
authgear-server

Secrets & Credentials

Open source authentication platform that serves as an alternative to Auth0, Clerk, and Firebase Auth

Go · Latest release 2026-05-06.0 · 28d ago

Features

  • Passwordless login via magic links or OTP (Email, SMS, WhatsApp)
  • Support for Passkeys and biometric login on mobile devices
  • Comprehensive MFA options including TOTP, SMS, Email, and adaptive policies
  • Pre‑built signup/login and account settings pages with theming support

Recent releases

2026-05-06.0 New feature
Notable features
  • Fraud Protection screen (alpha) for blocking signup/login abuse without code
  • Site-wide Admin Portal for usage monitoring and project management
Full changelog

Highlights

Fraud Protection in the Portal (alpha). A new Fraud Protection screen lets you block abuse on signup and login flows without writing code. This is an alpha release behind a feature flag, enabled for selected projects only.

Site Admin Portal. A new site-wide admin view for monitoring usage and managing projects across your Authgear deployment.

Other changes

  • AuthUI translation overrides for the account selector and magic-link verification pages can now reference {AppName} and {ClientName}.
  • Email alerts when a project hits its SMS usage limit.
  • The Portal's Add User screen now uses the standard country-code phone input.
  • Fixed: OTP form double-submitting on fast typing in Safari.
  • Fixed: stale Admin API documentation link in the Portal.
2026-04-21.0 Mixed
Security fixes
  • Authflow cooldowns now session-scoped — closes abuse vector where users changed phone or email mid-flow to reset OTP cooldowns
Notable features
  • Usage alerts with email + usage.alert.triggered webhook before hard caps
  • Non-ASCII sender names in custom SMTP
  • Portal: Endpoint field now shows for OIDC and SAML app types
Full changelog

Highlights

  • Usage alerts for project owners. Set soft limits on your Authgear usage and get alerted before you hit a hard cap. When a threshold is crossed, Authgear emails the project owner and fires a usage.alert.triggered webhook. Catch runaway SMS, email, or MAU costs before they become billing surprises.
  • Authflow session-scoped cooldowns. Cooldowns on OTP retries used to reset when users changed the target phone number or email mid-flow. Now the cooldown sticks to the whole authflow session. Closes a real abuse vector.
  • Non-ASCII sender names in custom SMTP. Custom SMTP now accepts sender names in Chinese, Japanese, and other non-Latin scripts.
  • Smaller portal improvements. Clearer social login setup flow. The Endpoint field now shows up for OIDC and SAML app types, not just OAuth.
2026-03-17.0 New feature
Breaking changes
  • Legacy v1 Auth UI removed
Notable features
  • Customizable welcome email templates
  • Customizable admin-triggered password email templates
  • Error tracking IDs on error pages
2026-01-08.0 New feature
Notable features
  • Account valid period configuration
  • IP blocklist support
  • Temporary access tokens for Admin API

About

Stars
1,806
Forks
114
Languages
Go HTML TypeScript

Alternative to

Auth0 Clerk Firebase Auth
