Melody Auth

Melody Auth is a user-friendly, robust solution for implementing and hosting your own OAuth and authentication system.

Deploy to Cloudflare using Workers, D1, and KV in just minutes — minimizing infrastructure and DevOps overhead.
Self-Host with Node.js, Redis, and PostgreSQL — giving you full control over your data and infrastructure.

Disclaimer All French translations provided in this project have been generated by AI. Please review them carefully for accuracy before use.

What's included?

OAuth & Authentication Server [Setup] [Config]
Server-to-Server REST API for backend integrations [Setup] [Swagger]
Admin Panel for managing resources (also serves as a full-stack implementation example) [Setup]
React/Angular/Vue/Web SDK to seamlessly integrate PKCE-based authentication into your frontend application.
- react-sdk [Package] [Doc]
- angular-sdk [Package] [Doc]
- vue-sdk [Package] [Doc]
- web-sdk [Package] [Doc]
Embedded Auth API for embedding authentication flows directly within your application. [Setup] [Swagger]

OAuth 2.0:
- Authorize
- Token Exchange
- Refresh Token Revoke
- App Consent
- App Scopes
- User Info Retrieval
- OpenID Configuration
Authorization:
- Sign-In
- Passwordless Sign-In
- Sign-Up
- Sign-Out
- Email Verification
- Password Reset
- Role-Based Access Control
- User Attribute
- Account Linking
- Localization
External Identity Providers:
- Social Sign-In
  - Google Sign-In
  - Facebook Sign-In
  - GitHub Sign-In
  - Discord Sign-In
  - Apple Sign-In
- OIDC Auth Provider Sign-In
- SAML SSO Sign-In (Node.js environment only)
Multi-Factor Authentication
- Email MFA
- OTP MFA
- SMS MFA
- MFA Self Enrollment
- Passkey Enrollment
- Recovery Code
- Remember Device for 30 days
Policy
- sign_in_or_sign_up
- update_info
- change_password
- change_email
- reset_mfa
- manage_passkey
- manage_recovery_code
- saml_sso_[idp_name]
- oidc_sso_[provider_name]
Organization:
Mailer Option
- SendGrid
- Mailgun
- Brevo
- Resend
- Postmark
- SMTP (Node.js environment only)
SMS Option
- Twilio
JWT Authentication
- RSA256 based JWT Authentication
- JWT Secret Rotate
Brute-force Protection:
- Log in attempts
- Password reset attempts
- OTP MFA attempts
- SMS MFA attempts
- Email MFA attempts
- Change Email attempts
Logging:
- Logger Level
- Email Logs
- SMS Logs
- Sign-in Logs

This project is licensed under the MIT License. See the LICENSE file for details.