Authorizer

Authorizer is an open-source authentication and authorization solution for your applications. Bring your database and have complete control over the user information. You can self-host authorizer instances and connect to any database (Currently supports 11+ databases including Postgres, MySQL, SQLite, SQLServer, YugaByte, MariaDB, PlanetScale, CassandraDB, ScyllaDB, MongoDB, ArangoDB).

For more information check:

• OAuth 2.0 / OIDC Endpoint Reference – standards-compliant endpoint docs with examples
• Migration Guide (v1 → v2) – configuration changes, CLI flags, deprecated APIs
• Docs (v1 – legacy)
• Discord Community
• Contributing Guide

v2 note: Authorizer v2 uses CLI arguments for all configuration. The server does not read from .env or OS env. Pass config when starting the binary (e.g. ./authorizer --client-id=... --client-secret=...). See MIGRATION.md.

Introduction

We offer the following functionality

• ✅ Sign-in / Sign-up with email ID and password
• ✅ Secure session management
• ✅ Email verification
• ✅ OAuth2 and OpenID compatible APIs
• ✅ APIs to update profile securely
• ✅ Forgot password flow using email
• ✅ Social logins (Google, Github, Facebook, LinkedIn, Apple more coming soon)
• ✅ Role-based access management
• ✅ Password-less login with magic link login
• ✅ Multi factor authentication
• ✅ Email templating
• ✅ Webhooks

Roadmap

• VueJS SDK
• Svelte SDK
• Golang SDK
• React Native SDK
• Flutter SDK
• Android Native SDK
• iOS native SDK
• Python SDK
• PHP SDK
• WordPress plugin
• Kubernetes Helm Chart
• Local Stack
• AMI
• Digital Ocean Droplet
• Azure
• Render
• Edge Deployment using Fly.io
• Password-less login with mobile number and OTP SMS

Getting Started

Step 1: Get Authorizer Instance

Deploy Production Ready Instance

Deploy production ready Authorizer instance using one click deployment options available below

| Infra provider | One-click link | Additional information | | :----------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :----------------------------------------------------: | | Railway.app | | docs | | Heroku | <a href="https://heroku.com/deploy?template=https://github.com/authorizerdev/authorizer-heroku"><img src="https://www.herokucdn.com/deploy/button.svg" alt="Deploy to Heroku" style="height: 44px;"></a> | docs | | Render | | docs | | Koyeb | <a target="_blank" href="https://app.koyeb.com/deploy?name=authorizer&type=docker&image=docker.io/lakhansamani/authorizer&env[PORT]=8000&env[DATABASE_TYPE]=postgres&env[DATABASE_URL]=CHANGE_ME&ports=8000;http;/"><img alt="Deploy to Koyeb" src="https://www.koyeb.com/static/images/deploy/button.svg" /></a> | docs | | RepoCloud | <a href="https://repocloud.io/details/?app_id=174"><img src="https://d16t0pc4846x52.cloudfront.net/deploy.png" alt="Deploy on RepoCloud"></a> | docs | | Alibaba Cloud| <a target="_blank" href="https://computenest.console.aliyun.com/service/instance/create/default?type=user&ServiceName=Authorizer%E7%A4%BE%E5%8C%BA%E7%89%88"><img src="https://service-info-public.oss-cn-hangzhou.aliyuncs.com/computenest-en.svg" alt="Alibaba Cloud" /></a> | docs |

Deploy Authorizer Using Source Code

This guide helps you practice using Authorizer to evaluate it before you use it in a production environment. It includes instructions for installing the Authorizer server in local or standalone mode.

