Installation
This guide covers the detailed installation and configuration process for Authrim from the source repository. For a guided deployment, use the Setup Wizard.
System Requirements
Section titled “System Requirements”| Requirement | Minimum Version |
|---|---|
| Node.js | >= 22.0.0 |
| pnpm | >= 9.0.0 |
| Git | Latest |
| Cloudflare Account | Free tier or higher |
Installation Steps
Section titled “Installation Steps”1. Clone and Install
Section titled “1. Clone and Install”# Clone the repositorygit clone https://github.com/sgrastar/authrim.gitcd authrim
# Install dependenciespnpm install
# Login to Cloudflarewrangler login2. Generate Cryptographic Keys
Section titled “2. Generate Cryptographic Keys”Generate the RSA keys used for JWT signing:
./scripts/setup-keys.shThis creates:
| File | Purpose |
|---|---|
.keys/private.pem | RSA private key for JWT signing |
.keys/public.jwk.json | Public key in JWK format |
.keys/metadata.json | Key ID and metadata |
3. Configure Environment Variables
Section titled “3. Configure Environment Variables”# Create .dev.vars with environment variables./scripts/setup-local-vars.sh
# Generate wrangler.toml for local development./scripts/setup-local-wrangler.sh4. Set Up Cloudflare Resources
Section titled “4. Set Up Cloudflare Resources”KV Namespaces
Section titled “KV Namespaces”./scripts/setup-kv.sh --env=devThis creates environment-scoped KV namespaces for cache and configuration data. Current bindings include:
CLIENTS_CACHE- OAuth client metadata cacheINITIAL_ACCESS_TOKENS- Dynamic Client Registration initial access tokensSETTINGS- System settingsREBAC_CACHE- RBAC/ReBAC claims cacheUSER_CACHE- User metadata cacheAUTHRIM_CONFIG- Generated deployment configurationTENANT_RUNTIME_REGISTRY- Tenant runtime registry snapshotsSTATE_STORE- Compatibility/runtime state storageCONSENT_CACHE- Consent cache
Authorization codes, refresh token rotation, DPoP JTI replay checks, PAR request state, device codes, CIBA requests, SAML state, and rate limiting are handled by Durable Objects rather than KV.
D1 Database
Section titled “D1 Database”./scripts/setup-d1.sh --env=devCreates the deployment-level D1 databases:
| Binding | Database name pattern | Purpose |
|---|---|---|
DB | {env}-authrim-core-db | Core OAuth/OIDC, policy, consent, passkey, custom-claim, and transient auth data |
DB_PII | {env}-authrim-pii-db | Sensitive identity values, subject identifiers, linked identity records, PII tombstones, and PII audit data |
DB_ADMIN | {env}-authrim-admin-db | Admin users, admin RBAC, runtime profiles, tenant database registry, audit/logging control data |
Fresh installs apply SQL from:
migrations/001_core_foundation.sqlthrough the latest core migrationmigrations/pii/001_pii_schema.sqlmigrations/admin/001_admin_users_rbac_security.sqlthrough the latest admin migration
Authrim uses runtime storage profiles to route logical sources and storage slices. The default profile is builtin:storage:shared-d1; larger or regulated deployments can use builtin:storage:tenant-d1 with generated tenant D1 bindings, or external database profiles where supported.
Durable Objects
Section titled “Durable Objects”./scripts/setup-durable-objects.shDeploys Durable Objects from @authrim/ar-lib-core. Key bindings include:
SESSION_STORE/SESSION_CLIENT_STORE- session state and client session mirrorsKEY_MANAGER- cryptographic key managementAUTH_CODE_STORE- OAuth authorization code storageREFRESH_TOKEN_ROTATOR- refresh token rotationCHALLENGE_STORE- passkey and one-time challenge stateRATE_LIMITER- atomic rate limitingPAR_REQUEST_STORE- PAR request URI stateDPOP_JTI_STORE- DPoP replay protectionDEVICE_CODE_STORE/CIBA_REQUEST_STORE- Device Flow and CIBA stateTOKEN_REVOCATION_STORE- token revocation stateSAML_REQUEST_STORE/SAML_AGGREGATE_METADATA_STORE- SAML request and metadata stateFLOW_STATE_STORE- flow engine runtime state
5. Optional: Configure Email (Resend)
Section titled “5. Optional: Configure Email (Resend)”For Email Code authentication:
./scripts/setup-resend.sh --env=localWithout Resend, Email Code values will be logged to the console (useful for development).
