Open-source Identity & Access Management for modern applications.
A single Go binary. Deploy in seconds. Own your auth forever.
| Feature | Description |
|---|---|
| OAuth 2.0 + PKCE | Authorization Code, Client Credentials, Device Flow. PKCE enforced by default. |
| OpenID Connect | Full OIDC provider with discovery, JWKS, ID tokens, and UserInfo endpoint. |
| Multi-Tenant | Native org_id scoping. Isolate users, roles, and clients per organization. |
| RBAC | Role-based access control with groups, scopes, and fine-grained permissions. |
| MFA | TOTP, WebAuthn/passkeys, hardware keys, and backup codes. |
| Social Login | Google, GitHub, Apple. One-click sign-in with automatic account linking. |
| SAML 2.0 | Service Provider bridge for enterprise single sign-on. |
| Webhooks | HMAC-signed event delivery for user lifecycle, login, and audit events. |
| Admin Console | Built-in dashboard with real-time SSE. Manage users, apps, roles, and logs. |
| Observability | Prometheus metrics, structured audit logging, and compliance dashboards. |
| AI-Ready | Ship auth in 30 seconds. AI integration skill for Claude, Copilot, and Cursor. |
| Security Hardened | Refresh token rotation, CSRF protection, rate limiting, HSTS, encryption at rest. |
15 adapters covering every major stack. Drop-in middleware and client libraries.
```bash
git clone https://github.com/manimovassagh/rampart.git
cd rampart
docker compose up -d --build
```

Admin console: http://localhost:8080/admin/

```bash
go build ./cmd/rampart
./rampart
```

```bash
# OIDC discovery
curl http://localhost:8080/.well-known/openid-configuration

# Register a user
curl -X POST http://localhost:8080/register \
  -H 'Content-Type: application/json' \
  -d '{"email": "user@example.com", "password": "S3cure!Pass"}'

# Login and receive tokens
curl -X POST http://localhost:8080/login \
  -H 'Content-Type: application/json' \
  -d '{"email": "user@example.com", "password": "S3cure!Pass"}'
```

The cookbook/ directory contains a working integration example for every adapter:
| Sample | Stack | Description |
|---|---|---|
| express-backend | Node + Express | JWT verification via @rampart-auth/node |
| go-backend | Go + net/http | JWT verification via Rampart Go middleware |
| fastapi-backend | Python + FastAPI | JWT verification via rampart-python |
| spring-backend | Java + Spring Boot | Spring Security OAuth2 Resource Server |
| dotnet-backend | C# + ASP.NET Core | JWT Bearer via Rampart.AspNetCore |
| react-app | React | SPA with auth, routing, and RBAC |
| web-frontend | Vanilla TS | OAuth PKCE flow via @rampart-auth/web |
| ruby-backend | Ruby + Sinatra | JWT verification via rampart-ruby |
| php-backend | PHP + Laravel | JWT verification via rampart/laravel |
| rust-backend | Rust + Actix Web | JWT verification via rampart-rust |
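The cookbook samples above cover token verification; the other piece an integration needs is a receiver for the HMAC-signed webhooks listed in the feature overview. This is an added example, not one of the cookbook samples: the header names and the signed-string layout (timestamp + "." + raw body) are assumptions, since the page does not document Rampart's exact format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Assumed scheme (not Rampart's documented format): the sender MACs
// "<unix-timestamp>.<raw body>" with HMAC-SHA256 under the shared secret and
// sends hex(mac) plus the timestamp in headers; binding the timestamp rejects replays.
const maxSkew = 5 * time.Minute

// Sign computes the signature the sender attaches to a delivery.
func Sign(secret, body []byte, ts int64) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook recomputes the MAC over the raw request body (never re-serialised
// JSON) and compares with hmac.Equal, so the comparison is constant-time.
func VerifyWebhook(secret, body []byte, tsHeader, sigHeader string, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("bad timestamp header")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("stale or future-dated delivery")
	}
	got, err := hex.DecodeString(sigHeader)
	want, _ := hex.DecodeString(Sign(secret, body, ts))
	if err != nil || !hmac.Equal(got, want) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	body := []byte(`{"event":"user.login","user_id":"u_123"}`) // constructed sample event
	now := time.Now()
	sig := Sign(secret, body, now.Unix())
	fmt.Println(VerifyWebhook(secret, body, strconv.FormatInt(now.Unix(), 10), sig, now)) // <nil>
}
```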
Rampart is a self-contained identity server built on proven foundations:
- Go -- single statically-linked binary, no runtime dependencies
- PostgreSQL -- sole data store for users, sessions, clients, and keys
- RS256 JWT -- asymmetric signing with automatic key generation and JWKS publishing
- Server-side admin UI -- Go templates, htmx, Tailwind CSS -- no separate SPA to deploy
No Redis. No message brokers. No external caches. One binary, one database.
Rampart is continuously pentested and security-audited to stay ahead of emerging threats. We run automated and manual security assessments on every release, covering the core server, all 15 adapters, cookbook samples, CI/CD pipelines, and deployment configurations.
Security-first design:
- PKCE mandatory on all public OAuth clients
- Refresh token rotation with automatic reuse detection
- Per-endpoint rate limiting (login, register, token)
- HSTS, secure cookies, and CSRF protection
- Encryption at rest for secrets and signing keys (AES-256-GCM)
- Argon2id password hashing with OWASP-recommended parameters
- Constant-time comparison for all security-critical operations
- HMAC-signed webhook payloads with SSRF-safe delivery
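The refresh token rotation with reuse detection listed above, modelled as an added illustration (not Rampart's own code; the page does not describe its storage layout): each login opens a token family, every refresh retires the presented token and issues a successor, and a retired token showing up again revokes the entire family, live successor included.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Tokens are grouped into families created at login. A retired token presented
// again means two parties hold the chain (theft or replay), so the family dies.
// A real store runs Refresh inside one database transaction to serialise races.
type RefreshStore struct {
	family  map[string]string // refresh token -> family id
	used    map[string]bool   // retired (already rotated) tokens
	revoked map[string]bool   // families killed by reuse detection
}

var ErrReuse = fmt.Errorf("refresh token reuse detected; family revoked")

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{map[string]string{}, map[string]bool{}, map[string]bool{}}
}

func newToken() string {
	b := make([]byte, 32) // 256 bits from crypto/rand, never math/rand
	rand.Read(b)          // per the crypto/rand docs a failure here is unrecoverable
	return fmt.Sprintf("%x", b)
}

// Login starts a new family and returns its first refresh token.
func (s *RefreshStore) Login() string {
	t := newToken()
	s.family[t] = newToken()
	return t
}

// Refresh retires the presented token and issues its successor in the same family.
func (s *RefreshStore) Refresh(presented string) (string, error) {
	fam, ok := s.family[presented]
	if !ok || s.revoked[fam] {
		return "", fmt.Errorf("invalid refresh token")
	}
	if s.used[presented] { // reuse: revoke the family, live successor included
		s.revoked[fam] = true
		return "", ErrReuse
	}
	s.used[presented] = true
	next := newToken()
	s.family[next] = fam
	return next, nil
}
```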
Continuous security assurance:
- Automated security scanning via gosec and govulncheck in CI
- Regular penetration testing across authentication, OAuth flows, session management, and access control
- Source code audits covering injection, race conditions, cryptography, and protocol compliance
- Adapter and SDK security reviews for all supported languages
- Supply chain dependency scanning across Go, Node.js, Python, Java, .NET, Rust, and PHP
We believe security is not a feature -- it's a process. Every finding is tracked, triaged, and resolved transparently via GitHub Issues.
Report vulnerabilities to security@rampart.dev or open a GitHub Security Advisory.
Rampart is designed for the AI-first development era. Every adapter can be implemented by AI coding assistants in under 30 seconds.
- AI Integration Skill -- `.github/copilot-instructions.md` provides decision trees, minimal code patterns, and common pitfalls for Claude, Copilot, Cursor, and Windsurf
- Copy-paste Quick Start -- every adapter README contains working code that AI assistants can paste directly into your project
- Consistent API -- all 8 backend adapters share the same JWT claims structure and error format, so switching stacks requires zero auth redesign
- Typed SDKs -- TypeScript, Go structs, Python dataclasses, C# classes, and Java POJOs provide full autocomplete and type safety in any AI-assisted IDE
```text
# Ask any AI assistant:
"Add Rampart authentication to my Express app"
"Protect my FastAPI endpoints with Rampart JWT verification"
"Set up OAuth PKCE login in my React app with Rampart"
```
```bash
go test ./...        # Run all tests
golangci-lint run    # Lint
make check           # Full quality gate (lint + vet + test + security)
```

CI runs on every push: build, test, lint, security scanning, Docker build, and documentation deployment.
Contributions are welcome. See CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch
- Submit a Pull Request
Rampart is licensed under the GNU Affero General Public License v3.0.
Full documentation at manimovassagh.github.io/rampart