Open-source, self-hosted OIDC/OAuth2 identity provider. SSO, MFA, passkeys, social login, and multi-tenancy — deployed on your own servers with zero per-user fees.
curl --proto '=https' --tlsv1.2 -fsSL https://get.parako.id | sudo bash
Design choices that put you in control of your data, your costs, and your identity infrastructure.
Flat infrastructure cost regardless of user count. Grow from 100 to 10 million without your auth bill compounding against you.
User records, sessions, signing keys, and audit logs live in your database. No third party ever processes your identity data.
Server-rendered flows — no SPA bundle before login appears. Reliable on 2G/3G links, institution Wi-Fi, and low-end devices.
Email, phone, username, employee IDs, and student matricule numbers — natively supported, no plugins or custom schemas required.
TOTP, passkeys, dynamic client registration, device flow — the full spectrum, out of the box.
One session across all apps. Authorization code + PKCE, discovery, and RP-initiated logout.
TOTP, email OTP, SMS (Twilio), backup codes, security questions, and WebAuthn/FIDO2 passkeys.
Federate with Google, GitHub, Microsoft, LinkedIn, and Facebook. PKCE-enforced on every flow.
Per-tenant data isolation, branding, and OIDC providers. Subdomain or header tenant resolution.
Web UI for users, OIDC clients, sessions, JWKS keys, activity logs, settings, and tenants.
RESTful API at /api/v1 with 30 scoped permissions via OAuth2 Client Credentials.
RFC 8628 authorization for IoT devices, TVs, and CLI tools with no embedded browser.
Argon2id hashing, configurable policy, and Have I Been Pwned k-anonymity breach detection.
Per-tenant logos, colors, fonts, and fully replaceable Nunjucks view templates.
10 locales out of the box with runtime switching and per-tenant locale configuration.
Prometheus metrics, structured Pino logging, optional file rotation, and distributed tracing.
RFC 7591 registration with initial access tokens for automated provisioning in CI/CD.
Choose the storage model that matches your stage. Switch backends by changing config — your identity flows stay the same.
Local dev · evaluation · small deployments
Single file, no external process. Zero configuration. Managed by Prisma. Single-process deployments only.
Production · multi-tenancy
Tenant-scoped queries via a global Mongoose plugin. Supports horizontal scaling, replica sets, and optional Redis for OIDC ephemeral storage.
Production · row-level security
Prisma-managed with RLS policies enforcing tenant isolation at the database level. Full migration support.
Run a complete identity platform for multiple organizations from a single deployment. Tenants resolve by subdomain or header — each gets its own isolated world.
_platforms master realm with cross-tenant management
One command on any Linux host. Verifies the release via Sigstore, stages files under /opt/parako-id/, and prints your next steps.
Or run from source for local development: