Service setup

Configure shared identity for apps. App-level authorization stays inside each application.

Checking

Deployment

Runtime values used by the service and Traefik deployment.

Branding

Applications

Register applications, create API auth keys, and use the registry for user assignments.

Register application

ApplicationAllowed IPsStatusUsersCreatedAction

Request API auth key

ApplicationStatusCreatedLast usedAction

Console access

Identity Services administrators sign in with local accounts using either mobile number or email address.

Not signed in Local administrator access only.
Admin console sign-in

The setup console accepts local Identity Services administrator accounts only. Use password login or OTP login with the same email address or mobile number stored in the directory.

OTP providers

Configure SMS and email delivery used by OTP login. Generic API, Fast2SMS, and US carrier email-to-SMS match the VMTS setup.

Delivery settings

Test SMS

Directory

Create users, assign auth-service administrators, and review MFA flag, devices, and active sessions.

Create user

Import users

NameMobileEmailEmployee IDAdminApplicationsStatusMFADevicesSessionsAction

API docs

Shared authentication endpoints for registered applications. Use an API Auth Key from the Applications section.

POST/auth/register

Check whether a user exists in the directory and is assigned to the calling application before app onboarding or sign-in.


        

        

          
POST/auth/otp/request

          
Request a login OTP by mobile number or email address. Delivery uses the configured OTP Providers setup; local dev codes are shown only when enabled.

          

        

        

          
POST/auth/otp/verify

          
Verify an OTP and receive access and refresh tokens.

          

        

        

          
POST/auth/login

          
Login with email/mobile number and password. Returns user, session, access token, and refresh token.

          

        

        

          
GET/auth/session

          
Validate an access token and load the authenticated user.

          

        

        

          
POST/auth/token/refresh

          
Exchange a refresh token for a new access token.

          

        

        

          
POST/auth/logout

          
Revoke a session using either an access token or refresh token.

          

        

        

          
GET/users/sync

          
One-way user sync for the calling application. The API Auth Key identifies the application, and only users assigned to that application are returned. Client apps should store auth_user_id and update only when sync_hash changes. The mapped fields include optional emp_id.

          

        

        

          
POST/auth/password/request-reset

          
Start password reset or account recovery for a mobile number or email address.

          

        

        

          
POST/auth/password/reset

          
Complete password reset with the recovery token.

          

        

      

      

        User sync contract
        
This auth service is the source of truth for shared users. Application sync is one-way from auth service to the calling application. Only users assigned to that application are returned. Existing local users should not be overwritten unless one of the mapped fields changes and the sync_hash differs. Mapped fields include optional emp_id.

      

      

        Authentication header
        
Applications call protected endpoints with X-Auth-Service-Key: ask_your_api_key. Access-token checks also include Authorization: Bearer access_token_here.

      

    


    

      

        

          
System documentation

          
End-to-end guidance for installing, operating, and integrating IDENTITY Services as a shared directory and authentication service.

        

      

      

        

          
What this service does

          
IDENTITY Services is the shared authentication and directory source for your applications. It manages local service administrators, shared end users, OTP and password-based login, application registration, API auth keys, user-to-application assignment, audit logging, and one-way user sync.

          
Important: This service handles authentication and shared directory data. Authorization, roles, and fine-grained permissions stay inside each consuming application.

        


        

          
Installation and local deployment

          
    
            
  1. Make sure Docker and Docker Compose are available on the host.
    2. 
            
  2. Make sure your shared Traefik container is already running and can route auth.localhost.
    3. 
            
  3. From the project folder, start the stack.
    4. 
          

          
cd /Users/mkargal/codex/deplAS

docker compose up -d --build

          
The stack runs two containers: the auth service and MySQL. Traefik remains external and forwards http://auth.localhost to this service.

        


        

          
Initial setup

          
    
            
  1. Open the setup console at http://auth.localhost/setup.
    2. 
            
  2. Create or sign in with a local administrator account.
    3. 
            
  3. Set the Public hostname and token secret under Platform.
    4. 
            
  4. Configure OTP Providers if SMS or email OTP delivery is required.
    5. 
            
  5. Register each consuming application and define its allowed IP addresses.
    6. 
            
  6. Create an API Auth Key for each registered application.
    7. 
            
  7. Create or import users in Directory and assign them to one or more applications.
    8. 
          

        


        

          
Application onboarding model

          

            

              Application registration
              
Each consuming app must be registered with a name and IP allow-list.

