OpenCIAM
v2.0 · Passkeys, device flow & adaptive auth are here

Customer identity,
without the lock-in.

OpenCIAM is the open-source platform for logging in your users — SSO, passwordless, passkeys, MFA, social login, and consent. Drop in standards-based auth in minutes. Self-host it or run it in our cloud.

14.2k GitHub stars
3.4B logins / month
180+ contributors

Trusted by teams securing millions of users

Northwind · Acme Cloud · Lumen · Vertex Pay · Hyperion · Cobalt

Everything you need

One platform for the entire identity lifecycle

From the first signup to enterprise SSO, OpenCIAM ships the building blocks of modern customer identity — secure by default, yours to extend.

Single Sign-On

One identity across every app. Full OAuth 2.1, OpenID Connect, and SAML 2.0 support with a hosted login that themes to your brand.

Passwordless & Passkeys

FIDO2/WebAuthn passkeys, magic links, email & SMS OTP, and push approval. Kill the password without killing conversion.

Adaptive MFA

Risk-based step-up authentication that reads device, geo, velocity, and behavior signals — challenge only when it matters.

Social & Enterprise login

30+ prebuilt connectors — Google, Apple, Microsoft, GitHub — plus enterprise SAML/OIDC federation and SCIM provisioning.

User management

Profiles, roles, organizations, and fine-grained permissions (RBAC + ReBAC). Self-service registration and progressive profiling.

Consent & privacy

GDPR/CCPA-ready consent management, data residency controls, audit trails, and one-click data export and erasure.

Fraud & bot defense

Credential-stuffing detection, breached-password screening, rate limiting, and bot mitigation built into every flow.

Visual auth flows

Compose login, signup, and recovery journeys with a drag-and-drop flow builder — or define them as code. No redeploys.

APIs, hooks & SDKs

Typed SDKs for every major stack, REST & GraphQL APIs, and event webhooks/actions to extend any step of the lifecycle.

Standards, not lock-in

Built on the protocols the internet runs on

No proprietary tokens, no magic black box. OpenCIAM implements the open identity standards end to end, so it interoperates with every client, gateway, and IdP you already use — and you can walk away whenever you want.

RFC 6749 · RFC 9700 · OIDC Core 1.0 · RFC 8628 · WebAuthn L3

OAuth 2.1

Authorization & token issuance

OpenID Connect

Identity & SSO layer

SAML 2.0

Enterprise federation

FIDO2 / WebAuthn

Passkeys & hardware keys

SCIM 2.0

User provisioning & sync

OAuth Device Flow

TVs, CLIs & IoT

Built for developers

Production auth in a few lines

Idiomatic SDKs, sensible defaults, and copy-paste quickstarts for every stack. PKCE, rotation, and secure cookies are handled for you — so you can focus on your product.

import { OpenCIAMProvider, useAuth } from "@openciam/react";

// Wrap the app once so child components can read auth state via useAuth().
function App() {
  return (
    <OpenCIAMProvider domain="acme.openciam.io" clientId="...">
      <Dashboard />
    </OpenCIAMProvider>
  );
}

function Dashboard() {
  const { user, login, logout } = useAuth();

  // No signed-in user: offer sign-in instead of rendering the welcome message.
  if (!user) return <button onClick={login}>Sign in</button>;
  return <p>Welcome back, {user.name}</p>;
}

Your infrastructure, your choice

Self-host it, or let us run it

Same open-source engine either way. Start in our cloud and move on-prem later, or run it yourself from day one. No rewrites, no lock-in.

Self-hosted

Your servers, your rules.

  • Deploy with Docker, Helm, or Kubernetes
  • Runs on Postgres — no exotic dependencies
  • Air-gapped & data-residency friendly
  • Apache-2.0 — free forever, no MAU caps

Managed cloud

We run it. You ship.

  • 99.99% SLA, global edge, autoscaling
  • Zero-downtime upgrades & backups
  • SOC 2 Type II & ISO 27001 infrastructure
  • Migrate to self-host anytime — same engine

How we compare

The open alternative to closed CIAM

The same capabilities the incumbents charge a premium for — without the per-MAU billing, the data hostage situation, or the closed roadmap.

Capability | OpenCIAM | Cidaas | Auth0
Open source core
Self-host on your infra
Limited
No per-MAU pricing surprises
Passkeys / WebAuthn
Visual flow builder
Add-on
Consent & GDPR tooling
Add-on
Own & export your user data
Limited
Limited
Transparent roadmap
Community-driven

Comparison reflects publicly documented capabilities and is provided for general guidance. Trademarks belong to their respective owners.

Open source at the core

Auditable, forkable, community-owned

Identity is too important to be a black box. Every line of OpenCIAM is public and Apache-2.0 licensed. Read the code, file an issue, send a PR, or fork it — the roadmap is built in the open with the people who run it in production.

openciam/openciam

14.2k Stars · 180+ Contributors · 3.2k Forks · Apache-2.0 License

feat: WebAuthn conditional UI for passkeys · merged
feat: tenant-level data residency regions · merged
fix: rotate refresh tokens on reuse detection · merged

Own your customers' identity.

Ship secure login today. Self-host for free, or spin up a managed tenant in under a minute. No credit card, no MAU meter.