Self-hosted identity that boots in minutes, not afternoons.

Idenplane is an AGPL-licensed identity server for teams that don't want a SaaS bill, a JVM, or vendor lock-in. Standards-compliant OAuth 2.0, OIDC, and SAML 2.0, with first-class SDKs for TypeScript, React, Next.js, iOS, and Android.

Live demo — log in with one click, no signup. Resets hourly.

Standards: OAuth 2.0 · OpenID Connect 1.0 · SAML 2.0 · PKCE (RFC 7636) · TOTP (RFC 6238) · WebAuthn / FIDO2 · Device Authorization (RFC 8628)
Features

What you get out of the box

Everything you need to authenticate users and protect APIs — built on standards your auditors already know.

Authentication & Security

OAuth 2.0 + OpenID Connect

Authorization Code with PKCE, Client Credentials, Device Authorization (RFC 8628), Refresh Token grants. OIDC Core 1.0 with discovery, backchannel logout, and session management.

Read the docs

SAML 2.0 (IdP and SP)

Act as Identity Provider or Service Provider. Issue and validate SAML assertions, broker external IdPs, exchange metadata, sign assertions — full enterprise SSO.

Read the docs

MFA, Passwordless and Step-Up

TOTP authenticators, FIDO2/WebAuthn for hardware keys and biometrics, recovery codes, brute-force protection, and progressive ACR step-up for sensitive operations.

Read the docs
Identity

Multi-Tenant Realms and Organizations

Isolated realms with independent users, clients, signing keys, themes, and configurations. Org-level B2B teams, member invitations, and hierarchical roles for SaaS multi-tenancy.

Read the docs

Federation and Social Login

Broker external OIDC and SAML identity providers — Google, GitHub, Microsoft, Apple, or any compliant IdP. LDAP/Active Directory sync, on-demand or scheduled imports.

Read the docs

Risk-Based Authentication (Beta)

Score login attempts on signals like IP reputation, device posture, geo-velocity, and time-of-day. Trigger step-up MFA or block on threshold. APIs to plug in your own scoring.

Read the docs
Developer Platform

Admin Console

React 19 dashboard for realms, users, clients, roles, groups, sessions, and events. Per-realm theming, real-time updates, and full CRUD on every resource the API exposes.

Read the docs

SDKs and CLI

First-party SDKs for TypeScript, React, Next.js, Vue, Angular, iOS (Swift), and Android (Kotlin). Five lines to authenticate. A CLI for realm provisioning and CI workflows.

Read the docs
SDKs

10 SDKs for every platform

First-class SDKs for web, mobile, and server. OAuth 2.0 + PKCE, automatic token refresh, and platform-native features like biometrics. Install and authenticate in 5 lines.

TypeScript · idenplane-sdk

Zero-dependency core + React hooks at idenplane-sdk/react

Next.js · idenplane-nextjs

Middleware, Server Components, API routes

Vue · idenplane-vue

Composables, plugin, router guard

Angular · idenplane-angular

IdenplaneModule, AuthService, AuthGuard, AuthInterceptor

iOS · Idenplane (Swift Package Manager)

Keychain storage, Face ID / Touch ID

Android · idenplane-android (Gradle)

EncryptedPrefs, BiometricPrompt

Go · github.com/idenplane/idenplane/packages/idenplane-go

Server-side OIDC discovery cache and admin user API

Python · idenplane (PyPI)

Server-side OIDC discovery cache and admin user API

CLI · idenplane-cli

Manage realms, users, clients, and roles from the terminal

Java · io.idenplane:idenplane-java (Preview)

1.0.0-SNAPSHOT · Spring Boot, Jakarta, Reactive

$ npm install idenplane-sdk
import { IdenplaneClient } from 'idenplane-sdk';

const idenplane = new IdenplaneClient({
  url: 'https://auth.example.com',
  realm: 'my-realm',
  clientId: 'my-app',
  redirectUri: 'http://localhost:5173/callback',
  refreshStrategy: 'rotation',
});

await idenplane.init();
if (!idenplane.isAuthenticated()) {
  await idenplane.login();
}

const user = idenplane.getUserInfo();
console.log(user.name, user.email);
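What idenplane.login() has to do under the hood for the Authorization Code + PKCE flow, as an added example that is not the idenplane-sdk source: generate a code_verifier, derive the S256 code_challenge, bind the callback to a random state, and check that state before the code is ever exchanged. The authorization endpoint URL passed in is assumed to come from the realm's OIDC discovery document.

```typescript
import { createHash, randomBytes } from "crypto";

// RFC 7636 base64url: URL-safe alphabet, no padding.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// code_verifier: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 chars.
export function createCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256".
export function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

export interface AuthorizeRequest {
  url: string;          // redirect the browser here
  codeVerifier: string; // keep in session storage; sent only to the token endpoint
  state: string;        // echoed back by the IdP; reject the callback if it differs
}

// authorizeEndpoint is the authorization_endpoint from the realm's OIDC discovery
// document (its exact URL shape is assumed; the client never hard-codes it).
export function buildAuthorizeRequest(
  authorizeEndpoint: string, clientId: string, redirectUri: string,
  scope = "openid profile email",
): AuthorizeRequest {
  const codeVerifier = createCodeVerifier();
  const state = base64url(randomBytes(16)); // CSRF binding for the callback
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: codeChallengeS256(codeVerifier),
    code_challenge_method: "S256", // never "plain"
  });
  return { url: `${authorizeEndpoint}?${params.toString()}`, codeVerifier, state };
}

// Callback check before exchanging the code: state must match, no error, code present.
export function callbackIsValid(callbackUrl: string, expectedState: string): boolean {
  const q = new URL(callbackUrl).searchParams;
  return q.get("state") === expectedState && q.get("code") !== null && q.get("error") === null;
}
```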
Architecture

One compact data-flow

Requests flow top-to-bottom — client to protocol to engine to identity to data. Every layer is replaceable, every layer is observable.

  1. Client Apps

    Your SPAs, servers, mobile apps and CLIs

    React · Next.js · Vue / Angular · iOS / Android · CLI / M2M
  2. Protocol Layer

    Standards-compliant endpoints

    OAuth 2.0 + PKCE · OpenID Connect 1.0 · SAML 2.0 · Device Authorization · JWKS / Discovery
  3. Auth Engine

    Login flows, MFA and session management

    Login Flows · MFA / WebAuthn · Step-Up Auth · Risk Scoring · SSO Sessions (+ 3 more)
  4. Identity Core

    Resources, policies and federation

    Users · Realms · Roles & Groups · Organizations · Federation / LDAP (+ 4 more)
  5. Data & Infrastructure

    Persistent storage, cache and email

    PostgreSQL 16 · MySQL 8+ · Redis · LDAP / AD · SMTP

Observability (Prometheus metrics, audit events, structured Pino logs) attaches at every layer. Read the architecture guide

Comparison

Idenplane vs. the rest

Honest comparison. Sources and dates linked below — open a PR if anything is outdated.

Snapshot as of 2026-05. See notes below the table.

Feature comparison between Idenplane, Keycloak, Auth0, Clerk, and SuperTokens as of 2026-05. Columns, left to right: Feature, Idenplane, Keycloak, Auth0, Clerk, SuperTokens.
Deployment
Self-hosted (on your infra) 1 N/A N/A
Hosted / managed option
Open source
Docker one-liner 1 N/A N/A
Kubernetes / Helm 1 N/A N/A
Horizontal scaling
Protocols
OAuth 2.0 + PKCE ~ 3
OpenID Connect 1.0 ~ 3
SAML 2.0 ~ 2
Device authorization
Step-up authentication ~ ~
MFA & Passwordless
TOTP (authenticator app)
WebAuthn / FIDO2
Recovery codes
Brute-force protection
Identity
Multi-tenant realms
B2B organizations ~ ~
RBAC (roles & groups)
LDAP / Active Directory
Social & enterprise IdP
Custom attributes ~
Developer Experience
Modern admin console
REST API
Web SDKs (React / Vue / Angular) ~
Mobile SDKs (iOS / Android) ~
CLI tool
Webhooks ~
Plugin / extension system ~
Operations
Prometheus metrics
Health-check endpoints
Rate limiting ~
Audit logging
Realm / tenant theming ~
Implementation language: Idenplane TypeScript · Keycloak Java · Auth0 N/A (SaaS) · Clerk N/A (SaaS) · SuperTokens TypeScript
Idle memory baseline [4]: Idenplane ~150 MB · Keycloak JVM-bound · Auth0 N/A · Clerk N/A · SuperTokens ~200 MB
Local-dev setup time [4]: Idenplane ~30 sec · Keycloak ~5 min · Auth0 ~2 min · Clerk ~2 min · SuperTokens ~5 min
Official SDK count: Idenplane 10 · Keycloak 2 · Auth0 10+ · Clerk 5+ · SuperTokens 4
Pricing model: Idenplane AGPL-licensed · Keycloak Apache 2.0 · Auth0 Freemium $$$ · Clerk Freemium $$ · SuperTokens Apache 2.0 + paid add-ons

Legend: Full support · Partial / paid tier · Not applicable (SaaS) · Not available
  1. Auth0 and Clerk are managed SaaS — self-hosting is not an option, not an absence. Marked N/A in deployment rows.
  2. Clerk SAML SSO and enterprise SSO connections require the Enterprise plan (clerk.com/pricing).
  3. SuperTokens implements OAuth 2.0 / OIDC for select flows; coverage is more limited than Keycloak or Auth0 (supertokens.com).
  4. Memory figures are idle baselines from internal smoke tests with a single realm and default config — not load-test results. Workload dictates real-world usage.
Getting Started

Local dev in 30 seconds

Three commands to a working identity server. Production checklist included — don't ship the local config.

Bring up Postgres, Redis, and Idenplane

Drop the compose file into your project and start the stack. The image is pinned to v1.0.0 — bump it in your own infra on your own schedule.

# compose.yaml
services:
  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: idenplane
      POSTGRES_PASSWORD: change-me-in-production
      POSTGRES_DB: idenplane
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U idenplane"]
      interval: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    volumes:
      - redisdata:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      retries: 5

  idenplane:
    image: islamawad/idenplane:v1.0.0   # pin a version tag in prod
    depends_on:
      postgres: { condition: service_healthy }
      redis:    { condition: service_healthy }
    environment:
      DATABASE_URL: postgresql://idenplane:change-me-in-production@postgres:5432/idenplane
      REDIS_URL:    redis://redis:6379
      JWT_SECRET:   replace-with-a-long-random-string
    ports:
      - "3000:3000"

volumes:
  pgdata:
  redisdata:
$ docker compose up -d

Create a realm and a client

Hit the admin API or open the Admin Console at http://localhost:3000/admin. The example below uses a bootstrap admin token printed on first start.

curl -X POST http://localhost:3000/admin/realms \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"my-app","displayName":"My App"}'

Wire the SDK into your app

Install the SDK for your framework and point it at your realm. Five lines is enough for the auth code + PKCE flow.

npm install idenplane-sdk

Production checklist

You are running locally. Before you ship, walk through this list. The docs link below has the full version with example configs and rollout patterns.

  • TLS / HTTPS

    Terminate TLS at a reverse proxy (Caddy, Traefik, Nginx) or your platform's load balancer. Idenplane sets HSTS and secure cookies when it sees an HTTPS request.

  • Secrets

    Replace every change-me value: DATABASE_URL credentials, JWT_SECRET (32+ random bytes), and admin bootstrap password. Pull from your secret manager, not the compose file.

  • Backups

    Schedule pg_dump or your platform's managed Postgres backups. Test restores monthly. Redis is cache-only — losing it is fine, losing Postgres is not.

  • Observability

    Scrape /metrics for Prometheus, ship structured JSON logs from stdout to your log aggregator, and add /healthz to your liveness probe.

Idenplane is running at http://localhost:3000

Need more depth? Read the full deployment guide →

Admin Console

Powerful Admin Dashboard

Full-featured React 19 admin console for managing realms, users, clients, roles, groups, sessions, identity providers, and audit logs — all in real time.

Preview (localhost:3000/console): the Dashboard for the selected realm shows Total Users, Active Sessions, OAuth Clients and Login Events (24h) with their trend, a Recent Users list with MFA and role badges, and a Login Events feed (LOGIN_SUCCESS, LOGIN_FAILURE, TOKEN_REFRESH) with source IP and time, linked to the audit log.
Open Source

Built in the open.
Owned by you.

No vendor lock-in. No surprise pricing. Fork it, extend it, self-host it. Your identity infrastructure, your rules.


Sponsor Idenplane on GitHub

Recurring sponsorship funds maintenance, security fixes, and new SDKs.

Become a sponsor

How to contribute

Report issues

Found a bug? Open an issue on GitHub with reproduction steps.

Report a bug →

Submit PRs

Fix bugs, add features, or improve docs. Pull requests are welcome.

Contributing guide →

Spread the word

Star the repo, share on social, write about your experience with it.

Star on GitHub →

For developers

Read the source, run the tests, integrate the SDK.

Star on GitHub: idenplane/idenplane
Install the SDK: npm i idenplane-sdk

For teams

Deploy to your infrastructure and manage identity across all your applications.

FAQ

Things you'll actually ask

The short, honest answers.

Why not just use Keycloak?

Keycloak is the right answer if you have a JVM team and want every IAM feature ever shipped. Idenplane targets a different point on the curve — a TypeScript codebase, a smaller memory footprint, modern SDKs, and a build/deploy story that fits a Node-shop CI. If you already run Java in production and need every Keycloak feature, stay on Keycloak. If you want a TypeScript stack with the protocols that actually matter, try Idenplane.

Is Idenplane production-ready?

Idenplane is at v1.0.0 with the OAuth 2.0, OIDC, SAML 2.0, MFA, WebAuthn, federation, and admin surface area you need to run authentication. It has not been third-party penetration-tested or independently audited. Use the comparison table to map what you need against what is in the box, run our suggested deployment, and decide for your own risk tolerance. "Production-ready" is a property of your deployment, not just the software.

Who maintains it?

Idenplane is maintained by a small open-source team led by the original author. The repository lives at github.com/idenplane/idenplane — issues, pull requests, and discussions are all public. There is no commercial entity behind it today, and no plans to relicense.

How are CVEs and vulnerabilities handled?

Report privately via [email protected] or by opening a GitHub Security Advisory at github.com/idenplane/idenplane/security/advisories/new. We aim to acknowledge within 72 hours, fix within 90 days, and coordinate disclosure with you. Fixes ship as patch releases; advisories are published on the GitHub Security tab once a fix is available. See our security.txt for the canonical contacts.

What's the upgrade story?

Idenplane follows semver. Patch (1.0.x) and minor (1.x.0) releases are backward-compatible and ship with the same image tag scheme. Database migrations run automatically on container start. Major releases (e.g. 2.0.0) document breaking changes in CHANGELOG.md and ship a migration guide. Pin a version tag in production and read the changelog before bumping.

Have a question that isn't here? Open a discussion on GitHub →