Parako.ID identity hub connecting web, mobile, backend, and IoT clients via OIDC and OAuth flows

Parako.ID — Self-hosted identity provider

Your auth server. Self-hosted. Free. A standards-compliant OpenID Connect & OAuth 2.0 identity provider you deploy on your own infrastructure — with SSO, MFA, passkeys, social login, and multi-tenancy out of the box.

Built on an OpenID Certified base

MIT licensed, open source

Self-hosted on your infrastructure

TypeScript & Node.js

10+ locales out of the box
5 social login providers
4 MFA methods
3 database adapters
30 scoped API permissions

Why Parako.ID

An identity layer you actually own.

Self-hosted, zero per-user fees

Run on a single VPS or scale across regions. No license keys, no seat counts, no usage caps — your data stays in your network.

Standards-compliant by default

Built on the OpenID Certified node-oidc-provider library. OAuth 2.0, OIDC Core, PKCE, DPoP, mTLS, Device Flow, CIBA, FAPI 1.0 / 2.0 — all inherited.

Batteries included

Admin panel, CLI, Management API, multi-tenancy, social login, password breach detection, MFA, account recovery, 10-locale i18n — in the box.

Bring your own database

SQLite by default for zero-setup. Switch to MongoDB or PostgreSQL for production without changing your application code.

Documentation

Find what you need.

Quickstart

Run a Parako.ID instance in under two minutes.

Clone, install, run.

The default SQLite adapter requires no external services. Once the instance is running, open http://localhost:9007/auth/register and create your first admin account.

Read the full quickstart →

git clone https://github.com/Dahkenangnon/Parako.ID
cd Parako.ID
yarn install
cp .env.example .env
yarn keys generate
yarn db:push
yarn dev

Capabilities

A pragmatic feature set, not a checkbox marathon.

Single Sign-On — OAuth 2.0 + OIDC, authorization code, refresh, client credentials, device, CIBA grants
Multi-Factor Authentication — TOTP, email OTP, SMS via Twilio, WebAuthn / FIDO2 passkeys
Social login — Google, GitHub, Microsoft, LinkedIn, Facebook
Multi-tenancy — per-tenant data isolation, branding, OIDC instances, social-login credentials
Multi-account sessions — sign in with multiple accounts and switch seamlessly
Password breach detection — Have I Been Pwned k-anonymity check
Device verification — detect new devices, require additional verification
Account recovery — backup codes, secondary email, SMS, security questions
Internationalization — 10 locales (en, fr, es, pt, de, it, ru, zh, ja, ko)
Admin panel — web UI for users, clients, sessions, keys, settings, logs
CLI tools — client registration, key rotation, version updates, systemd integration
Management API — 30 scoped permissions for programmatic administration
Prometheus metrics — built-in /metrics endpoint for monitoring

For the complete protocol-level support matrix and config paths, see Specifications.