Auth Service
Self-hosted OAuth 2.1 / OIDC identity provider built on BetterAuth v1.5. Email/password auth, MFA (TOTP + passkeys), multi-app RBAC, subscription plans with feature flags, consumption tracking, and an embedded Vue 3 admin SPA.
Key features
OAuth 2.1 / OIDC
Full Authorization Code + PKCE flow, refresh tokens, JWKS endpoint, and OpenID Connect discovery document at the issuer root.
Multi-factor authentication
TOTP (two-factor) and WebAuthn passkey / YubiKey registration and authentication via BetterAuth plugins.
Multi-app RBAC
Each registered application has its own roles and permissions injected into the id_token as custom claims — no shared role namespace.
Subscription plans
Per-application subscription plans with JSON feature flags. Stripe billing integration synchronises plan status via webhooks.
Consumption tracking
Record arbitrary numeric metrics (API calls, storage, seats…) per user per application. Aggregate queries and an admin reset are built in.
Admin SPA
Embedded Vue 3 admin dashboard for managing applications, users, roles, plans, and sessions — served directly by the backend.