Identity infrastructure that answers to you, not external services.
Your authentication layer is the one thing you cannot afford to get wrong. ZenoAuth puts it under your direct control — a single 11 MB binary, one PostgreSQL database, nothing else. Built in Rust for memory safety without garbage collection pauses.
Cloud from €20/month (planned 2026) · Self-hosted €5,000/year
Most IAM solutions require a constellation of services — Redis, message queues, separate databases for sessions and tokens. ZenoAuth compiles to a single binary that's 27x smaller than Keycloak, uses a fraction of the memory, and deploys in seconds.
PostgreSQL handles everything: users, sessions, tokens, audit logs, and caching. No moving parts means fewer things that can break at 3 AM.
A modern admin dashboard built with Next.js 15 and React 19. Manage users, OAuth clients, analytics, audit logs, and SSO providers from a single interface.
Full standards implementation with every flow you need. Authorization code with PKCE, Pushed Authorization Requests (RFC 9126), Dynamic Client Registration (RFC 7591), token introspection, revocation, and JWKS discovery.
Enterprise user and group provisioning with nested groups support. Receive users from Okta, Azure AD, and Google Workspace (inbound). Push users and group structures to Slack, ServiceNow, and other SCIM-compatible systems (outbound).
Multiple MFA methods to match your security posture: TOTP, WebAuthn/Passkeys (FIDO2), SMS and email OTP, and magic link passwordless login. Group-level enforcement policies ensure compliance.
Fine-grained Role-Based Access Control with role inheritance, custom permissions (resource:action format), and organization-scoped isolation. Assign roles to individual users or entire groups.
The first lightweight, self-hosted IAM with native W3C Verifiable Credential support. Issue, verify, and revoke SD-JWT credentials — OID4VCI and OID4VP in the same binary. No other self-hosted IAM platform offers both.
Issue W3C Verifiable Credentials in SD-JWT format (RFC 9901) via OID4VCI 1.0. Selective disclosure lets users reveal only the claims they choose. Authorization code and pre-authorized flows.
Accept credentials from digital wallets via OID4VP 1.0. did:web resolution, trusted issuer registries, and automatic claims-to-RBAC mapping. Wallet-based authentication alongside passwords, SSO, and passkeys.
When HR provisions a user via SCIM, ZenoAuth automatically generates a credential offer. The user picks it up in their wallet — zero manual steps. Enterprise identity automation.
Per-organization issuer DIDs, invitation-based trust, and credential-augmented RBAC. Map external credential claims to internal roles and groups automatically. No SAML XML required.
EU eIDAS 2.0 ready. OID4VCI 1.0, OID4VP 1.0, SD-JWT (RFC 9901), Bitstring Status Lists, DCQL, and did:web — the standards required for the EU Digital Identity Wallet mandate (December 2026).
Zero standing privileges. Cryptographic proof of every elevation. ZenoAuth is the only self-hosted IAM that combines identity management with privileged access control — no CyberArk, no BeyondTrust, no second product required.
No one holds permanent admin access. Users request elevated roles with justification and duration. Privileges auto-expire — no stale superadmin accounts left behind.
Configurable approval policies per role. Manual review, conditional auto-approval for trusted patterns, or NIST assurance-gated elevation that requires MFA before granting access.
P1 at 3 AM? On-call engineers get immediate superadmin access with enhanced audit logging, mandatory post-incident review, and automatic security team notification.
Approved elevations produce signed SD-JWT credentials. Resource servers verify privileges locally — no callback to ZenoAuth. Portable, offline-verifiable, instantly revocable via status lists.
Category of one. CyberArk and BeyondTrust sell PIM starting at $70/user/month — separate from your IAM. ZenoAuth ships PIM inside the same 11 MB binary, at a flat €5,000/year. No per-user fees. No second product.
Where it matters: operational simplicity, resource efficiency, and total cost.
| | ZenoAuth | Keycloak | Auth0 | Okta |
|---|---|---|---|---|
| Deployment size | 11 MB binary | 300+ MB | SaaS only | SaaS only |
| Memory usage | ~50 MB | 500+ MB | N/A | N/A |
| External dependencies | PostgreSQL only | DB + Infinispan + more | N/A | N/A |
| SCIM v2 provisioning | Included (bidirectional) | Via plugin | Enterprise tier | Extra cost |
| Verifiable Credentials | Native (OID4VCI + OID4VP) | OID4VCI only | Not available | Not available |
| Privileged Identity Management | Built-in (JIT + VC tokens) | No | No | No |
| Self-hosted option | €5,000/year | Free (complex ops) | No | No |
| Cost at 1,000 users | €95/mo | Free (ops cost) | ~$500–1,500/mo | ~$2,000+/mo |
| Language / memory safety | Rust | Java | N/A | N/A |
| Time to production | Minutes (Docker) | Hours to days | Minutes | Minutes |
You can't control the threats. You can control the gate.
Ed25519 for JWT signatures, Argon2id for password hashing. Automatic key rotation with grace periods, cluster-aware propagation across HA instances, and emergency revocation.
Every request verified, every token validated. Built-in rate limiting, brute-force protection, and comprehensive audit logging.
Every authentication event, configuration change, and admin action is logged with correlation IDs for incident analysis.
GDPR data export and deletion with grace periods. SOC 2 audit capabilities. Configurable retention policies and consent management.
Deploy ZenoAuth in minutes. Start with a free trial or talk to our team about the right deployment for you.