Introduction
Vaultaris is an open-source, enterprise-grade Identity and Access Management platform written in Rust — a self-hostable alternative to Keycloak and Auth0.
What is Vaultaris?
Vaultaris is a self-hosted IAM platform written in Rust by the Vaultaris project. It gives your organization full control over authentication and authorization without depending on a third-party SaaS provider.
Think of it as the Rust-native alternative to Keycloak, Auth0, or Okta — but smaller, faster, and fully auditable.
Key features
- OAuth 2.0 & OpenID Connect — spec-compliant authorization server with authorization code + PKCE, client credentials, and resource owner password credentials flows (note that the password grant is prohibited by the OAuth 2.0 Security Best Current Practice, RFC 9700; use authorization code + PKCE for user-facing clients)
- DPoP sender-constrained tokens — RFC 9449 support; access tokens are bound to a key pair held by the client, so a stolen token cannot be used by anyone who does not also hold the private key
- Multi-tenancy — isolate organizations within a single deployment; each tenant has its own users, roles, groups, applications, and email templates
- Fine-grained permissions — role-based access control (RBAC) with composite roles and group-scoped overrides, plus attribute-based access control (ABAC) policies with deny-override
- WebAuthn / Passkeys — full FIDO2 registration and authentication flows with signature counter validation (detects cloned authenticators) and credential management
- Email templates — per-tenant and per-application transactional email templates (password reset, MFA, invite, freeze notifications) editable from the dashboard; five email providers supported (SMTP, SendGrid, Mailgun, AWS SES, Brevo)
- Device fingerprinting — browser fingerprint + user-agent tracking for every device; trust, revoke, and inspect session history per device from the dashboard
- Freeze / Unfreeze system — LIFO resource freeze on license downgrade or expiry with email notifications; FIFO unfreeze on upgrade
- Global sessions — cross-domain single sign-on without third-party cookies
- Audit log — every action produces a tamper-evident audit record with granular time-series analytics
- Plugin system — extend Vaultaris with native Rust dynamic library plugins across 12 trait categories
- Cloud billing automation — Polar.sh-native webhooks auto-provision a workload tenant on payment, link users, and sync license limits via heartbeat; non-payment triggers grace-period emails and eventual auto-freeze
- Federated deployment — multiple Vaultaris instances register with a control plane for centralized license and telemetry management; license parameters update remotely without restarts
- Production-grade defaults — rate limiting (per-IP, Redis-backed for multi-node), connection pooling, graceful shutdown, structured tracing
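DPoP, as listed above, ties an access token to a key pair that never leaves the client. The program below is an added illustration of that mechanism and is not Vaultaris code; it is written against Go's standard library rather than in Rust because a self-contained Rust version would need third-party crates. The client side builds an RFC 9449 proof (an ES256 JWS whose header carries the public JWK and whose claims are jti, htm, htu, iat and ath); the resource-server side checks the signature, the request binding, the time window, the ath hash, the RFC 7638 thumbprint against the token's cnf.jkt claim, and finally the jti replay cache. The URI, the token string and the 60-second acceptance window are constructed placeholders, and the server-issued nonce (RFC 9449 §8) and htu normalisation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k } // client DPoP key; crypto/rand does not fail in practice

// jwkJSON renders the public key in RFC 7638 canonical form (required members only, lexicographic
// order, no whitespace); its SHA-256 is the thumbprint the authorization server stores in cnf.jkt.
func jwkJSON(pub *ecdsa.PublicKey) string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":%q,"y":%q}`, b64.EncodeToString(x), b64.EncodeToString(y))
}
func thumbprint(pub *ecdsa.PublicKey) string { return sha256b64(jwkJSON(pub)) }

// signProof is the client side: an ES256 JWS whose header carries the client's public key and
// whose claims pin the proof to one request (htm, htu), one token (ath) and one use (jti).
func signProof(priv *ecdsa.PrivateKey, method, uri, token string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": json.RawMessage(jwkJSON(&priv.PublicKey))})
	body, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri, "iat": now.Unix(), "ath": sha256b64(token)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s, not DER
	return input + "." + b64.EncodeToString(sig), nil
}

func decodePart(part string, v any) bool {
	raw, err := b64.DecodeString(part)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// verifyProof is the resource-server side. token is the presented access token, tokenJKT the
// cnf.jkt claim read from it once the token itself has been validated, and seen the replay cache
// of accepted jti values (a shared store such as Redis on a multi-node deployment).
func verifyProof(proof, method, uri, token, tokenJKT string, now time.Time, seen map[string]bool) error {
	var hdr struct{ Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } } // json matches keys case-insensitively
	var c struct{ JTI, HTM, HTU, ATH string; IAT int64 }
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || !decodePart(parts[0], &hdr) || !decodePart(parts[1], &c) ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return errors.New("malformed proof or unsupported typ/alg/key type")
	}
	xb, errX := b64.DecodeString(hdr.JWK.X)
	yb, errY := b64.DecodeString(hdr.JWK.Y)
	sig, errS := b64.DecodeString(parts[2])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("invalid key or signature")
	}
	// htu is compared after the caller has stripped query and fragment; 60 s is the accepted iat drift.
	if d := now.Unix() - c.IAT; c.HTM != method || c.HTU != uri || c.ATH != sha256b64(token) || d > 60 || d < -60 {
		return errors.New("proof made for another request or token, or outside the time window")
	}
	// The binding check: the key that signed this proof must be the key the token was issued to,
	// so a stolen token presented with a proof from any other key fails here.
	if thumbprint(pub) != tokenJKT {
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	if seen[c.JTI] {
		return errors.New("proof replayed")
	}
	seen[c.JTI] = true
	return nil
}

func main() {
	client, thief := newKey(), newKey() // the thief holds a copy of the token but not the client's key
	uri, now, seen := "https://api.example.test/v1/me", time.Now(), map[string]bool{}
	proof, _ := signProof(client, "GET", uri, "constructed-token", now)
	stolen, _ := signProof(thief, "GET", uri, "constructed-token", now)
	for _, p := range []string{proof, proof, stolen} { // fresh, replayed, wrong key
		fmt.Println(verifyProof(p, "GET", uri, "constructed-token", thumbprint(&client.PublicKey), now, seen))
	}
}
```

Running it prints `<nil>` for the fresh proof, then `proof replayed`, then `proof key does not match the token's cnf.jkt`: the thief's copy of the token is useless without the client's private key. The order of checks matters too; the jti is only recorded after every other check passes, so an attacker cannot poison the replay cache with unsigned garbage, and in a multi-node deployment that cache, like the rate limiter, belongs in Redis rather than in process memory.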
Architecture in one sentence
An Axum HTTP server backed by PostgreSQL, optionally Redis for distributed rate limiting, with JWT-based tokens, Argon2 password hashing, and AES-256-GCM encryption at rest.
When to use Vaultaris
| Use case | Fits? |
|---|---|
| Self-hosted SSO for internal tools | Yes |
| Per-tenant auth for a SaaS product | Yes |
| Replacing Auth0 / Okta to reduce cost | Yes |
| GDPR / data-residency requirements | Yes |
| Custom transactional emails per tenant | Yes |
| Device-aware session management | Yes |
| Public cloud-managed identity (Cognito, Firebase Auth) | No |
| Hardware security module integration | Roadmap |
Getting started
The fastest path to a running server is Docker Compose. For a production setup, see the Deployment guide.
Versioning
Vaultaris follows SemVer. The HTTP API is versioned under /api/v1/.