Enterprise-grade Identity and Access Management for modern SaaS applications.

Cerberus IAM delivers the complete identity infrastructure your product needs without building it from scratch. We provide secure authentication, fine-grained authorization, multi-tenant user directories, and standards-compliant OAuth 2.1/OpenID Connect—all built with TypeScript and designed for production.

Identity and access management shouldn't be something every team has to build from the ground up. Cerberus IAM gives you the foundational identity layer so you can focus on your product.

Authentication

• Email/password authentication with Argon2id hashing
• Session management with secure cookies and refresh token rotation
• Password reset and email verification flows
• Device and session controls with reuse detection
• Multi-factor authentication (TOTP) — in development

User Directory

• Multi-tenant organizations with complete data isolation
• Users, teams, roles, and hierarchical permissions
• Team-based grouping and access control
• Comprehensive audit logs for compliance
• Built on PostgreSQL with Prisma ORM

OAuth 2.1 & OpenID Connect

• Full authorization server implementation
• Authorization code flow with PKCE
• Discovery, JWKS, token, userinfo, introspection, and revocation endpoints
• Standards-compliant responses (RFC 6749, RFC 7662, RFC 7009, RFC 7517)
• OAuth2 client management with secret rotation

Authorization

• Role-Based Access Control (RBAC) with fine-grained permissions
• Organization-level and team-level isolation
• Permission wildcards for flexible policy definitions
• Effective permission computation for policy enforcement
• API key authentication for programmatic access

Admin Console

• Web-based admin interface for tenant operators
• User, team, and role management
• OAuth2 client administration
• Session monitoring and control
• Audit log browsing
• Modern UI with dark mode support

Developer Experience

• TypeScript-first with comprehensive types
• RESTful API with OpenAPI documentation
• Zod schema validation
• Result pattern for error handling
• Extensive test coverage (unit, integration, e2e)

Security by Default

• Argon2id password hashing
• CSRF protection and rate limiting
• HTTP-only secure cookies
• Helmet.js security headers
• Encrypted secret storage
• Comprehensive audit trails

Standards Compliant

• OAuth 2.1 authorization server
• OpenID Connect 1.0 identity provider
• PKCE required by default
• Industry-standard token formats and flows

Production Ready

• Multi-tenant architecture with tenant isolation
• Structured logging with Pino
• OpenTelemetry readiness
• Docker containerization
• Database migrations with Prisma
• Comprehensive test suites

Modern Stack

• TypeScript 5 throughout
• Node.js + Express.js for the API
• Next.js + React for admin console
• PostgreSQL for data persistence
• Railway-ready deployment

Cerberus IAM is under active development. Core authentication, authorization, and user management features are functional and tested. The platform is suitable for development and evaluation but should undergo security review before production deployment.

Currently Available:

• Multi-tenant user directory with RBAC
• Email/password authentication
• Session management with secure cookies
• OAuth2/OIDC provider (authorization code + PKCE)
• Admin console for user/team/client management
• API key authentication
• PostgreSQL with migrations
• Comprehensive test suites

In Development:

• User-facing authentication portal
• Multi-factor authentication (TOTP)
• Social login providers (Google, GitHub)
• Webhook notifications
• Advanced RBAC policy engine

Explore our repositories to get started:

• api — Core IAM API and OAuth2/OIDC provider
• app — Admin console web application
• web — User-facing authentication portal

Each repository contains detailed setup instructions, documentation, and examples.

We welcome contributions, feedback, and collaboration!

• Documentation: Visit our comprehensive docs for API references, architecture guides, and deployment instructions
• Issues: Report bugs and request features in the respective repository
• Security: See SECURITY.md in each repository for responsible disclosure
• Code of Conduct: We maintain a welcoming, inclusive community — see CODE_OF_CONDUCT.md

Secure identity should be attainable for every product team. Cerberus IAM is built with the belief that identity infrastructure should be:

• Secure by default — Best practices baked in, not bolted on
• Standards-compliant — OAuth 2.1, OIDC, and industry standards
• Developer-friendly — TypeScript, great docs, and excellent DX
• Production-ready — Multi-tenant, scalable, and observable

Built with ❤️ by Jerome Thayananthajothy