Docker-Native Identity Platform

Identity infrastructure for modern applications

The self-hosted authentication platform that combines enterprise power with developer experience. Deploy in seconds, scale with confidence.

bash
# Try Kotauth — one command
$ curl -O https://raw.githubusercontent.com/inumansoul/kotauth/main/docker-compose.quickstart.yml
$ docker compose -f docker-compose.quickstart.yml up -d

Starting Kotauth Server v1.5.2...
Identity server ready on port 8080
Admin dashboard available at /admin
Demo data loaded — two workspaces ready
API documentation at /api/docs

Features

Everything you need for identity management

Complete authentication infrastructure with the simplicity developers expect

OAuth 2.0 & OpenID Connect

Authorization Code + PKCE, Client Credentials, token rotation, introspection, revocation, and OIDC Discovery. Spec-compliant — any OIDC client library works out of the box.

Multi-Tenant Workspaces

Isolated user directories, per-tenant RS256 key pairs with admin-initiated rotation, slug-routed APIs, and independent security policies. One instance, many products.

Authentication & User Onboarding

Password + TOTP MFA with recovery codes, Google and GitHub social login with auto-linking, and admin-initiated user invitations with branded email activation.

Security by Default

bcrypt hashing, AES-256-GCM encryption at rest, SHA-256 API keys, strict CSP with SRI, account lockout, tiered rate limiting, key rotation with JWT kid headers, and CSRF protection.

AI-Native Management (MCP)

Manage users, roles, sessions, and audit logs from Claude, Cursor, or any MCP client. 19 tools, scope-based access control, zero custom code. npx @kotauth/mcp to connect.

Docker-Native Deployment

~120 MB image on GHCR. One-command quickstart, Flyway auto-migrations, built-in CLI tools, bundled Swagger UI, and HTTP compression. Works fully air-gapped.

AI-Native Management

Manage identity with natural language

The first self-hosted IAM server with native Model Context Protocol support. Connect Claude, Cursor, or any MCP-compatible AI — no SDK, no HTTP, no custom code.

MCP Session

Bob's account may be compromised. Disable him, kill all his sessions, and show me what happened in the last hour.

On it. I'll lock the account, revoke active sessions, and pull the audit trail.

get_user
  search: "bob" → userId: 87
disable_user
  ✓ Account disabled
revoke_session
  ✓ 2 active sessions revoked
query_audit_logs
  userId: 87, last 60 min

Done. Bob is locked out and both sessions are terminated. Here's the last hour:

LOGIN_FAILED: 3 attempts from 191.96.x.x
LOGIN_SUCCESS: from 191.96.x.x
USER_UPDATED: email changed
ADMIN_USER_DISABLED: by you, just now

Three failed logins from an unfamiliar IP followed by a successful login and an email change. Looks like credential stuffing — the email change confirms account takeover.

One command to connect: npx @kotauth/mcp

19 tools across 6 domains

Every tool is guarded by API key scopes — your AI assistant only gets the permissions you choose. Full RBAC, user lifecycle, session management, and audit log queries through conversation.

Users (7 tools): create, list, update, disable, assign roles
Roles (3 tools): create, list, delete
Groups (4 tools): create, list, manage members
Applications (2 tools): list, update settings
Sessions (2 tools): list active, revoke
Audit Logs (1 tool): query with filters

Auth Experience

Auth screens that don't look like auth screens

Production-ready login, registration, MFA, and account management pages — beautiful by default, fully white-labeled per tenant, zero rebuild required.

Server-rendered, zero JS overhead

Auth pages are pure server-rendered HTML. No client-side framework, no hydration delay — first meaningful paint in under 100ms.

White-label per workspace

CSS custom properties injected at render time. Each tenant gets its own colors, logo, and favicon with zero rebuild or CDN invalidation.

Complete screen set

Login, register, forgot password, reset password, accept invite, TOTP MFA, and email verification — all styled and production-ready.

Three presets, full customization

Start with Dark, Light, or Simple. Override any design token to match your brand without touching backend code.

javascript
const BASE = 'https://auth.acme.com/t/myapp/api/v1';
const headers = {
  'Authorization': 'Bearer kauth_myapp_sk_xxxxxxxx',
  'Content-Type': 'application/json',
};

// 1. Provision a user
const user = await fetch(`${BASE}/users`, {
  method: 'POST',
  headers,
  body: JSON.stringify({
    username: 'jsmith',
    email: 'j.smith@acme.com',
    fullName: 'John Smith',
    password: 'Str0ng!Pass',
  }),
}).then(r => r.json());
// → { id: 42, username: 'jsmith', enabled: true, ... }

// 2. Assign a role (RBAC)
await fetch(`${BASE}/users/${user.id}/roles/3`, {
  method: 'POST', headers,
});

// 3. Pull audit trail
const { data: events } = await fetch(
  `${BASE}/audit-logs?userId=${user.id}&limit=5`,
  { headers }
).then(r => r.json());
// → [{ eventType: 'ADMIN_USER_CREATED', ... }, ...]

Developer Experience

Provision, authorize, audit

One consistent REST API across every resource. Scoped API keys per workspace, RFC-compliant errors, and a full audit trail baked in from day one.

Scoped API keys — Bearer kauth_{slug}_{key}
Workspace-routed endpoints — /t/{slug}/api/v1
RBAC with composite role inheritance and groups
User invitations via API — sendInvite: true
Paginated responses with total / offset / limit
Immutable audit trail — 55+ event types
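
The sequence the MCP session above reasons about (repeated LOGIN_FAILED events from one IP, then LOGIN_SUCCESS from that IP, then USER_UPDATED) can also be checked in code over events returned by the audit-log query in step 3. This is an added example, not Kotauth code: `eventType` and `userId` appear on the page, while the `ip` and `at` fields, the thresholds, and the sample events are assumptions.

```javascript
// Added example, not Kotauth code. eventType and userId appear on the page;
// the ip and at (ISO timestamp) fields are assumed for illustration.
const HOUR_MS = 60 * 60 * 1000;

function findTakeoverPatterns(events, { minFailures = 3, windowMs = HOUR_MS } = {}) {
  const sorted = [...events].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  const failures = new Map(); // "userId|ip" -> timestamps of recent LOGIN_FAILED
  const suspects = new Map(); // userId -> login that followed a failure burst
  const findings = [];
  for (const ev of sorted) {
    const t = Date.parse(ev.at);
    const key = `${ev.userId}|${ev.ip}`;
    const recent = (failures.get(key) || []).filter((ts) => t - ts <= windowMs);
    if (ev.eventType === 'LOGIN_FAILED') {
      failures.set(key, [...recent, t]);
    } else if (ev.eventType === 'LOGIN_SUCCESS') {
      failures.delete(key); // a success resets the failure streak for this IP
      if (recent.length >= minFailures) {
        suspects.set(ev.userId, { ip: ev.ip, at: t, failedAttempts: recent.length });
      }
    } else if (ev.eventType === 'USER_UPDATED') {
      // Profile change shortly after a suspect login: correlate by user only,
      // since the update event may not carry the client IP.
      const s = suspects.get(ev.userId);
      if (s && t - s.at <= windowMs) {
        findings.push({ userId: ev.userId, ip: s.ip, failedAttempts: s.failedAttempts, updatedAt: ev.at });
        suspects.delete(ev.userId); // one finding per suspect login
      }
    }
  }
  return findings;
}

// Constructed sample events (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
const sampleEvents = [
  { eventType: 'LOGIN_FAILED', userId: 87, ip: '203.0.113.7', at: '2025-01-01T10:00:00Z' },
  { eventType: 'LOGIN_FAILED', userId: 87, ip: '203.0.113.7', at: '2025-01-01T10:00:20Z' },
  { eventType: 'LOGIN_FAILED', userId: 87, ip: '203.0.113.7', at: '2025-01-01T10:00:40Z' },
  { eventType: 'LOGIN_SUCCESS', userId: 87, ip: '203.0.113.7', at: '2025-01-01T10:01:00Z' },
  { eventType: 'USER_UPDATED', userId: 87, at: '2025-01-01T10:03:00Z' },
  // Benign: one mistyped password, then a normal login and profile edit.
  { eventType: 'LOGIN_FAILED', userId: 42, ip: '198.51.100.9', at: '2025-01-01T10:05:00Z' },
  { eventType: 'LOGIN_SUCCESS', userId: 42, ip: '198.51.100.9', at: '2025-01-01T10:05:30Z' },
  { eventType: 'USER_UPDATED', userId: 42, at: '2025-01-01T10:06:00Z' },
];

console.log(findTakeoverPatterns(sampleEvents));
```

A finding is a triage signal only: a user who mistypes a password three times and then edits their profile produces the same sequence, so confirm against known client IPs before disabling the account.
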
Live Demo

See it running — no install required

A public instance with seeded data. Explore the admin console, user management, OAuth configuration, and audit logs. Data resets periodically.

Two workspaces

Acme Corp and StartupLabs — each with isolated users, roles, and applications.

Pre-seeded users

Admins, developers, and viewers already configured with roles and group memberships.

Full RBAC in action

Roles, groups, composite inheritance, and audit trails — all populated and visible.

OAuth apps & API keys

Registered applications with client credentials and scoped API keys ready to inspect.

Comparison

Compare the alternatives

See why teams choose Kotauth for their identity infrastructure

Feature
Kotauth
Keycloak
Auth0 / Clerk
Self-hosted
Docker-native
Modern UI
Developer experience
OpenAPI / Swagger docs
Built-in CLI tools
AI assistant integration (MCP)
Air-gapped deployment
Encrypted secrets at rest
Account lockout
User invitations
Admin key rotation
Enterprise SSO (LDAP/SAML)
$$$
OAuth/OIDC provider
Multi-tenant orgs
Bring your own database
Free for self-hosting
Architecture

Centralized identity for your entire stack

One identity platform, unlimited applications

Users
Kotauth Identity Server
Applications
Admin Dashboard

Unified Identity

One user base across all your applications

Simple Integration

Add authentication to any app in minutes

Complete Visibility

Monitor and manage everything from one dashboard

Ready to simplify your authentication?

Deploy Kotauth in under a minute. No credit card required.