Identity module

One identity layer for every provider.

Federate Microsoft, Google and other generic OAuth2 providers with PKCE behind one configurable auth service. It provides JWT signing with managed RSA keys, scoped and revocable API tokens, and JWK publishing for OIDC compliance.

[Figure: federate any of Microsoft, Google, OAuth2 or Eru; provider claims are issued as a JWT with header (alg: RS256), payload and signature. Labels: CLAIMS, RSA, JWK, EXP, PKCE, ISSUED]

Why eru-auth

Many providers. One contract.

eru-auth provides a unified authentication and identity platform for modern applications and enterprise systems. Support enterprise SSO with Microsoft, social logins such as Google, generic OAuth2 providers, and secure API token flows for service-to-service communication — all through a single configurable service.

Built with enterprise-grade security in mind, eru-auth includes PKCE support, JWT signing, managed RSA key rotation, JWK publishing, and a database-backed identity store. It enables teams to centralize authentication, standardize token management, and simplify identity integration across web, mobile, internal, and third-party systems without building separate authentication infrastructure for every application.

4+ identity providers
RSA managed JWT keys
PKCE by default
2 store backends

Core features

Identity, production-ready

Multiple identity providers

Microsoft, Google, generic OAuth2, and Eru's internal DB auth — all behind one API.

PKCE-protected OAuth2

Code-verifier / code-challenge exchange — safe for native apps and SPAs by default.

JWT with managed RSA

Generate, rotate and publish RSA key pairs (2048 / 4096) automatically. JWK endpoint included.

Scoped API tokens

Per-project, per-tenant tokens with hash-only storage and immediate revocation.

Custom trait mapping

Map provider claims to your user model with per-provider trait configuration.

Multi-tenant by design

Per-project credentials, per-tenant isolation, per-environment configs — no shared state.

OAuth automation

Auto-register OAuth2 clients with scopes, redirect URIs and grant types from your config.

Identity store

Pick your identity store backend (Postgres or MySQL) — the API stays identical across either database.

JWK publishing

OIDC-friendly key discovery so any client can verify your tokens against published keys.

Architecture

A login flow, end to end

A user request hits the auth router, federates to the chosen provider, then flows through the RSA-backed JWT signer and token store — emitting a scoped, revocable token.

[Diagram: User + PKCE verifier → Auth router (trait map) → Provider (federated: Microsoft, Google, Eru, OAuth2) → RSA / JWT (sign · rotate) → Token store (hash-only) → Scoped token]

Providers & backends

Federate any combination

Microsoft, Google, Generic OAuth2, Eru internal auth, PostgreSQL store, MySQL store, PKCE, JWK publishing, OIDC

Configure, don't code

A provider in JSON

No SDK lock-in. Federate providers, map traits or rotate keys by editing config.

eru-auth/google.json
// Google OAuth provider — federated through eru-auth
{
  "auth_type": "OAUTH",
  "auth_name": "google",
  "token_header_key": "token",
  "key_id": "google-prod-2024",
  "oauth_config": {
    "client_id": "$SECRET_google_client_id",
    "client_secret": "$SECRET_google_client_secret",
    "redirect_uri": "$VAR_google_redirect_url",
    "sso_base_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_url": "https://oauth2.googleapis.com/token",
    "token_key": "access_token",
    "token_url_content_type": "application/x-www-form-urlencoded",
    "redirect_key": "redirect_uri",
    "jwk_url": "https://www.googleapis.com/oauth2/v3/certs",
    "scope": "openid profile email"
  }
}
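
A pre-deployment check for a provider file like google.json above, as an added example that is not part of eru-auth. It assumes the `$SECRET_` / `$VAR_` placeholder convention and key names shown in that file; the function `lint_provider`, its rules, and the reading of `jwk_url` as the key set for ID-token verification are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the page's google.json with two deliberate mistakes.
SAMPLE = """
{
  "auth_type": "OAUTH",
  "auth_name": "google",
  "key_id": "google-prod-2024",
  "oauth_config": {
    "client_id": "$SECRET_google_client_id",
    "client_secret": "literal-secret-committed-by-mistake",
    "redirect_uri": "$VAR_google_redirect_url",
    "sso_base_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_url": "http://oauth2.googleapis.com/token",
    "jwk_url": "https://www.googleapis.com/oauth2/v3/certs",
    "scope": "openid profile email"
  }
}
"""

def _is_https(value):
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.hostname)

def lint_provider(text):
    """Return a list of findings for one provider file (hypothetical rules)."""
    cfg = json.loads(text)
    oauth = cfg.get("oauth_config", {})
    findings = []
    if not cfg.get("key_id"):
        findings.append("key_id: missing")
    # Secrets should be injected by reference, never stored in the file.
    if not str(oauth.get("client_secret", "")).startswith("$SECRET_"):
        findings.append("client_secret: not a $SECRET_ reference")
    # Endpoints carrying codes, tokens or keys must be HTTPS.
    for key in ("sso_base_url", "token_url", "jwk_url"):
        if not _is_https(str(oauth.get(key, ""))):
            findings.append(f"{key}: not an https URL")
    redirect = str(oauth.get("redirect_uri", ""))
    if not (redirect.startswith("$VAR_") or _is_https(redirect)):
        findings.append("redirect_uri: not a $VAR_ reference or https URL")
    # Assumption: jwk_url is used to verify ID tokens, which need 'openid'.
    if oauth.get("jwk_url") and "openid" not in str(oauth.get("scope", "")).split():
        findings.append("scope: 'openid' missing although jwk_url is set")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_provider(SAMPLE)))
```

Run it in CI against every provider file so a committed literal secret or a downgraded endpoint fails the build before the config reaches the auth service.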