organizations, API keys, security events, and SSO configuration.
Manage everything from one place
A full admin dashboard ships with Authsome — users, sessions, organizations, SSO, SCIM, billing, and more. Free and open source, powered by Forge.
Authentication Overview
Monitor your authentication system
User Management
View, search, and manage users. Reset passwords, revoke sessions, and manage MFA per user.
Real-Time Analytics
Monitor sign-in activity, failed attempts, device fingerprints, and anomaly scores in real time.
SSO & SCIM Setup
Configure SAML and OIDC identity providers per organization. Auto-provision users via SCIM.
Billing & Plans
Manage subscription plans, invoices, and feature flags for multi-tenant SaaS applications.
Start authenticating with Authsome
Add production-grade authentication to your Go service in minutes. Authsome handles identity, sessions, MFA, social login, RBAC, and multi-tenancy out of the box.
```sh
go get github.com/xraph/authsome
```