Autional

Enterprise Identity Infrastructure.
Open Source.

24 microservices, 1,400+ APIs, 30+ SDK packages, 15+ compliance frameworks — everything your AI-generated app needs for identity.

🔐

Authentication & Registration

Complete user identity lifecycle — from sign-up to enterprise SSO, from basic auth to passwordless.

  • Email/password with configurable password policy (min length, complexity, history)
  • Password transmission encryption: plain, hash, symmetric (ECDH+AES-256-GCM), asymmetric (RSA-OAEP)
  • Social login: Google, GitHub, WeChat, Apple, Microsoft, DingTalk, Lark
  • Passwordless: Magic Link, SMS OTP, email OTP, QR code login, anonymous login
  • Password lifecycle: expiry, forced reset, N-previous history, per-tenant policy
  • Account recovery: forgot/reset password, phone/email verification, recovery codes
  • CAPTCHA: reCAPTCHA, Turnstile, Proof-of-Work — configurable per tenant
  • Password strength evaluation (zxcvbn, OWASP ASVS V6.2.8)
🛡️

Multi-Factor Authentication

From TOTP to phishing-resistant passkeys. Enterprise-grade MFA with risk-based adaptation.

  • TOTP (RFC 6238) — time-based one-time passwords
  • SMS and email OTP — via configurable provider backends
  • WebAuthn / FIDO2 / Passkey — platform and roaming authenticators
  • Push notification MFA — challenge/response with approve/deny
  • Adaptive MFA — risk engine: 7 signals (device/IP/geo/behavior/velocity/leak/hijack)
  • Backup and recovery codes — generate, verify, revoke, admin reset
  • Step-up authentication — re-authenticate for sensitive operations
🏢

Enterprise SSO & Federation

Connect with any identity provider. Standards-compliant SAML, OIDC, OAuth implementations.

  • SAML 2.0 — SP-initiated SSO, IdP management, SLO, metadata endpoints
  • OpenID Connect — full provider with Discovery, UserInfo, ID Token
  • OAuth 2.1 — Authorization Code + PKCE (RFC 7636), refresh tokens, device code (RFC 8628)
  • OAuth Token Exchange (RFC 8693) — service-to-service delegation, NHI token exchange
  • DPoP — bind tokens to client keys, prevent replay attacks
  • JARM — JWT-signed authorization responses for financial-grade security
  • Dynamic Client Registration (RFC 7591) — self-service OAuth client provisioning
  • Rich Authorization Request (RFC 9396) — structured authorization scopes
  • private_key_jwt — JWT-based client authentication
  • Social OAuth: GitHub, Google, Facebook, Discord, LinkedIn, WeChat, Apple
  • LDAP / Active Directory — bind authentication, user sync, group mapping
  • SCIM 2.0 — /scim/v2/Users and /Groups for enterprise user provisioning
👥

Multi-Tenancy & Organizations

Built for B2B SaaS. Every feature is tenant-aware by design.

  • Per-tenant data isolation — tenant_id on every query, 3-layer enforcement
  • Custom domains & white-label — per-tenant branding, custom login pages
  • Organization hierarchy — departments, org charts, delegated administration
  • Member management — invitations, approvals, role assignments, bulk import
  • Application and role management — per-tenant app CRUD, app-level roles
  • Tenant security policies — password policy, MFA, session timeout per tenant
  • Feature gates — plan-based enablement with per-tenant overrides
🔑

Authorization & Access Control

From roles to attributes to relationships. Four authorization models in one platform.

  • RBAC (NIST standard) — role hierarchy, inheritance, pre-defined super_admin/admin/security_admin
  • ABAC — expr-lang/expr policy engine, OPA/Rego bridge, JWT/GeoIP/DeviceTrust resolvers
  • ReBAC — BFS relationship graph, per-tenant cache with invalidation
  • PIM/JIT — time-bound role activation (max 24h), approval workflow, scheduled expiry
  • Separation of Duties (SoD) — conflict pair detection, enforcement on all assignments
  • PermissionRequired middleware — fine-grained endpoint-level access control
  • Approval workflow — sensitive operations require multi-party approval
🤖

NHI — Non-Human Identity

Identity for AI agents, robots, and IoT devices. Because AI needs its own identity.

  • AI Agent lifecycle: provisioning → active → rotating → revoked → deleted
  • Robot lifecycle: commissioning → active → degraded → decommissioned → deleted
  • IoT Device lifecycle: unpaired → active → transferring → revoked → deleted
  • Auth methods: client_credentials, api_key, device_code, intent_token
  • Delegation middleware — OnBehalfOf + Chain-ID headers for AI agent chains
  • Ed25519 intent token signing — signed operation scopes for delegated AI actions
  • Token exchange — OAuth token-exchange grant for NHI service-to-service auth
📊

Audit & Compliance

Tamper-proof audit trails with Merkle hash chain verification. Enterprise compliance frameworks.

  • Merkle hash chain audit logs — cryptographic integrity verification
  • GDPR DSAR automation — 7-service erasure orchestration, hash-chain audit trail
  • Two-level deletion — soft-delete (reversible) → anonymization (irreversible), scheduler-driven
  • Compliance frameworks: ISO 27001, PCI DSS, HIPAA, SOX, PSD2, PIPL, Dengbao 2.0
  • Data classification — Public / Internal / Confidential / Restricted
  • Cross-border data transfer management
  • Data retention policies — configurable TTL, archive triggers
  • Breach notification and vendor risk assessment management
  • Penetration test and audit finding tracking with evidence linking
🇨🇳

National Cryptography (GM/T)

Chinese national standard cryptography. Required for government and regulated industry deployments.

  • SM2 — elliptic curve key exchange and digital signature
  • SM3 — cryptographic hash algorithm (256-bit)
  • SM4 — block cipher (CBC/PKCS7) for data encryption
  • Ed25519 — high-performance signature algorithm
  • Per-tenant crypto profile — tenant-level algorithm selection (SM vs standard)
  • 14 integration points across the system; automatic needs-rehash detection when the configured algorithm changes

Developer Platform

1,400+ APIs, 30+ SDK packages, gRPC mesh, auto-generated TypeScript types.

  • 1,400+ RESTful API endpoints across 24 microservices, versioned and documented
  • gRPC service mesh — 9 microservices with gRPC interfaces
  • SDK: 30+ npm packages — React, Vue, Next.js, Svelte, React Native, MiniApp, Node.js, plus 19 api-* client packages
  • Auto-generated TypeScript types — from OpenAPI specs (38K+ lines)
  • 600+ webhook event types — HMAC-signed delivery across all services
  • Swagger/OpenAPI — interactive docs for every endpoint
  • TanStack Query hooks — auto-generated for all endpoints
🏗️

Infrastructure & Integrations

Multi-provider, cloud-native. Run anywhere — your infrastructure, your control.

  • PostgreSQL + PgBouncer, MongoDB, Redis, RabbitMQ, Kafka, ZooKeeper
  • Object storage: MinIO, S3, Alibaba OSS, Tencent COS, SeaweedFS
  • SMS: Aliyun, Tencent, SMS4Dev (dev) | Email: SMTP
  • Identity verification: Aliyun OCR, Baidu, Tencent, CTID
  • Field-level encryption with key rotation — AES-256-GCM or SM4-GCM
  • Prometheus + Grafana + OpenTelemetry + Jaeger + Loki + Alertmanager
  • Docker + Podman compose, Kubernetes-ready