Project Structure
Section titled “Project Structure”authrim/├── packages/│ ├── ar-lib-core/ # Core services, schemas, Durable Objects, storage routing│ ├── ar-discovery/ # Discovery & JWKS endpoints│ ├── ar-auth/ # Authorization, login, consent, flow engine│ ├── ar-token/ # Token, introspection, revocation, token exchange│ ├── ar-userinfo/ # UserInfo endpoint│ ├── ar-management/ # Admin API and management surfaces│ ├── ar-async/ # Device Flow & CIBA│ ├── ar-saml/ # SAML IdP/SP│ ├── ar-bridge/ # External IdP bridge│ ├── ar-policy/ # Policy service│ ├── ar-vc/ # Verifiable Credentials│ ├── ar-router/ # Service Bindings router│ ├── ar-admin-ui/ # Admin UI worker│ ├── ar-login-ui/ # Login UI worker│ ├── setup/ # @authrim/setup CLI and Web UI│ ├── ar-lib-scim/ # SCIM library│ ├── ar-lib-logging/ # Logging/audit runtime│ └── ar-lib-policy/ # Policy engine library├── scripts/ # Setup & deployment scripts├── migrations/ # Core, PII, and admin D1 migrations├── conformance/ # OpenID conformance testing└── test/ # Environment validation and smoke testsWorker Architecture
Section titled “Worker Architecture”| Worker | Purpose | Endpoints |
|---|---|---|
| ar-discovery | OIDC Discovery | /.well-known/* |
| ar-auth | Authorization, login, consent | /authorize, /login, /consent, flow routes |
| ar-token | Token issuance and token operations | /token, /introspect, /revoke, token exchange |
| ar-userinfo | UserInfo | /userinfo |
| ar-management | Admin API and management surfaces | /api/admin/*, /register |
| ar-async | Async flows | /device_authorization, /bc-authorize |
| ar-saml | SAML IdP/SP | SAML metadata, SSO, SLO, ACS routes |
| ar-bridge | External IdP bridge | Social login, linked identity, handoff routes |
| ar-policy | Policy evaluation | Policy check/evaluation routes |
| ar-vc | Verifiable Credentials | VC issuer/verifier routes |
| ar-router | Public routing via Service Bindings | Routes requests to the component workers |
Available Scripts
Section titled “Available Scripts”Development
Section titled “Development”pnpm run dev # Start all workers with hot reloadpnpm run build # Build all packagespnpm run build:api # Build API workers only (exclude UI)Testing
Section titled “Testing”pnpm run test # Run unit testspnpm run test:e2e # Run E2E tests (Playwright)pnpm run test:e2e:ui # Run E2E tests with UIpnpm run test:lighthouse # Run Lighthouse performance testsCode Quality
Section titled “Code Quality”pnpm run lint # Run ESLintpnpm run typecheck # TypeScript type checkingpnpm run format # Format code with Prettierpnpm run format:check # Check code formattingDeployment
Section titled “Deployment”pnpm run deploy # Deploy workers with retry logicpnpm run deploy:ui # Deploy Admin UI and Login UI workerspnpm run deploy:all # Deploy everythingSetup CLI
Section titled “Setup CLI”pnpm run setup # Start the setup Web UI from sourcepnpm run setup:init # Initialize a new environmentpnpm run setup:deploy # Deploy a configured environmentpnpm run setup:status # Show deployment statuspnpm run setup:info # Show resource informationFor tenant-D1 environments:
npx @authrim/setup tenant-db-pool-status --env prodnpx @authrim/setup tenant-db-pool-expand --env prod --add-slots 10npx @authrim/setup tenant-db-migrate-all --env prodConformance Testing
Section titled “Conformance Testing”pnpm run conformance:basic # Run Basic OP testspnpm run conformance:config # Run Config OP testspnpm run conformance:dynamic # Run Dynamic OP testspnpm run conformance:fapi2 # Run FAPI 2.0 testspnpm run conformance:all # Run all conformance testsTroubleshooting
Section titled “Troubleshooting”Port 8787 already in use
Section titled “Port 8787 already in use”# Kill the process using the portlsof -ti:8787 | xargs kill -9
# Or use a different portwrangler dev --port 8788KV namespace not found
Section titled “KV namespace not found”wrangler kv namespace list./scripts/setup-kv.sh --env=devPrivate key not found
Section titled “Private key not found”./scripts/setup-keys.sh./scripts/setup-local-vars.shTypeScript errors
Section titled “TypeScript errors”pnpm run typecheckView logs
Section titled “View logs”# Developmentwrangler dev --log-level debug
# Productionwrangler tail --env productionNext Steps
Section titled “Next Steps”- OIDC Configuration - Configure OpenID Connect
- API Reference - Explore the API