Developer‑centric authentication stack for teams that want to own their identity layer instead of renting it from hosted vendors. This collection brings together Keycloak, Casbin, Lucia, Better Auth, and Passport.js to give you a self‑hosted, full‑control authentication and authorization stack for modern Node.js and TypeScript apps.
Use it to implement secure logins, session management, SSO, OAuth 2.0 / OpenID Connect, MFA, and fine‑grained RBAC directly in your codebase without locking yourself into Auth0, Clerk, or any other hosted auth platform. Ideal for indie and small SaaS teams who care about open‑source IAM, predictable costs, and keeping every auth decision inside their own repo and infrastructure.
Keycloak -> Open-source identity and access management server for running logins, SSO, OAuth 2.0 / OpenID Connect, and user federation on your own infrastructure.
Casbin -> Open-source authorization library that gives you fine‑grained, policy‑based access control (RBAC/ABAC) inside your own code and database.
Lucia -> Simple and flexible TypeScript-first auth library that lets you build custom login, session, and adapter logic for modern Node.js apps without a hosted auth service.
Better Auth -> Comprehensive authentication framework for TypeScript that helps you own your entire auth layer from credentials to sessions and MFA inside your monorepo.
Passport.js -> Battle‑tested authentication middleware for Node.js with dozens of strategies for email/password, OAuth, and social logins, ideal as a lightweight building block in custom auth stacks.
FAQs
Who is this auth stack for?
Indie and small SaaS teams building modern Node.js and TypeScript apps who want to own their identity layer instead of renting hosted auth.
When should I choose a self-hosted auth stack over Auth0 or Clerk?
This stack makes sense once you care about predictable costs, strict data residency, and custom auth flows that are hard or expensive to model in hosted platforms.
What can I build with these tools?
You can implement secure logins, session management, SSO, OAuth 2.0 / OpenID Connect, MFA, and fine‑grained RBAC, with every auth decision executed inside your own codebase and infrastructure.
