The Logic of Access

Identity infrastructure that answers to you, not external services.

Your authentication layer is the one thing you cannot afford to get wrong. ZenoAuth puts it under your direct control — a single 11 MB binary, one PostgreSQL database, nothing else. Built in Rust for memory safety without garbage collection pauses.

Start Free Trial View Pricing

Cloud from €20/month (planned 2026) · Self-hosted €5,000/year

ZenoAuth Admin Dashboard showing system metrics, health status, and recent activity
11 MB Single binary
~50 MB Memory footprint
157+ API endpoints
1 External dependency

One Binary. Complete Control.

Most IAM solutions require a constellation of services — Redis, message queues, separate databases for sessions and tokens. ZenoAuth compiles to a single binary that's 27x smaller than Keycloak, uses a fraction of the memory, and deploys in seconds.

PostgreSQL handles everything: users, sessions, tokens, audit logs, and caching. No moving parts means fewer things that can break at 3 AM.

11 MB vs 300+ MB (Keycloak)
~50 MB vs 500+ MB RAM
0 GC pauses (Rust)
ZenoAuth Architecture: single binary with PostgreSQL

See It in Action

A modern admin dashboard built with Next.js 15 and React 19. Manage users, OAuth clients, analytics, audit logs, and SSO providers from a single interface.

ZenoAuth Analytics Dashboard showing user activity charts, OAuth metrics, and security data

See All Features

Complete OAuth 2.0 & OpenID Connect

Full standards implementation with every flow you need. Authorization code with PKCE, Pushed Authorization Requests (RFC 9126), Dynamic Client Registration (RFC 7591), token introspection, revocation, and JWKS discovery.

Pushed Authorization Request
# Push authorization parameters server-side POST /oauth/par Authorization: Basic base64(client_id:secret) { "response_type": "code", "redirect_uri": "https://app.com/callback", "scope": "openid profile", "code_challenge_method": "S256" }
OAuth client management interface showing registered applications

Bidirectional SCIM v2 Provisioning

Enterprise user and group provisioning with nested groups support. Receive users from Okta, Azure AD, and Google Workspace (inbound). Push users and group structures to Slack, ServiceNow, and other SCIM-compatible systems (outbound).

  • Nested groups with transitive membership resolution
  • Event-driven and scheduled bidirectional sync
  • Custom attribute mapping rules
  • RFC 7643/7644 compliant
User management showing accounts, roles, MFA status, and login history

Multi-Factor Authentication

Multiple MFA methods to match your security posture: TOTP, WebAuthn/Passkeys (FIDO2), SMS and email OTP, and magic link passwordless login. Group-level enforcement policies ensure compliance.

Hierarchical RBAC

Fine-grained Role-Based Access Control with role inheritance, custom permissions (resource:action format), and organization-scoped isolation. Assign roles to individual users or entire groups.

NEW

Verifiable Credentials. Native.

The first lightweight, self-hosted IAM with native W3C Verifiable Credential support. Issue, verify, and revoke SD-JWT credentials — OID4VCI and OID4VP in the same binary. No other self-hosted IAM platform offers both.

Issue SD-JWT Credentials

Issue W3C Verifiable Credentials in SD-JWT format (RFC 9901) via OID4VCI 1.0. Selective disclosure lets users reveal only the claims they choose. Authorization code and pre-authorized flows.

Verify Wallet Presentations

Accept credentials from digital wallets via OID4VP 1.0. did:web resolution, trusted issuer registries, and automatic claims-to-RBAC mapping. Wallet-based authentication alongside passwords, SSO, and passkeys.

SCIM-to-VC Pipeline

When HR provisions a user via SCIM, ZenoAuth automatically generates a credential offer. The user picks it up in their wallet — zero manual steps. Enterprise identity automation.

Cross-Org Federation

Per-organization issuer DIDs, invitation-based trust, and credential-augmented RBAC. Map external credential claims to internal roles and groups automatically. No SAML XML required.

Credential Types management showing vc+sd-jwt formats, claims schemas, and active status
Issued Credentials table with active, revoked, and expired status badges

EU eIDAS 2.0 ready. OID4VCI 1.0, OID4VP 1.0, SD-JWT (RFC 9901), Bitstring Status Lists, DCQL, and did:web — the standards required for the EU Digital Identity Wallet mandate (December 2026).

How ZenoAuth Compares

Where it matters: operational simplicity, resource efficiency, and total cost.

ZenoAuth Keycloak Auth0 Okta
Deployment size 11 MB binary 300+ MB SaaS only SaaS only
Memory usage ~50 MB 500+ MB N/A N/A
External dependencies PostgreSQL only DB + Infinispan + more N/A N/A
SCIM v2 provisioning Included (bidirectional) Via plugin Enterprise tier Extra cost
Verifiable Credentials Native (OID4VCI + OID4VP) OID4VCI only Not available Not available
Self-hosted option €5,000/year Free (complex ops) No No
Cost at 1,000 users €95/mo Free (ops cost) ~$500–1,500/mo ~$2,000+/mo
Language / memory safety Rust Java N/A N/A
Time to production Minutes (Docker) Hours to days Minutes Minutes

Security Built on Logic, Not Fear

You can't control the threats. You can control the gate.

Modern Cryptography

Ed25519 for JWT signatures, Argon2 for password hashing. Key rotation with grace periods and emergency revocation.

Zero-Trust Architecture

Every request verified, every token validated. Built-in rate limiting, brute force protection, and comprehensive audit logging.

Complete Audit Trail

Every authentication event, configuration change, and admin action is logged with correlation IDs for incident analysis.

Compliance Ready

GDPR data export and deletion with grace periods. SOC2 audit capabilities. Configurable retention policies and consent management.

Security Documentation

Take Control of Your Authentication Infrastructure

Deploy ZenoAuth in minutes. Start with a free trial or talk to our team about the right deployment for you.

Start Free Trial Contact Sales