Documentation

Introduction

← All docs

Introduction

Embedded auth and authorization for .NET apps. One package. Your database.

SqlOS is an embedded auth and authorization runtime for .NET. It adds identity, sessions, organizations, SSO, OIDC, and fine-grained authorization to your ASP.NET app with one NuGet package. Your data stays in your SQL Server database.

Why SqlOS

Most auth products force you to send user data to an external service and pay per-seat. SqlOS takes a different approach:

  • Your database -- users, sessions, grants, and tokens live in your SQL Server instance
  • Your app -- SqlOS runs inside your ASP.NET process, not as a separate service
  • One package -- dotnet add package SqlOS and you're done
  • Standards-based -- OAuth 2.0, PKCE, JWKS, SAML, OpenID Connect

Two modules

SqlOS ships two modules that work independently or together:

AuthServer handles identity: organizations, users, password login, OIDC social login, SAML enterprise SSO, sessions, refresh tokens, and a hosted or headless auth UI.

builder.AddSqlOS<AppDbContext>(options =>
{
    options.UseAuthServer();
});

FGA handles authorization: hierarchical resources, roles, permissions, grants, and EF Core query-time filtering that pushes access control into your SQL queries.

var chains = await dbContext.Chains
    .Where(await authService.GetAuthorizationFilterAsync<Chain>(subjectId, "CHAIN_VIEW"))
    .ToListAsync();

What it looks like

SqlOS ships with an embedded admin dashboard for managing organizations, users, sessions, resources, grants, and roles.

Dashboard home

The same data that appears in the dashboard is available through the SDK and admin API.

Example app

The repo includes a complete retail management app (Next.js, Angular, and React Native) that demonstrates multi-tenant auth with fine-grained access control.

As Company Admin, the user sees all 5 chains and 3 stores:

Company Admin view

As Store Clerk, the same app filters down to just the one store they have access to:

Store Clerk view

No application code changes. The FGA filter handles it at query time.

Next steps