Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, mobile passport approvals, security alerts, and OpenID Connect in one TypeScript codebase.
This repository ships the `idp.global` server, CLI, web UI, and tspublish submodules used by the hosted service. Shared public contracts live in `@idp.global/interfaces`; reusable browser/server SDK code lives in `@idp.global/sdk`.
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
The seed command starts an interactive CLI that writes to the configured local database. The default demo workspace creates a global admin, an organization, demo users, and global OAuth app records.
Default development credentials if accepted unchanged:
`PassportManager` powers the trusted-device side of idp.global. A web session can create a passport enrollment challenge, the Swift app completes enrollment through a QR/NFC pairing payload, and later sign-in or identity checks can be approved by the paired device with signed challenge responses.
The typed request surface includes:
-`createPassportEnrollmentChallenge` and `completePassportEnrollment` for pairing a trusted device.
-`getPassportDevices` and `revokePassportDevice` for account-level device management.
-`createPassportChallenge`, `approvePassportChallenge`, `rejectPassportChallenge`, and `listPendingPassportChallenges` for approval flows.
-`getPassportDashboard`, `listPassportAlerts`, and `markPassportAlertSeen` for mobile app dashboards and notifications.
-`registerPassportPushToken` for push delivery setup.
The reception backend supports real multi-factor authentication for account logins:
- TOTP enrollment with `startTotpEnrollment` and `finishTotpEnrollment`.
- Hashed one-time backup codes through `regenerateBackupCodes` and `verifyMfaChallenge`.
- WebAuthn passkey registration, revocation, passwordless login, and MFA step-up through the `startPasskey*` and `finishPasskey*` request pairs.
- Password and magic-link logins return `twoFaNeeded`, `mfaChallengeToken`, and `availableMfaMethods` instead of a refresh token when MFA is configured.
TOTP secrets are AES-GCM encrypted. Set `IDP_TOTP_ENCRYPTION_KEY` in production so encrypted credentials remain stable across deployments.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
