Vendidit Auth
What is this?
Vendidit Auth is one Go identity service plus a family of consumer SDKs that let any browser app or backend service authenticate against it. Tokens are short-lived HS256 JWTs that downstream services verify locally — no per-request network hop on the hot path.
Nine packages, four runtimes, one wire contract.
The Go identity service. Owns users, orgs, roles, sessions, JWT signing. Single source of truth.
Source-only TS package — JWT claims, principals, wire DTOs, error codes. Mirrors the server’s wire shape.
Browser SDK — login, refresh-rotation, SSO/PKCE, 2FA, magic links. Framework adapters for React, Preact, Solid, Vue, Astro.
Live integration reference at auth-demo.vendidit.com. 45 catalog pages plus full auth routes.
Framework-agnostic TS backend core. AuthClient facade, Flows, JwtValidator, HttpTransport, typed exception hierarchy.
NestJS adapter — module, guards, decorators. Wraps auth-server-ts. Ships Axios + Redis adapters out of the box.
Framework-agnostic PHP 8.1+ core. PSR-18 transport, PSR-16 cache, PSR-3 logger. Mirrors auth-server-ts.
Pick your path
Hosted services
| URL | What it is |
|---|---|
new-auth.vendidit.com | Production auth-server (Go). API base: /api/v1. Health: /health. |
auth-demo.vendidit.com | Live demo + visual feature catalog. Every atom, form, and flow the browser SDK ships has a working page. |
Highlights
- Local-first JWT validation — every backend SDK verifies HS256 signatures against a shared secret. Validation is microseconds, not milliseconds.
- Refresh-token rotation with reuse detection — RFC 6819 §5.2.2.3 family revoke.
- Pluggable transport / cache / session ports — every adapter is swap-in-able.
- Multi-tenant orgs + app scoping — token claims carry
org_id,app_id, and the union of role-derived permissions for that app’s services. - 15-class typed exception hierarchy — same names in TS and PHP.
- Symmetric design —
auth-server-tsandauth-server-phpmirror each other directory-for-directory.