Melody Auth is turnkey OAuth & authentication system that can be seamlessly deployed on Cloudflare’s infrastructure, utilizing Workers, D1, and KV, or self-hosted with Node.js, Redis, and PostgreSQL. It provides a robust and user-friendly solution for implementing and hosting your own oauth and authentication system with minimal configuration required.
Server Setup (Cloudflare)
Server Setup (Node)
Mailer Setup
SMS Setup
Configurations
- Deploy the entire system within minutes, either using Cloudflare’s infrastructure or self-hosted with Node.js, Redis, and PostgreSQL.
- Minimize DevOps overhead by leveraging Cloudflare, or maintain full control with a self-hosted solution.
- Full access to the source code for customization and scalability.
- Web interface for managing apps, users, scopes, and roles
- Serves as a simple implementation example using the React SDK and Server-to-Server REST API
- Secure communication channel for backend services using client credentials token exchange flow
- Provides functionalities for managing apps, users, scopes, and roles with scope protection
- Enables smooth integration between React applications and the authentication server
- Implements Proof Key for Code Exchange (PKCE) for enhanced security
- OAuth 2.0:
- Authorize
- Token Exchange
- Refresh Token Revoke
- App Consent
- App Scopes
- User Info Retrieval
- openid-configuration
- Authorization:
- Sign-In
- Sign-Up
- Sign-Out
- Email Verification
- Password Reset
- Role-Based Access Control (RBAC)
- Localization How to support a new locale
- Social Sign-In:
- Google Sign-In
- Facebook Sign-In
- GitHub Sign-In
- Multi-Factor Authentication How to setup MFA:
- Email MFA
- OTP MFA
- SMS MFA
- MFA Enrollment
- Policy How to trigger a different policy
- sign_in_or_sign_up
- change_password
- change_email
- reset_mfa
- Mailer Option:
- SendGrid
- Mailgun
- Brevo
- STMP (Node.js environment only)
- SMS Option:
- Twilio
- JWT Authentication:
- RSA256 based JWT Authentication How to verify a SPA access token
- JWT Secret Rotate How to rotate JWT secret
- Brute-force Protection:
- Log in attempts
- Password reset attempts
- OTP MFA attempts
- SMS MFA attempts
- Email MFA attempts
- Change Email attempts
- Logging:
- Email Logs
- SMS Logs
- Sign-in Logs
- S2S REST API & Admin Panel:
- Manage Users
- Manage Apps
- Manage Scopes
- Manage Roles
- View Logs
- Localization
Authorization Screenshots
Admin Panel Screenshots
This project is licensed under the MIT License. See the LICENSE file for details.