Getting Started
Getting Started
Install SqlOS and run the Todo sample in five minutes.
DbContext can useYou'll learn how to install SqlOS, wire a minimal host, run the Todo sample, and pick the next doc for your use case.
Add SqlOS to your ASP.NET app.
Derive from SqlOSDbContext<TContext> and call AddSqlOS during host setup.
Make protected entities implement ISqlOSResourceEntity so SqlOS can sync FGA resource rows during EF saves.
Call MapSqlOS(), start the app, and open the admin dashboard.
dotnet add package SqlOSA complete minimal Program.cs for an owned web app with hosted auth:
using Microsoft.EntityFrameworkCore;
using SqlOS;
using SqlOS.Extensions;
var builder = WebApplication.CreateBuilder(args);
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
?? throw new InvalidOperationException("Connection string 'DefaultConnection' was not configured.");
builder.AddSqlOS<AppDbContext>(
db => db.UseSqlServer(connectionString),
options =>
{
options.AuthServer.Issuer = "https://localhost:5001/sqlos/auth";
options.AuthServer.PublicOrigin = "https://localhost:5001";
options.AuthServer.SeedOwnedWebApp(
"web",
"My Application",
"https://localhost:5001/auth/callback");
});
var app = builder.Build();
app.MapSqlOS();
app.Run();Derive from SqlOSDbContext<TContext> to include the SqlOS auth server model, FGA model, and FGA TVF mapping. Add application entities in OnApplicationModelCreating:
public sealed class AppDbContext(DbContextOptions<AppDbContext> options)
: SqlOSDbContext<AppDbContext>(options)
{
public DbSet<Project> Projects => Set<Project>();
protected override void OnApplicationModelCreating(ModelBuilder modelBuilder)
{
modelBuilder.Entity<Project>();
}
}If you need full EF model control, the lower-level path is still available: implement ISqlOSAuthServerDbContext and ISqlOSFgaDbContext, expose IsResourceAccessible, and call modelBuilder.UseSqlOS(...) yourself.
For app data that should participate in FGA, implement ISqlOSResourceEntity on the domain entity. SqlOSDbContext<TContext> creates, updates, and deletes the matching SqlOSFgaResource row when you call SaveChanges / SaveChangesAsync; role grants remain explicit.
appsettings.json needs a SQL Server connection string and optional dashboard password:
{
"ConnectionStrings": {
"DefaultConnection": "Server=localhost;Database=SqlOSApp;Trusted_Connection=True;TrustServerCertificate=True"
},
"SqlOS": {
"Dashboard": {
"AuthMode": "Password",
"Password": "change-me-in-production"
}
}
}var app = builder.Build();
app.MapSqlOS();This gives you:
| Path | What it does |
|---|---|
/sqlos | Admin dashboard |
/sqlos/auth/* | OAuth 2.0 endpoints, hosted AuthPage, Email OTP, invitations |
/sqlos/admin/auth | Auth management UI |
/sqlos/admin/fga | FGA management UI |
Register your frontend as an OAuth client so users can sign in immediately. Put this inside the options => { ... } callback passed to builder.AddSqlOS:
options.AuthServer.SeedOwnedWebApp(
"my-app",
"My Application",
"http://localhost:3000/auth/callback");For API routes that accept SqlOS access tokens, protect a route group with RequireSqlOSAccessToken(...). It validates the token and populates HttpContext.User; your app still resolves the current subject explicitly at the route boundary.
var api = app.MapGroup("/api")
.RequireSqlOSAccessToken(options =>
{
options.ExpectedAudience = "https://localhost:5001/api";
options.ResourceMetadataUrl = "https://localhost:5001/.well-known/oauth-protected-resource";
});
api.MapGet("/me", (HttpContext http) =>
{
var subjectId = http.User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
if (string.IsNullOrWhiteSpace(subjectId))
return Results.Unauthorized();
return Results.Ok(new
{
subjectId,
clientId = http.User.FindFirst("client_id")?.Value,
audience = http.User.FindFirst(JwtRegisteredClaimNames.Aud)?.Value
});
});/sqlos/admin/auth/ (or /sqlos for the main dashboard).appsettings.json when AuthMode is Password.
Fastest path — hosted auth, simple FGA, and client onboarding:
dotnet run --project examples/SqlOS.Todo.AppHost/SqlOS.Todo.AppHost.csprojThe AppHost starts SQL Server and the Todo API. Open the URL shown in the console, then /sqlos/admin/auth/.
The Todo sample covers:
SqlOS runs its own SQL scripts on host startup. Your EF migrations do not own those tables.
If you migrate before the app has started SqlOS once, call SqlOSBootstrapper.InitializeAsync() first. The example API shows that pattern when your tables reference SqlOS.
Branded login, dashboard, and OAuth flows out of the box.
Build your own UI on the same OAuth and session APIs.
Model resources, grants, and EF Core query filters.
Endpoint and method reference when you need a specific contract.