Now with WebAuthn Passkey support →

The Identity Platform
Built for Developers

Multi-tenant OAuth2 / OIDC server with MFA, SAML federation, passkeys, and full SCIM provisioning. Self-host or deploy to cloud — you own the data.

Quick Start — docker-compose.yml
# Start your CIAM stack in one command
docker compose up -d

# OIDC Discovery
https://dev.auth.platform.com/.well-known/openid-configuration

# Token & Authorization endpoints
https://dev.auth.platform.com/oauth2/token
https://dev.auth.platform.com/oauth2/authorize

# Per-tenant JWKS (auto-rotated RSA-2048)
https://{tenant}.auth.platform.com/oauth2/jwks

# Admin REST API
https://dev.auth.platform.com/admin/tenants
OAuth2 / OIDC compliant
Multi-tenant isolation
Per-tenant RSA key pairs
SAML 2.0 & Federation
Spring Boot 3 / Java 21
Zero-Trust MFA
TOTP · SMS · Email · Passkey
Multi-Tenant
Tenant per subdomain or header
Per-Tenant Keys
Isolated RSA-2048 signing pairs
Virtual Threads
Java 21 — massive concurrency

Integrates with your existing stack

Spring Boot
PostgreSQL
Docker
Kubernetes
Redis / Valkey
Kafka
React
OpenSearch
AWS / GCP / Azure
Core Features

Everything your app needs to authenticate users

From a simple login page to enterprise federation — CIAM Platform has it covered out of the box.

OAuth2 / OIDC

Full Spring Authorization Server. Authorization Code + PKCE, Client Credentials, Device Flow, Refresh Tokens, Introspection.

Multi-Tenancy

Subdomain or X-Tenant-ID header routing. Full data isolation with PostgreSQL Row-Level Security.

Multi-Factor Auth

TOTP (RFC 6238), Email OTP, SMS OTP, and WebAuthn Passkeys. Per-tenant MFA policy enforcement.

SAML 2.0

Act as SAML IdP or SP. Integrate with Okta, Azure AD, and enterprise IdPs via metadata import.

Per-Tenant Signing Keys

Auto-generated RSA-2048 key pairs per tenant. Redis-cached with lazy rotation. Unique JWK Set per tenant.

Rate Limiting & Risk

Valkey-backed brute-force protection (5 attempts / 15-min window, 30-min lockout) plus risk evaluation.

Organizations & SCIM

Hierarchical organizations, memberships, and SCIM 2.0 user provisioning for enterprise directory sync.

Notification Providers

Pluggable email and SMS providers. Send MFA codes, invitations, and password-reset links.

Admin UI & REST API

Full-featured React admin dashboard. Every operation available via REST API for programmatic management.

View all features →
How It Works

Secure by design, from request to token

1

Tenant Resolution

Every request passes through TenantContextFilter. Tenant is resolved from subdomain, header, or default slug — giving each customer a fully isolated identity store.

2

Authentication

Credentials verified by CiamUserDetailsService using Argon2id. Rate-limiting checked atomically via Redis.

3

MFA Challenge

If tenant policy requires MFA, session is stashed and user completes a TOTP, passkey, SMS, or email challenge before the OAuth2 flow resumes.

4

Token Issuance

JWTs signed with the tenant's RSA key pair. Tokens carry tenant_id, org_id, roles, and permissions — ready to consume in any microservice.
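
Steps 1 and 4 seen from a consuming microservice, as an added example that is not CIAM Platform's own code: the service verifies a token against the JWK Set of the tenant it was routed for, then checks that tenant_id matches. RS256, the `kid` header, and the names `makeTenant`, `signToken` and `verifyTenantToken` are assumptions; key pairs and tokens are constructed in-process as sample input.

```javascript
// Added example, not CIAM Platform code. RS256, `kid` and all names here are assumptions.
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed stand-in for one tenant: a signing pair plus the JWK Set its endpoint would serve.
function makeTenant(slug) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid: `${slug}-1` };
  return { slug, privateKey, jwks: { keys: [jwk] } };
}

// Constructed issuer, used only to produce sample tokens.
function signToken(tenant, claims) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: `${tenant.slug}-1` }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), tenant.privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Resource-server check. expectedTenant and jwks come from trusted routing
// (subdomain or gateway-set header), never from the unverified token itself.
function verifyTenantToken(token, expectedTenant, jwks, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) return { ok: false, reason: 'bad signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  // A valid signature only proves which tenant key signed it; the claim must agree too.
  if (claims.tenant_id !== expectedTenant) return { ok: false, reason: 'tenant mismatch' };
  return { ok: true, claims };
}
```

A production service would also validate `iss` and `aud` and fetch the JWK Set over TLS with caching; those are left out to keep the tenant-binding check in focus.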

∞
Tenants supported
4+
MFA methods built-in
<1ms
JWKS key cache lookup
Java 21
Virtual-thread concurrency
Trusted by Developers

What teams are saying

"Setting up a multi-tenant OIDC provider used to take weeks. CIAM Platform had us live in a day — including MFA and per-tenant JWT signing."
JL
Jordan Lee
Principal Engineer, FinTech Scale-up
"The rate-limiting and breached-password detection was a surprise. We didn't have to build any of that — it's just there, backed by Redis."
PM
Priya Mehta
Staff Security Engineer, SaaS Platform
"Passkey support and SAML federation in the same open-source package? We evaluated four vendors before finding this."
TK
Tom Kowalski
CTO, B2B Platform
Get Started

Ship identity in minutes, not months

One docker compose up command and your full CIAM stack is running.

Read the Docs View Pricing