v0.1.7 RBAC · ABAC · Multi-tenant · OAuth 2.0 / OIDC · DPoP

Identity infrastructure, reimagined.

Vaultaris is a self-hosted IAM server built in Rust. OAuth 2.0 & OIDC compliant, multi-tenant, fine-grained RBAC + ABAC, WebAuthn, device fingerprinting, per-tenant email templates, and a full audit trail — in a single binary under 50 MB.

self-host or cloud · p99 < 4ms token verify · ~50 MB binary · DPoP (RFC 9449) · multi-tenant by design
[Hero graphic: live RBAC graph for tenant=acme-prod (nodes: tenant, user, group, admin, edit, view, api); sample evaluation user=usr_01HQ3X7MN · role=admin · scope=users:write → allow, sig=ed25519, p99=3.9ms; counters: tenants 12 · users 4,821 · evals/s 200k · devices fingerprinted]
NOT ANOTHER IAM

Sits where Stripe sits. Not where Keycloak sat.

Vaultaris is the foundational layer you build on top of, not alongside. Same altitude as payments, edge, and deploys — the infra you wire once and stop thinking about.

LEGACY IAM 2008–present

Bolted-on auth. JVM under the hood. Config via UI. Latency a liability.

  • memory: JVM runtime · 2 GB min per node
  • keys: Shared HMAC secrets over the wire
  • eval: Policy latency grows with org size
  • audit: Best-effort JSON logs, no replay
  • email: Hardcoded email templates per provider
  • devices: Device sessions tracked by user-agent only
  • billing: Billing hooks require custom middleware
  • ops: XML config, WAR deploys, quarterlies

VAULTARIS v0.1.7 · today

Infrastructure auth. Rust binary. Config as code. Latency a guarantee.

  • memory: Static Rust binary · small footprint
  • keys: Asymmetric keypairs + DPoP (RFC 9449), continuous rotation
  • eval: Constant-time policy graph evaluation
  • audit: Every decision replayable, versioned, time-series
  • email: Per-tenant & per-app email templates, UI-editable
  • devices: Full device fingerprinting — trust/revoke from dashboard
  • billing: Built-in cloud billing · auto-provision on payment
  • ops: TOML config · live plan sync · ship in hours

THE PRIMITIVES

Platform primitives. No opinions you didn't ask for.

Vaultaris ships exactly the auth and platform primitives a staff engineer actually wants — and stops there. Multi-tenant by design, not by config. Every surface is a REST endpoint, every decision is in the audit log, every email is a template you own.
01 · CRYPTOGRAPHY

Signed by construction. Not by convention.

Every JWT is signed with ed25519 at issue and verified locally in ~1μs. No shared secrets. DPoP sender-constrained tokens (RFC 9449) ship out of the box. Keys rotate every 6h with zero downtime — old tokens keep verifying across the boundary.

  sub     usr_01HQ3X7MN
  tenant  acme-prod
  scope   users:write, audit:read
  dpop    jkt=sha256:9f2c… ∎ bound
  sig     ed25519 · 3f2ab9c1e5748d… 6b04af29ed113c… 91ccfe8a20b4d7… 1e7a83bf05cc9d…
  key     verk_4821 ∎ verified
02 · RBAC + ABAC

Roles as a graph. Policies as logic.

Users & groups inherit roles. ABAC policies overlay with deny-override. Evaluated per-tenant at request time.

[Policy graph figure: nodes ten, usr, grp, adm, edit, abac, api]
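An added example, not Vaultaris code, of the evaluation order this section describes: a per-tenant graph in which users inherit roles through (nested) groups, with ABAC deny policies layered on top so that a matching deny overrides any role-derived allow. The class and function names, the tenant, its users, roles and the IP-based deny policy are all constructed for illustration.

```python
from typing import Callable

Policy = Callable[[dict], bool]  # ABAC predicate over the request context

class TenantPolicyGraph:
    # One instance per tenant: users -> groups (with parent groups) -> roles -> scopes,
    # plus ABAC deny policies that override any role-derived allow.
    def __init__(self) -> None:
        self.user_groups: dict[str, set[str]] = {}
        self.group_parents: dict[str, set[str]] = {}
        self.group_roles: dict[str, set[str]] = {}
        self.user_roles: dict[str, set[str]] = {}
        self.role_scopes: dict[str, set[str]] = {}
        self.deny_policies: list[tuple[str, Policy]] = []  # (scope, predicate)

    def groups_of(self, user: str) -> set[str]:
        # Walk group inheritance; 'seen' guards against cycles in the graph.
        seen, stack = set(), list(self.user_groups.get(user, ()))
        while stack:
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(self.group_parents.get(group, ()))
        return seen

    def roles_of(self, user: str) -> set[str]:
        roles = set(self.user_roles.get(user, ()))
        for group in self.groups_of(user):
            roles |= self.group_roles.get(group, set())
        return roles

    def evaluate(self, user: str, scope: str, ctx: dict) -> bool:
        # RBAC layer: some inherited role must grant the scope.
        if not any(scope in self.role_scopes.get(r, ()) for r in self.roles_of(user)):
            return False
        # ABAC overlay with deny-override: a matching deny beats every allow.
        return not any(s == scope and pred(ctx) for s, pred in self.deny_policies)

def demo_tenant() -> TenantPolicyGraph:
    # Constructed tenant: eng inherits from staff; staff are viewers, eng are admins.
    t = TenantPolicyGraph()
    t.role_scopes = {"admin": {"users:write", "users:read", "audit:read"}, "viewer": {"users:read"}}
    t.group_parents = {"eng": {"staff"}}
    t.group_roles = {"staff": {"viewer"}, "eng": {"admin"}}
    t.user_groups = {"usr_alice": {"eng"}, "usr_bob": {"staff"}}
    # Constructed deny policy: no writes from outside the 10.x office range, whatever the role.
    t.deny_policies.append(("users:write", lambda c: not c.get("ip", "").startswith("10.")))
    return t
```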
03 · LATENCY

Predictable under load.

No GC pauses. No JVM warm-up. Granular time-series built in. Rust's async runtime keeps p99 flat at any scale.

p99 · 4ms budget
04 · EMAIL TEMPLATES

Branded emails. Per tenant. Per app.

Every transactional email — reset, MFA, invite, freeze — is a template you own. Override per-tenant or per-application directly from the dashboard.

05 · DEVICE INTELLIGENCE

Every device, fingerprinted.

Browser fingerprint + UA tracking. Trust, revoke, inspect session history per device. Anomalous access surfaces instantly.

fp_8a3bc1d2… · trusted · Chrome 124 · macOS 14 · 2m ago
fp_9f2cd8a1… · active · Safari 17 · iPhone 15 · 1h ago
fp_3e7ba4f9… · revoked · Firefox 125 · Linux · 3d ago
06 · AUDIT

Every decision, replayable.

Every action — login, token issue, permission check, role change, freeze event — is written to an immutable audit log with tenant, user, IP, and latency. Compliance becomes a GET /audit, not an archaeology dig.

14:03:12 · login · usr_01HQ3… · ok · 2.1ms
14:03:12 · token.issue · usr_01HQ3… · ok · 1.8ms
14:03:13 · permission · svc_api01 · deny · 0.9ms
14:03:14 · freeze.apply · usr_08TK2… · freeze · 3.1ms
14:03:14 · email.sent · grace_period · ok · 1.2ms
07 · CLOUD BILLING

Pay once. Provisioned instantly.

Built-in cloud billing. On payment, your tenant is provisioned automatically and your plan limits sync live. Non-payment triggers a grace period with email reminders before any feature is paused.

  • checkout: your tenant
  • payment: auto-provision tenant
  • limits: sync live with your plan
  • overdue: grace period · email reminder
  • expired: paid features pause until renewal
08 · DEVELOPER EXPERIENCE

REST API-first. Your CI is a first-class user.

Every action in the admin console is also an API call. Manage tenants, roles, users, email templates, and OAuth clients programmatically. OpenAPI spec and interactive Scalar UI included at /api/v1/docs.

POST /api/v1/tenants/{id}/users · 201 Created · 3.2ms
PUT /api/v1/tenants/{id}/email-templates/{type} · 200 OK · 1.4ms
GET /api/v1/tenants/{id}/audit?action=freeze.apply · 200 OK · 2.1ms
POST /oauth/token grant_type=client_credentials · 200 OK · 1.5ms
09 · OBSERVABILITY

Production-ready. From boot.

Prometheus metrics, k8s-shape health probes, structured JSON logs, and a Scalar-rendered OpenAPI spec — wired in, not bolted on.

ARCHITECTURE

Four surfaces. One deterministic binary.

No agents. No sidecars. No magic. Vaultaris runs as a single Rust binary serving every token evaluation from a replayable decision graph. Switch between surfaces to see what each one does.
[Diagram: your app sends a request; Vaultaris validates, signs and audits it in a single round trip and returns a signed token that your app verifies locally.]

verify latency: single-digit ms · shared secrets: zero · footprint: small
RECENTLY SHIPPED

Delivered. In production.

Features that shipped in the last cycles — each production-ready, spec-compliant, and covered by the audit log the day they landed. No betas. No feature flags.
security · RFC 9449

DPoP sender-constrained tokens

Tokens cryptographically bound to the client key pair via a proof-of-possession header. Replay attacks become structurally impossible.

Browser SDK · WebCrypto · HSM/KMS trait
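An added example, not Vaultaris code or its SDK, of what a resource server checks on a DPoP proof under RFC 9449 before honouring a sender-constrained token (this also covers the DPoP binding shown in the cryptography section above): proof type, method and URI binding, freshness, the ath hash of the presented token, the proof key's RFC 7638 thumbprint against the token's cnf.jkt, and a jti replay cache. It assumes the proof JWT's signature has already been verified against the embedded key; the class and function names are made up, the public key is the RFC 8037 appendix example, and the token and URL are constructed.

```python
import base64, hashlib, json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, sorted, no whitespace.
    required = {"OKP": ("crv", "kty", "x"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

class DpopVerifier:
    def __init__(self, max_age_s: int = 300) -> None:
        self.max_age_s = max_age_s
        self.seen_jti: dict[str, float] = {}  # jti -> expiry; the replay cache

    def check(self, hdr: dict, claims: dict, method: str, url: str,
              access_token: str, token_claims: dict, now: float) -> str:
        # Returns "ok" or the first failed check. The proof JWT's signature is
        # assumed to have been verified against hdr["jwk"] by the caller.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        ath = b64url(hashlib.sha256(access_token.encode()).digest())
        jkt = token_claims.get("cnf", {}).get("jkt")
        iat = claims.get("iat", 0)
        failures = [
            (hdr.get("typ") != "dpop+jwt", "typ is not dpop+jwt"),
            (claims.get("htm") != method, "htm does not match request method"),
            (claims.get("htu") != url.split("?", 1)[0], "htu does not match request URI"),
            (not (now - self.max_age_s <= iat <= now + 5), "iat outside acceptance window"),
            (claims.get("ath") != ath, "ath does not hash the presented token"),
            (jwk_thumbprint(hdr["jwk"]) != jkt, "proof key not bound to token (cnf.jkt)"),
            (not claims.get("jti") or claims["jti"] in self.seen_jti, "jti missing or replayed"),
        ]
        for failed, reason in failures:
            if failed:
                return reason
        self.seen_jti[claims["jti"]] = iat + self.max_age_s
        return "ok"

# Constructed inputs; the Ed25519 public key is the RFC 8037 appendix example key.
RFC8037_JWK = {"kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}

def demo(now: float = 1_700_000_000.0) -> tuple[str, str]:
    token = "header.payload.signature"  # stand-in for the opaque access-token string
    token_claims = {"sub": "usr_01HQ3X7MN", "cnf": {"jkt": jwk_thumbprint(RFC8037_JWK)}}
    hdr = {"typ": "dpop+jwt", "alg": "EdDSA", "jwk": RFC8037_JWK}
    url = "https://iam.example/api/v1/tenants/acme/users"
    claims = {"jti": "n-0S6_WzA2Mj", "htm": "POST", "htu": url, "iat": now - 2,
              "ath": b64url(hashlib.sha256(token.encode()).digest())}
    v = DpopVerifier()
    first = v.check(hdr, claims, "POST", url + "?page=1", token, token_claims, now)
    second = v.check(hdr, claims, "POST", url, token, token_claims, now)  # same jti replayed
    return first, second
```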
platform

Email templates per-tenant & per-app

Every transactional email — reset, MFA, invite, freeze — overridable from the dashboard. Five providers. Variables auto-completed in the editor.

SMTP · SES · SendGrid · Mailgun · Brevo
security

Device fingerprinting

Browser fingerprint + user-agent stored per device. Trust, revoke, and inspect session history per device from the admin dashboard.

Dashboard UI · API
billing

Cloud auto-provisioning

On the first successful payment your tenant is created and configured automatically — no manual setup, no waiting on support. Plan limits sync live and update the moment you upgrade.

Auto setup · Live limits · Grace period
compliance

Freeze/Unfreeze with notifications

Graceful downgrade on license change or non-payment — paid features pause but your data is preserved. Grace-period and cancellation emails go out automatically. Everything restores on upgrade.

Grace period · Email reminders · Reversible
analytics

Granular time-series analytics

Auth events, session stats, security events — queryable with configurable granularity and time ranges. Dashboard shows real trends, not just totals.

Auth stats · Session stats · Security events
3.9ms p99 token verify · 200k/s issue per node · 10× less memory vs JVM · 0 runtime dependencies
TRY IT NOW · SANDBOX

Spin up a private sandbox. Yours for an hour.

Drop your email, verify a one-time code, and we provision a real Vaultaris tenant — seeded with users, groups, OAuth clients and an audit trail you can poke at. The sandbox self-destructs after 60 minutes. No credit card, no commitment.

  • Real backend — same binary you'd self-host
  • Seeded with users, groups, roles and 2 OAuth clients
  • Disposable domains blocked · rate-limited per IP
  • Auto-purged after the session expires — no data retained
LICENSING

Two ways to run Vaultaris. Pick one.

Hosted Cloud is the fastest path — we run everything for you and your tenant provisions on payment. Self-host runs the same Rust binary on your infrastructure with a lower per-month license — you bring the servers, we bring the IAM.

SELF-HOST · Your servers · your data

Self-host

Single static Rust binary on your infrastructure — no data leaves your network. Same features as Cloud at a lower monthly license cost. You bring the servers.

  • Single binary · ~50 MB · zero runtime dependencies
  • OAuth 2.0 · OIDC · SAML 2.0 · WebAuthn · Passkeys
  • Native plugin runtime (Rust dynamic libraries)
  • Multi-tenant · multi-application · K8s webhooks
  • Custom branding · per-tenant email templates
  • Online license sync · or perpetual key for air-gap
  • Private security advisories before public disclosure
  • Priority support · dedicated contact
Secure checkout. Card details never touch Vaultaris servers — payment is handled by a PCI-DSS Level 1 provider. Review the full amount, taxes and renewal terms before confirming.
Non-profits, student teams and educational projects can request a discounted license. Tell us about your use case. Apply via email →
SHIP TODAY

Auth shouldn't be the hard part. Plug it in and move on.

A single static Rust binary, a hosted Cloud option for teams that don't want to run their own infra, and a REST API your CI can drive. Replace your auth server in an afternoon — or migrate one policy at a time.

binary ~50 MB · build reproducible · self-host or cloud · runtime deps 0