            

            

              API auth key
              
Each app calls protected APIs with its own X-Auth-Service-Key header.

            

            

              User assignment
              
Users only sync to and authenticate for applications they are assigned to.

            

            

              Fail-closed IP policy
              
If an application has no allowed IPs configured, requests are rejected by default.

            

          

        


        

          
How other applications integrate

          
    
            
  1. Register the application in Platform.
    2. 
            
  2. Add the allowed source IPs or CIDR ranges for that application.
    3. 
            
  3. Create an API auth key and store it securely in the consuming app.
    4. 
            
  4. Assign users to that application in Directory.
    5. 
            
  5. Call the auth APIs by sending X-Auth-Service-Key with each request.
    6. 
          

          
curl http://auth.localhost/users/sync   -H "X-Auth-Service-Key: ask_your_api_key"

          
The service identifies the calling application from the API key, checks the request IP against the allow-list, and returns only users assigned to that application.

        


        

          
Recommended end-user login flow for consuming apps

          
    
            
  1. User enters email address or mobile number in the consuming app.
    2. 
            
  2. The app calls /auth/register or /auth/otp/request to validate that the user exists in the shared directory and is assigned to that application.
    3. 
            
  3. If the user does not exist, the response is User not in the directory service.
    4. 
            
  4. If the user exists but is not assigned, the response is You are not allowed to access this application. Contact Administrator.
    5. 
            
  5. If the user is valid and assigned, continue with OTP verify or password login.
    6. 
            
  6. Store access and refresh tokens in the consuming application session.
    7. 
            
  7. Use /auth/session to validate tokens and load the authenticated user profile.
    8. 
          

        


        

          
User sync contract

          
Sync is one-way from IDENTITY Services to the consuming application. The consuming application must not push user changes back into this service.

          
    
            
  • Use /users/sync to retrieve assigned users.
    • 
            
  • Store auth_user_id from this service in the consuming application.
    • 
            
  • Update local copies only when mapped fields change and sync_hash changes.
    • 
            
  • Do not sync local Identity Services admin accounts to consuming applications.
    • 
            
  • Mapped fields include name, mobile_number, email, optional emp_id, and status-related data.
    • 
          

        


        

          
Maintenance and operations

          

            

              Audit review
              
Use the Audit tab to monitor admin actions, API usage, denied requests, and rejected IP calls.

            

            

              Audit purge
              
Purge audit events older than N days, or use 0 to purge all history and start fresh with a new purge event.

            

            

              Key rotation
              
Delete an existing API auth key and create a new one per application when rotating credentials.

            

            

              User lifecycle
              
Create, edit, disable, delete, or CSV-import users from the Directory tab.

            

          

        


        

          
Backup and recovery

          
The durable data lives in MySQL and the mounted data volume used for uploaded branding assets. Back up both on a regular schedule.

          
docker compose ps

docker compose logs --tail=100 auth-service

docker compose logs --tail=100 mysql

          
    
            
  • Back up the MySQL database before upgrades.
    • 
            
  • Back up persistent volumes that contain uploaded assets.
    • 
            
  • After recovery, verify the setup console, application registry, API keys, and OTP configuration.
    • 
          

        


        

          
Security checklist

          
    
            
  • Use a strong token secret in production.
    • 
            
  • Restrict each application with an explicit IP allow-list.
    • 
            
  • Rotate API auth keys periodically.
    • 
            
  • Review audit events for rejected IPs and unusual API activity.
    • 
            
  • Use HTTPS at the reverse proxy in non-local environments.
    • 
            
  • Limit local administrator accounts to people who manage the identity service itself.
    • 
          

        


        

          
Troubleshooting

          

            

              Request rejected by IP policy
              
Check the application allow-list and compare the Effective IP, Forwarded IP, and Remote Address shown in the Audit log.

            

            

              User cannot sign in to an app
              
Verify the user exists in Directory, is active, and is assigned to that application.

            

            

              OTP not delivered
              
Review OTP Provider settings and send a test SMS from the Authentication tab.

            

            

              Sync result is empty
              
Check the API auth key, app assignment list, and application IP allow-list.

            

          

        

      

    


    

      

        

          
Audit log

          
Recent security events emitted by the shared auth service.

        

      

      

        
Purge audit history

        
        
        

      

      

        

          
EventUserIPDateTime