AuthServer Overview

Identity, sessions, organizations, and SSO in one embedded module.

Identity inside your app

Users, sessions, SSO, OAuth/OIDC, and hosted or headless auth from one embedded module

AuthServer is the identity half of SqlOS. It keeps your users, clients, sessions, and login flows in your app and in your database instead of splitting them into another hosted dependency.

AuthServer is SqlOS's identity piece. Users, orgs, sessions, tokens, OIDC, and SAML run inside your app. Data lives in your database.

What you get

Organizations

Multi-tenant orgs, memberships, and roles.

Users

Email/password, SSO-provisioned, or OIDC-linked identities.

Sessions

JWT access tokens, refresh token rotation, and replay detection.

OIDC

Google, Microsoft, Apple, and custom providers.

SAML SSO

Enterprise SSO with provisioning and hosted flows.

Hosted or headless

Use the built-in pages or render your own UI on top of the same runtime.

Setup

CSHARP
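// Register SqlOS, with AppDbContext as the database context that holds its data.
builder.AddSqlOS<AppDbContext>();

var app = builder.Build();
// Map the SqlOS endpoints into the app's request pipeline.
app.MapSqlOS();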

Auth flow

Typical browser login:

  1. App sends the user to /sqlos/auth/authorize with PKCE.
  2. User enters email. Home realm discovery picks password vs SSO.
  3. User signs in (password, OIDC, or SAML).
  4. Multiple orgs? User picks one.
  5. SqlOS returns an auth code.
  6. App trades the code for access and refresh tokens.
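
An added example (not from the SqlOS docs or code base) of steps 1 and 5 from the app's side: it generates the PKCE verifier and S256 challenge per RFC 7636, builds the /sqlos/auth/authorize redirect, and checks `state` when the browser returns. The query parameter names are the standard OAuth 2.0 ones and are assumed to be what SqlOS accepts; the origin, client ID, and redirect URI are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PkceAuthorizeExample
{
    // Base64url without padding, the encoding RFC 7636 requires.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // 32 random bytes give a 43-character verifier; it stays with the app
    // until the code exchange in step 6.
    public static string NewVerifier() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // S256 challenge: BASE64URL(SHA256(ASCII(verifier))).
    public static string Challenge(string verifier) =>
        Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // Step 1: the URL the app redirects the browser to.
    public static string AuthorizeUrl(string origin, string clientId,
        string redirectUri, string challenge, string state) =>
        $"{origin}/sqlos/auth/authorize?response_type=code" +
        $"&client_id={Uri.EscapeDataString(clientId)}" +
        $"&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
        $"&code_challenge={challenge}&code_challenge_method=S256" +
        $"&state={Uri.EscapeDataString(state)}";

    // Step 5 callback: reject the auth code unless state matches what was issued.
    public static bool StateMatches(string issued, string returned) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(issued), Encoding.UTF8.GetBytes(returned ?? ""));

    public static void Main()
    {
        // Known-answer check against the RFC 7636 Appendix B vector.
        const string rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        if (Challenge(rfcVerifier) != "E9Melhoa2OcFvwlMeKCxvBBI6kZuU8KZ8bGK3z1g7wM")
            throw new InvalidOperationException("S256 challenge mismatch");

        string verifier = NewVerifier();   // assumption: kept in the user's server-side session
        string state = NewVerifier();      // same generator, used as a CSRF token
        // Constructed sample values: origin, client ID and redirect URI are placeholders.
        Console.WriteLine(AuthorizeUrl("https://app.example.test", "example-client",
            "https://app.example.test/callback", Challenge(verifier), state));
        Console.WriteLine(StateMatches(state, state));
    }
}
```
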

Start with owned clients first

For most teams, the first production flow should use a seeded or dashboard-created owned client. Add CIMD, DCR, and resource indicators only when you actually need portable or compatibility clients.

Hosted sign-in page

Dashboard

Open /sqlos/admin/auth/. Manage orgs, users, memberships, clients, OIDC, SSO, security, and sessions there.

Dashboard users

SDK services

| Service | Purpose |
| --- | --- |
| SqlOSAuthService | Login, refresh, logout, token validation |
| SqlOSAdminService | Create orgs, users, memberships, clients, SSO |
| SqlOSCryptoService | Token generation, PKCE, password hashing, JWKS |
| SqlOSHomeRealmDiscoveryService | Route users to password or SSO by email domain |
| SqlOSSsoAuthorizationService | SAML SSO authorization and code exchange |
| SqlOSOidcAuthService | Google, Microsoft, Apple, and custom OIDC |
| SqlOSSettingsService | Session lifetimes and security configuration |

Hosted and headless

Hosted auth

SqlOS renders the login, signup, and recovery pages for you. This is the fastest path for internal tools and most first-party apps.

Headless auth

SqlOS still runs OAuth/OIDC, sessions, and token issuance. Your application takes ownership of the login UI and interaction flow.

Client onboarding modes

Use seeded or dashboard-created owned clients for the normal path. Reach for CIMD and optional DCR only when you need portable or compatibility-oriented clients.

Headless Auth · Hosted vs Headless

Client guides