Prerequisites

• OS: Linux or macOS or Windows
• Go >= 1.24 (see go.mod)
• Node.js >= 18 and npm (only if building the web app and dashboard)

Project Setup

1. Fork the authorizer repository (Skip this step if you have access to repo)
2. Clone repo: git clone https://github.com/authorizerdev/authorizer.git or use the forked url from step 1
3. Change directory: cd authorizer
4. Build the server binary: make build (or go build -o build/authorizer .)
5. (Optional) Build the web app and dashboard: make build-app and make build-dashboard
6. Run the server with CLI arguments:

 make dev

Or run manually with all required flags:

./build/authorizer \
  --database-type=sqlite \
  --database-url=test.db \
  --jwt-type=HS256 \
  --jwt-secret=test \
  --admin-secret=admin \
  --client-id=123456 \
  --client-secret=secret

v2: The server does not read from .env. All configuration must be passed as CLI arguments. See MIGRATION.md for the full mapping of env vars to flags.

Run with Docker

The default image runs as non-root (UID 65532). Writable mounts (SQLite under /authorizer/data, etc.) are usually root-owned, so pick one of:

1. Run as root for that container (simplest for local SQLite + volumes):

   docker run -p 8080:8080 -u root \
     -v authorizer_data:/authorizer/data \
     lakhansamani/authorizer \
     --database-type=sqlite \
     --database-url=/authorizer/data/data.db \
     --client-id=123456 \
     --client-secret=secret \
     --admin-secret=admin \
     --jwt-type=HS256 \
     --jwt-secret=test
   

2. Keep non-root and make the mount writable by 65532 (good for production-style bind mounts):

   mkdir -p ./data && sudo chown -R 65532:65532 ./data
   docker run -p 8080:8080 \
     -v "$(pwd)/data:/authorizer/data" \
     lakhansamani/authorizer \
     --database-type=sqlite \
     --database-url=/authorizer/data/data.db \
     ...
   

3. Build from source with the root target (no -u at run time):

   docker build --target final-root -t authorizer:root .
   docker run -p 8080:8080 -v authorizer_data:/authorizer/data authorizer:root \
     --database-type=sqlite --database-url=/authorizer/data/data.db ...
   

• Port 8080 serves the app and GraphQL; use -p 8080:8080 to expose it.
• Volume authorizer_data persists the SQLite DB; use a named volume or a host path (e.g. -v $(pwd)/data:/authorizer/data).
• All config is passed as CLI arguments (the image uses ENTRYPOINT ["./authorizer"] so args after the image name go to the binary). See MIGRATION.md for the full list of flags.

Database on your laptop (Postgres, MySQL, etc.)

Inside a container, localhost / 127.0.0.1 is the container itself, not your machine. Use a host alias instead:

• Docker Desktop (macOS / Windows): use host.docker.internal in --database-url or --database-host (built in).

  docker run -p 8080:8080 lakhansamani/authorizer \
    --database-type=postgres \
    --database-url="postgres://user:pass@host.docker.internal:5432/dbname?sslmode=disable" \
    ...
  

• Linux (Docker Engine): add the same hostname so it resolves to the host:

  docker run -p 8080:8080 --add-host=host.docker.internal:host-gateway \
    lakhansamani/authorizer \
    --database-type=postgres \
    --database-url="postgres://user:pass@host.docker.internal:5432/dbname?sslmode=disable" \
    ...
  

• Alternative on Linux: use the docker bridge gateway IP (often 172.17.0.1) if your DB listens on 0.0.0.0, or run with --network host so the container shares the host network (then localhost works; port mapping -p is not used the same way).

Ensure the database accepts non-localhost connections (e.g. listen_addresses in Postgres, bind address in MySQL) and that your OS firewall allows the Docker subnet.

Extending the image with env-based config (e.g. Railway): If you FROM lakhansamani/authorizer and use a shell-form CMD so that env vars are expanded at runtime, you must override ENTRYPOINT in your Dockerfile or the binary will receive /bin/sh and -c as arguments and fail. Use:

FROM lakhansamani/authorizer:2.0.0-rc.1
# v2 uses CLI arguments only. Railway (etc.) inject env vars; shell form CMD expands them at runtime.
# Override ENTRYPOINT so CMD is run by a shell; otherwise the base ENTRYPOINT would receive /bin/sh -c "..." as args.
ENTRYPOINT ["/bin/sh", "-c"]
CMD ./authorizer \
  --database-type="$${DATABASE_TYPE