A self-hosted authentication core for developers who demand control
AIS Forge is a security-first, API-driven authentication server designed for backend services, internal platforms, and custom applications. No vendor lock-in. No unnecessary protocols. Just complete control over your authentication infrastructure.
Early development — not production ready
The project is under active design and implementation. APIs, data models, and cryptographic choices may evolve. Star and watch this repository to follow progress.
Modern authentication solutions force you to choose between:
- Third-party platforms (Auth0, Firebase, Cognito) → vendor lock-in, external dependencies, limited control
- Interactive IdPs (OAuth 2.0 / OIDC) → unnecessary redirects, consent screens, and complexity for backend systems
AIS Forge fills the gap by providing a headless, self-hosted authentication server built for infrastructure, not consumers.
- 🏠 Fully self-hosted — your data, your infrastructure, your rules
- 🔌 API-first — no UI, no redirects, no browser flows
- 🔒 Security-first — modern cryptography, short-lived tokens, automatic key rotation
- 🎯 Purpose-built — optimized for backend services and internal tools
- 📦 Zero bloat — no unnecessary protocols or abstractions
- JWT-based access tokens with asymmetric signing
- Opaque refresh tokens with strict rotation
- Automatic key rotation with JWKS distribution
- Token revocation and audit trails
- 🔐 Secrets never stored in plaintext
- 🔑 Asymmetric cryptography with `kid`-based key identification
- ⏱️ Short-lived tokens with configurable TTLs
- 🔄 Refresh token rotation on every use
- 📝 Full audit logging
- 🐘 PostgreSQL with Drizzle ORM
- 🚀 Type-safe schema and queries
- 📊 Explicit data models
- 🔍 Transparent storage
AIS Forge adopts proven cryptographic patterns without the overhead of interactive protocols:
```
┌─────────────────┐
│  Your Backend   │
│   Application   │
└────────┬────────┘
         │ HTTP API
         ▼
┌─────────────────┐
│    AIS Forge    │
│   Auth Server   │
├─────────────────┤
│ • Identity Mgmt │
│ • Token Issuance│
│ • Key Rotation  │
│ • JWKS Endpoint │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│   PostgreSQL    │
│    + Drizzle    │
└─────────────────┘
```
```bash
# Clone the repository
git clone https://github.com/SkyZonDev/ais-forge.git
cd ais-forge

# Install dependencies
npm install

# Configure environment
cp .env.example .env
# Edit .env with your database credentials

# Run migrations
npm run db:migrate

# Start the server
npm run dev
```

```javascript
// Create a new identity
const identity = await fetch('http://localhost:3000/api/identities', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    username: 'developer',
    password: 'secure-password'
  })
});

// Authenticate (a JSON body needs the JSON Content-Type, as in the call above)
const auth = await fetch('http://localhost:3000/api/auth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    username: 'developer',
    password: 'secure-password'
  })
});
const { access_token, refresh_token } = await auth.json();

// Use the access token
const resource = await fetch('http://localhost:3000/api/protected', {
  headers: {
    'Authorization': `Bearer ${access_token}`
  }
});

// Refresh when needed
const refreshed = await fetch('http://localhost:3000/api/auth/refresh', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ refresh_token })
});
```

AIS Forge is ideal for:
- ✅ Custom authentication backends
- ✅ Internal company platforms
- ✅ Multi-project developer ecosystems
- ✅ Self-hosted SaaS backends
- ✅ Microservices requiring centralized auth
- ✅ Infrastructure-first environments
AIS Forge is not for:
- ❌ Consumer-facing identity providers
- ❌ Social login or SSO platforms
- ❌ Replacing Google/GitHub login
- ❌ Browser-based redirect flows
- Core authentication API
- JWKS endpoint
- Token management and rotation (in progress)
- Multi-factor authentication support
- API key authentication
- Session management
- Comprehensive audit logging
- Admin API
- Docker deployment
- Kubernetes Helm charts
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
Security is our top priority. If you discover a security vulnerability, please see SECURITY.md for responsible disclosure guidelines.
This project is licensed under the MIT License - see LICENSE.md for details.
AIS Forge draws inspiration from modern authentication best practices while focusing on simplicity and control. While we don't implement OIDC or OAuth 2.0, we adopt proven cryptographic patterns where appropriate.
- 🐛 Issues: GitHub Issues
- 💬 Discussions: GitHub Discussions
- 📧 Email: [email protected]
Built with ❤️ for developers who value control