About

Auth Fly

Open auth, owned by you.

Auth Fly is an open construction kit for authentication: a self-hosted SAML 2.0 + OIDC Identity Provider (IdP), a hosted UI built on UI8Kit, and adaptive SDKs that fit any language or framework. The proof of concept (PoC) is live with Hanko as the credential backend; the MVP runs on Supabase or your own Postgres through the SSO SPI.

The through-line is boring reliability: provider-agnostic core contracts, narrow adapters per credential backend, observability over storytelling, and documentation that matches production behaviour.

Security is not a feature — it is the spine of the project. Hardening is tracked publicly via a pre-flight checklist, with no telemetry and no third-party update channels in the critical path.

Open source · MIT
Started in 2025

Working principles

Own your IdP

Self-hosted, no telemetry, no third-party update calls. The IdP runs on your origin and only on your origin.

Adaptive SDKs

One TypeScript core for the browser; thin adapters per provider and per language. New stacks ship as adapters, not rewrites.

Provider-agnostic core

Core contracts depend on no UI and no backend. Swap Hanko for Supabase or a custom Postgres without touching the IdP or the UI.

Security in the open

Hardening tracked publicly with a pre-flight checklist. Strong points and gaps are listed side by side.

Technical references

Specs & checklists

Practical references for teams running their own IdP — protocols, hosted UI, and a public security checklist.

Auth Fly IdP — README (Auth Fly, 2025)

SAML 2.0 + OIDC dual-protocol IdP: endpoints, configuration, environment overrides, and cross-protocol SSO behaviour.

AuthKit & UI8Kit notes (Auth Fly, 2025)

Hosted UI on Go + templ: Renderer, ViewConfig, FlowConfig, embedded i18n, and the migration from Hanko Elements to UI8Kit.

Pre-flight security checklist (Auth Fly, 2026)

Public hardening list grouped into four stages: critical fixes, protocol hardening, web security, and enterprise features.

Roadmap timeline

2025 Q3 · Architecture: core / authkit / authkit-hanko split, contracts before code

2025 Q4 · PoC live: SAML 2.0 + OIDC sharing one signed IdP session, Hanko as credential backend

2025 Q4 · UI migration: Hanko Elements replaced one-to-one by UI8Kit across the hosted login UI

2026 Q1 · Stage 1 hardening: critical fixes (HTTP timeouts, JWT iss/aud/alg, session_key validation, key file mode 0600)

2026 Q2 · Stage 2 protocol hardening: PKCE, at_hash, OIDC iss check, SAML IssueInstant / Destination / anti-replay

2026 Q3 · Stage 3 web security: security headers, CSRF on admin, rate limiting, MaxBytesReader, graceful shutdown

2026 Q4 · Stage 4 enterprise: key rotation with multi-key JWKS, RSA-4096, SAML SLO, structured audit logs

Next · SSO SPI expansion: Supabase and custom Postgres backends behind the same CredentialVerifier contract

Next · Adaptive SDKs: AuthKit TS core plus thin SDKs for Go, Node, Python, PHP and .NET