authorizer
Authorizer is an open-source authentication and authorization server built in Go that you self-host and connect to your own database. It provides OAuth2/OIDC, social logins, MFA, magic links, role-based access control, and fine-grained authorization without vendor lock-in.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | authorizerdev/authorizer |
| Owner | authorizerdev |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 2k |
| Forks | 210 |
| Open issues | 110 |
| Latest release | 2.3.0 (2026-06-16) |
| Last updated | 2026-07-08 |
| Source | https://github.com/authorizerdev/authorizer |
What authorizer is
Go-based auth server supporting 13+ database backends (SQL and NoSQL), offering GraphQL/REST/gRPC APIs, embedded OpenFGA for ReBAC, TOTP/SMS OTP, email templating, webhooks, and admin APIs for user/role management. v2 uses CLI-arg configuration and requires Go ≥1.24.
Get the authorizer source
Clone the repository and explore it locally.
git clone https://github.com/authorizerdev/authorizer.gitcd authorizer# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- v2 uses CLI arguments (not env vars) for all configuration; migration from v1 required—see MIGRATION.md.
- Requires choice and setup of supported database backend (13+ options); no in-process default suitable for production.
- Admin secret must be provided at startup; review secret management strategy (HashiCorp Vault, K8s secrets, etc.).
- Email/SMS flows require external provider setup (e.g., Twilio for SMS OTP); email templating is built-in but sender must be configured.
- Fine-grained authorization (ReBAC) uses embedded OpenFGA; complexity depends on model complexity and tuple management overhead.
When to avoid it — and what to weigh
- Require zero operational burden — Self-hosted means you manage deployment, scaling, database, backups, and security patches. No managed SaaS option reduces operational friction.
- Need SAML or legacy federation standards — Authorizer focuses on OAuth2/OIDC. SAML support not mentioned in primary features.
- Building with Python or Node.js as primary backend — Core service is Go; SDKs exist (Python, JS/TS, React, Vue, Svelte) but tight coupling to Go auth server may complicate some workflows.
- Need battle-tested multi-year production history — Project created 2021-06, v2 released recently (v2.3.0 2026-06-16). Relatively young; 110 open issues suggest ongoing stabilization.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI license allowing commercial use, modification, and distribution with standard liability disclaimers and attribution.
Apache-2.0 is permissive and suitable for commercial deployments. You may use, modify, and redistribute Authorizer in closed-source or proprietary products. No patent grants or trademark guarantees are implied; review full license terms for your use case.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Project demonstrates security awareness: CI includes govulncheck, OpenSSF Scorecard badge, CII Best Practices enrollment, CSRF/CORS/HSTS/CSP hardening, secure session management, email verification, and MFA (TOTP + SMS OTP). Self-hosting means you are responsible for TLS, network isolation, database hardening, secret rotation, and applying security patches. Review current advisories and audit logs (available via admin API). No independent security audit mentioned in README.
Alternatives to consider
Keycloak
Java-based, mature, widely adopted enterprise identity platform. More operational overhead but stronger commercial ecosystem and longer track record.
Auth0
Managed SaaS. Eliminates self-hosting burden but introduces vendor lock-in and per-user/request pricing. No data sovereignty.
Supabase Auth / Firebase Authentication
Managed cloud services with lower operational friction. Less control over data and infrastructure; tight coupling to their ecosystem.
Build on authorizer with DEV.co software developers
Start with `make dev` for SQLite + demo (5 min), or deploy one-click to Railway (2 min). Review MIGRATION.md if upgrading from v1. Contact our team if you need help sizing for production.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
authorizer FAQ
Can I use Authorizer with my existing user database?
What is the difference between v1 and v2?
Do I need to manage the Authorizer database separately?
Is there a managed version or SaaS offering?
Software developers & web developers for hire
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If authorizer is part of your open-source databases roadmap, our team can implement, customize, migrate, and maintain it.
Ready to evaluate Authorizer?
Start with `make dev` for SQLite + demo (5 min), or deploy one-click to Railway (2 min). Review MIGRATION.md if upgrading from v1. Contact our team if you need help sizing for production.