Appstrate
[Developer Platform]

Become your own identity provider.

A built-in OAuth 2.1 / OpenID Connect server. White-label login, per-application social providers, ES256-signed JWTs, strict realm isolation.

[01 · Why it matters]

Stop renting your login screen from Auth0.

Every product with users needs authentication — sign-up, login, password reset, social auth, token refresh, consent screens. Most teams reach for Auth0, Okta, or Clerk. The bill grows with your user count and you've locked your identity layer to a vendor.

Appstrate ships a full OIDC authorization server as a built-in module. Your applications become identity providers: their end-users authenticate through you, not through a third party. The module includes PKCE, consent flows, ES256-signed JWTs, per-application SMTP and social (Google/GitHub) branding, and automatic audience isolation, so user_42 in app A can never be confused with user_42 in app B.

OAuth 2.1: spec-compliant
ES256: JWT signing
PKCE: enforced by default
per-app: social + SMTP branding

[02 · How it works]

Enable the module. Register a client. Redirect.

The oidc module owns its tables: jwks, oauth_client, oauth_access_token, oauth_refresh_token, oauth_consent, end-user profiles. Your mobile app, partner integration, or satellite service hits your Appstrate instance as if it were Auth0. Realm isolation ensures tokens from app A cannot authenticate into app B.

In practice

Every piece of Appstrate is a declared, versioned artifact — the agent, its tools, its skills, its provider connections. You describe them once; the platform handles packaging, dependencies, isolation, and execution.

Each section below goes deeper on what that means for becoming your own identity provider.


[03 · Deep dive]

What makes it work.

🔑

OAuth 2.1 / OIDC

Authorization code + PKCE, refresh tokens, consent, JWKS endpoint, discovery document.

🎨

Per-application branding

Each app has its own SMTP, Google/GitHub credentials, consent copy. White-label ready.

🔒

Realm isolation

Tokens carry the application as audience. A token for app A cannot authenticate into app B, ever.

✍️

ES256-signed JWTs

Elliptic-curve signing, rotating JWKS, verifiable by any OIDC-compatible client.
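
The check a client or resource server would run to rely on the realm-isolation and ES256 points above, as an added Node.js example; it is not Appstrate's code. The issuer URL, the app_a/app_b audience values and the in-memory key pair are constructed for illustration, and a real verifier would load the public key from the JWKS endpoint.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed key pair and issuer; stand-ins for the server's JWKS and URL.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const ISSUER = 'https://auth.example.test';

// Issuer side, present only to produce sample tokens for the check below.
function signToken(claims, header = { alg: 'ES256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 uses the raw 64-byte r||s signature, not DER.
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Verifier side: accept a token only if it is ES256-signed by the issuer,
// unexpired, and minted for this application.
function verifyForApp(token, expectedAud, key = publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token header must not get to pick "none" or HS256.
  if (header.alg !== 'ES256') return { ok: false, reason: 'bad_alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad_signature' };
  if (claims.iss !== ISSUER) return { ok: false, reason: 'bad_issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // aud may be a string or an array (RFC 7519); require an exact match.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) return { ok: false, reason: 'wrong_audience' };
  return { ok: true, sub: claims.sub };
}

// Same subject, same signing key, different application: app B must reject it.
const exp = Math.floor(Date.now() / 1000) + 300;
const tokenA = signToken({ iss: ISSUER, aud: 'app_a', sub: 'user_42', exp });
console.log(verifyForApp(tokenA, 'app_a'));
console.log(verifyForApp(tokenA, 'app_b'));
```

Isolation holds only if every application performs the audience comparison itself; a valid signature alone proves who issued the token, not which application it was issued for.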


Stop paying for auth. Ship your own.

OIDC, branded per application, realm-isolated, self-hosted. Cancel the Auth0 invoice.