SemAuth documentation

SemAuth is a multi-tenant OpenID Connect (OIDC) identity provider, operated as a hosted service by Kovilo. It lets your organization run its own login service: you register the applications that need sign-in, choose how your users authenticate (magic links, passkeys, or "Sign in with Google/LinkedIn"), and SemAuth issues the standard ID tokens and access tokens your apps verify.

This documentation is written for two audiences, side by side:

Start here

Core concepts →

Organizations, realms, applications, clients, and users — what each one is and how they nest.

Getting started →

Create your organization, sign in for the first time, and register your first application.

How users sign in →

Magic links, passkeys, and federated login — the end-user experience and how to enable each.

OIDC endpoint reference →

Discovery, authorize, token, userinfo, JWKS, logout — the protocol surface your app talks to.

What SemAuth gives you

CapabilitySummary
Standard OIDCAuthorization-code flow with mandatory PKCE, refresh tokens with rotation + reuse detection, RS256-signed ID tokens, and a published JWKS for stateless verification.
Passwordless by defaultUsers sign in with a magic link emailed to them or a passkey (WebAuthn / FIDO2). No passwords to store or leak.
FederationLet users sign in with an external identity provider — Google, LinkedIn, or any generic OIDC provider.
Assurance levelsRequire a minimum authentication strength (single-factor, MFA, or phishing-resistant) per realm, enforced at token issuance.
Multi-tenantSemAuth hosts many organizations side by side; each gets isolated realms, users, and an admin console on its own subdomain.
Custom domainsServe a realm at your own hostname (e.g. idp.acme.com) with automatic TLS.
Admin APIAutomate realm, client, and federation management over a bearer-authenticated REST API, or from the terminal with the CLI.
Audit trailEvery change and every sign-in is event-sourced and visible in the Activity and Events views.

The big picture

At a glance, here is how the pieces fit together — an organization owns realms, a realm hosts your applications and your users, and applications contain the OIDC clients your software authenticates as:

flowchart TD Org["Organization<br/><small>your tenant · admin console</small>"] Realm["Realm<br/><small>an OIDC issuer</small>"] App["Application<br/><small>a product grouping</small>"] Client["Client<br/><small>an OIDC relying party</small>"] User["User<br/><small>an end-user identity</small>"] Org --> Realm Realm --> App Realm --> User App --> Client

Read Core concepts next for a precise definition of each of these and the URL each one lives at.