DEV.co
Open-Source Databases · authorizerdev

authorizer

Authorizer is an open-source authentication and authorization server built in Go that you self-host and connect to your own database. It provides OAuth2/OIDC, social logins, MFA, magic links, role-based access control, and fine-grained authorization without vendor lock-in.

Source: GitHub — github.com/authorizerdev/authorizer
2k
GitHub stars
210
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryauthorizerdev/authorizer
Ownerauthorizerdev
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars2k
Forks210
Open issues110
Latest release2.3.0 (2026-06-16)
Last updated2026-07-08
Sourcehttps://github.com/authorizerdev/authorizer

What authorizer is

Go-based auth server supporting 13+ database backends (SQL and NoSQL), offering GraphQL/REST/gRPC APIs, embedded OpenFGA for ReBAC, TOTP/SMS OTP, email templating, webhooks, and admin APIs for user/role management. v2 uses CLI-arg configuration and requires Go ≥1.24.

Quickstart

Get the authorizer source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/authorizerdev/authorizer.gitcd authorizer# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-tenant SaaS with data sovereignty requirements

Keep user data in your own infrastructure; support 13+ databases including SQL Server, DynamoDB, MongoDB. RBAC + ReBAC via OpenFGA handles complex permission models.

Enterprise integrations requiring OAuth2/OIDC compliance

Full OAuth2 and OpenID Connect endpoints, social login providers (Google, GitHub, Facebook, LinkedIn, Apple, Discord, Twitter, Twitch, Microsoft), and admin APIs for user lifecycle management.

Microservice ecosystems needing distributed auth

Docker deployment, Kubernetes Helm chart (v2.2.0), gRPC/GraphQL/REST transports, Prometheus metrics, rate limiting, and security hardening (CSRF, CORS, HSTS, CSP).

Implementation considerations

  • v2 uses CLI arguments (not env vars) for all configuration; migration from v1 required—see MIGRATION.md.
  • Requires choice and setup of supported database backend (13+ options); no in-process default suitable for production.
  • Admin secret must be provided at startup; review secret management strategy (HashiCorp Vault, K8s secrets, etc.).
  • Email/SMS flows require external provider setup (e.g., Twilio for SMS OTP); email templating is built-in but sender must be configured.
  • Fine-grained authorization (ReBAC) uses embedded OpenFGA; complexity depends on model complexity and tuple management overhead.

When to avoid it — and what to weigh

  • Require zero operational burden — Self-hosted means you manage deployment, scaling, database, backups, and security patches. No managed SaaS option reduces operational friction.
  • Need SAML or legacy federation standards — Authorizer focuses on OAuth2/OIDC. SAML support not mentioned in primary features.
  • Building with Python or Node.js as primary backend — Core service is Go; SDKs exist (Python, JS/TS, React, Vue, Svelte) but tight coupling to Go auth server may complicate some workflows.
  • Need battle-tested multi-year production history — Project created 2021-06, v2 released recently (v2.3.0 2026-06-16). Relatively young; 110 open issues suggest ongoing stabilization.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI license allowing commercial use, modification, and distribution with standard liability disclaimers and attribution.

Apache-2.0 is permissive and suitable for commercial deployments. You may use, modify, and redistribute Authorizer in closed-source or proprietary products. No patent grants or trademark guarantees are implied; review full license terms for your use case.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Project demonstrates security awareness: CI includes govulncheck, OpenSSF Scorecard badge, CII Best Practices enrollment, CSRF/CORS/HSTS/CSP hardening, secure session management, email verification, and MFA (TOTP + SMS OTP). Self-hosting means you are responsible for TLS, network isolation, database hardening, secret rotation, and applying security patches. Review current advisories and audit logs (available via admin API). No independent security audit mentioned in README.

Alternatives to consider

Keycloak

Java-based, mature, widely adopted enterprise identity platform. More operational overhead but stronger commercial ecosystem and longer track record.

Auth0

Managed SaaS. Eliminates self-hosting burden but introduces vendor lock-in and per-user/request pricing. No data sovereignty.

Supabase Auth / Firebase Authentication

Managed cloud services with lower operational friction. Less control over data and infrastructure; tight coupling to their ecosystem.

Software development agency

Build on authorizer with DEV.co software developers

Start with `make dev` for SQLite + demo (5 min), or deploy one-click to Railway (2 min). Review MIGRATION.md if upgrading from v1. Contact our team if you need help sizing for production.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

authorizer FAQ

Can I use Authorizer with my existing user database?
Yes. Authorizer supports 13+ database backends (Postgres, MySQL, SQLite, MongoDB, DynamoDB, etc.). Connect it to your existing database or start fresh. User schema is managed by Authorizer; migration tools or scripts may be needed for legacy systems.
What is the difference between v1 and v2?
v2 uses CLI arguments for configuration (not env vars or .env files). See MIGRATION.md. Core features remain; configuration approach is the breaking change.
Do I need to manage the Authorizer database separately?
Yes. You choose and operate the database backend (13+ options). Authorizer is stateless; it connects to your DB. You manage replication, backups, and recovery.
Is there a managed version or SaaS offering?
Not mentioned. Authorizer is self-hosted only. Commercial support or managed services are unknown; check GitHub issues or Discord.

Software developers & web developers for hire

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If authorizer is part of your open-source databases roadmap, our team can implement, customize, migrate, and maintain it.

Ready to evaluate Authorizer?

Start with `make dev` for SQLite + demo (5 min), or deploy one-click to Railway (2 min). Review MIGRATION.md if upgrading from v1. Contact our team if you need help sizing for production.