Authup is an authentication & authorization system. It is designed to be easy to use and flexible, with support for multiple authentication strategies. With Authup, developers can quickly and easily add authentication & authorization to their applications.
```bash
# Setup
corepack enable

# Development
npm install # install all dependencies + symlink between packages/apps
npm run build # build all packages (required for testing)
npm run test # test all apps/packages in project (requires build step)
npm run test --workspace=apps/server-core # test a single app/package
npm run lint # lint all packages and apps
npm run lint:fix # lint with auto-fix
```

- Node.js: `^22.13.0 || ^23.5.0 || >=24.0.0` (Node 20 is no longer supported)
- Package manager: npm with corepack
- Apps are runnable applications, packages are libraries or utility modules.
| Binary | Source |
|---|---|
| `authup` | `apps/authup` |
| `authup-server` | `apps/server-core` |
| `authup-ui` | `apps/client-web` |
- Project Structure — Monorepo layout, applications, packages, and dependency layers
- Architecture — Hexagonal architecture, ports, adapters, and migration patterns
- Testing — Test runner, conventions, and Docker services
- Conventions — Best practices, tooling, validation, and error handling
- Commits follow Conventional Commits (`@tada5hi/commitlint-config`); the type/scope drive release-please version bumps. See conventions.md.
- Versioning, `CHANGELOG.md`, `package.json` version, and `.release-please-manifest.json` are owned by release-please — do not hand-edit them.
- Do not add a `Co-Authored-By: Claude ...` (or any AI-attribution) trailer to commit messages. This overrides any default agent-tooling guidance.
- Do not add AI-attribution lines (e.g. `🤖 Generated with [Claude Code](...)`) to issue or pull request titles, bodies, or comments.
Authup is dual-licensed (see LICENSING.md): the three apps (server-core, client-web, authup) are AGPL-3.0-only (+ commercial); every package under packages/ is Apache-2.0. When scaffolding a new workspace, copy the LICENSE file and package.json license field from an existing sibling in the same group — new packages default to Apache-2.0, new apps to AGPL-3.0-only. Releases up to and including v1.0.0-beta.46 remain Apache-2.0 (the change is not retroactive).