Self-hosted identity engine

Identity infrastructure you actually own

AuthForge is the enterprise identity and access engine that runs entirely on your infrastructure. Argon2id hashing, Ed25519-signed sessions, zero data egress, and sub-millisecond verification at the edge. Replace Auth0 and Clerk — without the per-user tax or the black box.

Your users never touch our servers — because there are none.
  • <1ms: Edge token validation
  • 0: Bytes of data egress
  • Users, orgs & tenants
  • 100%: Self-hosted & auditable

Get started

Configure AuthForge for any website

No per-user fees. No black box. Three paths — pick the one that fits you.

Website owner

Open the setup wizard, type your domain, copy the settings to Ratel or your host, add one sign-in link to your site.

Setup wizard

Deploy on Ratel

Push to GitHub, connect Ratel, attach a domain. Login UI, API, and docs ship on one port — live demo at /login.html.

Open Ratel

Developer

Embed sdk/authforge.js, verify JWTs locally via JWKS, or call the REST and gRPC APIs directly.

SDK reference

The platform

Built for teams that can't outsource trust

Four architectural decisions that separate AuthForge from hosted identity providers.

Zero-latency edge verification

A lightweight WebAssembly sidecar synchronizes with the core over an open WebSocket and evaluates session tokens locally — in under a millisecond, with no outbound roundtrip. Authorization decisions happen where your code runs.

Infrastructure-first pricing

No tiers metered on monthly active users or organizations. The entire platform is one optimized binary or Docker container on your own bare metal or VPS. Scale to millions of identities for the cost of the box they run on.

Deep multi-tenancy, natively

Nested B2B hierarchies — User to Organization to Department to Team — modeled at the database core, not bolted on. Granular RBAC roles and permission scopes travel inside every signed session.

Headless developer experience

State machines, auth bindings, and local evaluation exposed as primitives. Drop in unstyled, copy-pasteable Tailwind templates — no rigid iframes, no vendor chrome, full control of your UI.

Security model

Defense in depth, every layer audited

Modern cryptography by default. No legacy ciphers, no shortcuts, no black boxes — every primitive is open and inspectable.

Argon2id password hashing

Memory-hard hashing tuned to the OWASP profile, with an optional server-held pepper for keyed hashing. A database leak alone is not brute-forceable.

Ed25519 signed sessions

EdDSA-signed JWTs carry jti, nbf, issuer and audience. Keys rotate cleanly; every published key stays in the JWKS until its tokens expire.

Zero data egress

Identities, credentials and sessions never leave your perimeter. There is no vendor cloud in the path — data sovereignty is the default, not an add-on.

Constant-time & zeroized

Refresh tokens are 256-bit CSPRNG secrets, stored only as digests and compared in constant time. Pepper and private-key bytes are wiped from memory on drop.

Brute-force resistance

Per-identity lockout gates the login path before the expensive hash runs, and identical responses for unknown users and bad passwords defeat enumeration.

Open & auditable

A compact Rust core you can read line by line, hardened by an in-CI supply-chain gate (cargo-deny) for advisories, licenses, and dependency provenance.
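
The login path described under "Brute-force resistance" above, as an added example rather than AuthForge's own code: the lockout check runs before any hashing, and unknown identities follow the same path and get the same response as bad passwords. Assumptions: scrypt with an HMAC pre-hash stands in for peppered Argon2id so the block needs only node:crypto, and the threshold of 5 failures, the 15-minute lock and all names are hypothetical.

```javascript
const crypto = require('node:crypto');

const MAX_FAILURES = 5;          // assumed threshold
const LOCK_MS = 15 * 60 * 1000;  // assumed lock duration
const GENERIC = { ok: false, error: 'invalid_credentials' };

// Stand-in for peppered Argon2id: HMAC keyed with the pepper, then scrypt
function hashPassword(password, salt, pepper) {
  const keyed = crypto.createHmac('sha256', pepper).update(password).digest();
  return crypto.scryptSync(keyed, salt, 32);
}

// users: Map of identity -> { salt, hash } (constructed by the caller)
function makeAuthenticator(users, pepper) {
  const failures = new Map(); // identity -> { count, until }
  // Unknown identities are hashed against this record so they cost the same
  const dummy = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };
  let hashCalls = 0;

  function login(identity, password, now = Date.now()) {
    const f = failures.get(identity) || { count: 0, until: 0 };
    // Gate first: a locked identity never reaches the expensive hash
    if (now < f.until) return GENERIC;
    const record = users.get(identity) || dummy;
    hashCalls++;
    const candidate = hashPassword(password, record.salt, pepper);
    // Constant-time compare runs for known and unknown identities alike
    const match = crypto.timingSafeEqual(candidate, record.hash);
    if (match && users.has(identity)) {
      failures.delete(identity);
      return { ok: true };
    }
    f.count++;
    if (f.count >= MAX_FAILURES) { f.until = now + LOCK_MS; f.count = 0; }
    failures.set(identity, f);
    return GENERIC; // same body for unknown user and bad password
  }

  return { login, hashCalls: () => hashCalls };
}
```

The lock is tracked per identity string whether or not the account exists, so the lockout itself reveals nothing about which identities are registered.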

Architecture

A hybrid core engineered for latency

A Rust cryptographic core for the heavy math, an Elixir mesh for real-time fan-out, and an edge sidecar that validates locally.

Edge

Client SDK & WASM sidecar

Headless React hooks; tokens validated locally in <1ms against the published JWKS.

secure websockets / TLS 1.3

Mesh

Real-time layer — Elixir / Phoenix

Phoenix Channels and Broadway drive session replication and out-of-band webhooks.

gRPC over Unix domain socket

Core

Cryptographic core — Rust

Argon2id, Ed25519 signing, WebAuthn handshakes on Axum + Tonic.

tightly constrained schemas

Store

PostgreSQL + Redis

Postgres for the permanent registry; Redis for presence, lockouts, and revocation lists.

Pricing

Infrastructure-first, never per-user

Self-host the core for free, forever. Paid tiers add support, assurance, and enterprise controls — never a tax on your growth.

Community

$0 USD / month

Self-host, forever free

Get started free
  • Self-hosted core engine
  • Unlimited users & organizations
  • Argon2id + Ed25519 cryptography
  • gRPC + JWKS APIs
  • Community support

Startup

$4939 USD / month

For growing teams

Start free trial

Everything in Community, plus:

  • Priority email support
  • Guided upgrades & migrations
  • Social & SSO connectors
  • Webhook event delivery

Enterprise

From

Custom

Maximum assurance

Contact sales

Everything in Business, plus:

  • Dedicated solutions architect
  • Custom SLA & signed DPA
  • Air-gapped on-prem option
  • SOC 2 / HIPAA support
  • Security review & pen-test support

Need air-gapped deployment, a signed DPA, or a custom SLA?

Talk to our enterprise team

Developer experience

Production-grade in three commands

Pull the container, mount a key volume, and you have a signing authority publishing a standard JWKS. Verify anywhere with off-the-shelf libraries — AuthForge speaks open standards, not a proprietary protocol.

  • Standards-compliant JWKS at /api/v1/jwks.json
  • Distroless image — no shell, runs as non-root
  • Graceful shutdown, health and readiness probes
  • Drop-in React provider and useAuth() hook
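
deploy.sh
# Run the self-hosted identity core
# The pepper below is generated fresh on each invocation; generate it once, keep it
# with your secrets, and pass the same value on every start, because a hash keyed
# with one pepper does not verify under a different one
docker run -p 8080:8080 -p 50051:50051 \
  -v authforge-keys:/app/keys \
  -e AUTHFORGE_PASSWORD_PEPPER="$(openssl rand -base64 32)" \
  authforge:latest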

# Edges fetch the public signing keys — no secrets leave the box
curl https://auth.authforge.dev/api/v1/jwks.json
› { "keys": [{ "kty": "OKP", "crv": "Ed25519", ... }] }
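
What local verification against that JWKS involves, as an added example (not AuthForge's SDK or code): a Node.js verifier using only node:crypto that pins EdDSA, selects the key by kid, checks the signature, then iss, aud, nbf and exp. The helper names, key ids and the jti revocation set are assumptions made for the illustration, and the keys are generated locally.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed signing key; the JWK has the shape the page shows (kty OKP, crv Ed25519)
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { kid, privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
}

// Issuer side, present only so the example has tokens to check
function sign(key, claims, header = { alg: 'EdDSA', typ: 'JWT', kid: key.kid }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign(null, Buffer.from(input), key.privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Verifier side: uses only the cached JWKS, no call back to the issuer
function verify(token, jwks, opts) {
  const { issuer, audience, revoked = new Set() } = opts;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = fromB64u(h);
  // Pin the algorithm; the token header must never choose it
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const jwk = jwks.keys.find(
    (k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) throw new Error('unknown kid');
  const pub = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk' });
  const sigOk = crypto.verify(
    null, Buffer.from(`${h}.${p}`), pub, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  // Claims are read only after the signature has been checked
  const c = fromB64u(p);
  if (c.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(c.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || now >= c.exp) throw new Error('expired');
  if (typeof c.nbf === 'number' && now < c.nbf) throw new Error('not yet valid');
  if (revoked.has(c.jti)) throw new Error('revoked'); // assumed use of jti
  return c;
}
```

A token signed by a rotated-out key keeps verifying only while that key's entry remains in the JWKS the verifier holds, which is why the retired key has to stay published until its last token expires.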

app.tsx
import { AuthForgeProvider, useAuth } from '@authforge/react';

// Dashboard is your own application component, imported from your code base
export function App() {
  return (
    <AuthForgeProvider authority="https://auth.authforge.dev">
      <Dashboard />
    </AuthForgeProvider>
  );
}

The honest comparison

Own your stack, end the Auth Tax

Hosted identity is convenient until the invoice scales with your success and your users' data lives somewhere you don't control.

| Capability | AuthForge | Auth0 | Clerk |
| --- | --- | --- | --- |
| Pricing model | Flat infrastructure cost | Per monthly active user | Per monthly active user |
| Data residency | Your servers, always | Vendor cloud | Vendor cloud |
| Token validation | <1ms, local at the edge | Network roundtrip | Network roundtrip |
| Source available & auditable | Yes | No | No |
| Self-hosted, single binary | Yes | No | No |
| Nested B2B multi-tenancy | Native | Limited | Add-on |
| Vendor lock-in | None — open standards | High | High |

Compliance & governance

Architected to meet your obligations

Self-hosting collapses your compliance scope: when identity data never leaves your environment, you control residency, retention, and access end-to-end. AuthForge is built to support the controls these frameworks require.

SOC 2 ready

Confidentiality & integrity controls

HIPAA aligned

PHI stays inside your boundary

GDPR sovereignty

Residency & erasure on your terms

ISO 27001 mapped

Cryptography & access controls

Own your identity stack.

Deploy AuthForge on your own infrastructure today. No per-user pricing. No data leaving your perimeter. No black box.