path: root/README.md
blob: b4b25faea825407e3471ecb0af74e28a73246d2d (plain)
# SecD(iam)

Identity and Access Management enabled by the Sec(urity)D(aemon) but contained in your own infrastructure.

Don't keep using expensive auth providers. secD(iam) is a library which provides robust authentication and custom authorization. You can use one of our pre-configured servers behind a proxy, embed the library into your own application, or build a custom authorization and authentication solution.

secD(iam) allows you to build web, native, mobile, embedded, or any other application for which you want to leverage some type of identity and access management paradigm. Rather than lock yourself into vendors that make it impossible to easily query, manipulate, or otherwise interact with your data, use secD(iam) to easily enable authentication and authorization without hassle.

Get started with:
- the secD binary
- a preconfigured secD server
- browsing the secD integrations for your Flask, Rails, Django, Laravel, React, Svelte, Angular, Micronaut, FastAPI, or Spring Boot project
- the secD library for Python, Go, Rust, Ruby, Java, JavaScript, C, C#, or PHP
- the Terraform template to launch a secD proxy server in AWS, Google Cloud, or Azure.

You can also use the Terraform template to launch secD as a service within your cloud environment, so you really don't ever need to worry about auth again.

## Quick Start

```
$ just run <args>
```


# Overview

secd provides a simple way for you to authenticate and authorize users while maintaining complete control over the data and identity of your users.

**Authentication** is the process of validating that something is what it says it is.

**Authorization** is the process of validating that something is allowed to do the thing it wants to do.

secd is a comprehensive, simple, pluggable API that provides the following high-level functionality:

### Authentication

Register a new **identity**, which is an opaque handle. You can save this handle next to your user/device information.

Save a new **authentication credential** for an **identity**. This is a secret of some sort that allows an identity to prove it is what it says it is.

Create a new authentication credential in multiple ways by **initiating** an **authentication challenge** by means of:
- Email
- OAuth provider
- SMS Number

**validate** an authentication challenge to receive a new **token**. Give this token to the newly registered identity. For example, this token may be saved in a client's browser or some local cache.

**check** if a token is still valid. Every time you check a token, a **token response** will be provided. This response automatically rotates tokens and revokes old tokens. This behavior is customizable.

**create** API key sets which identities may use to authenticate. These API key sets may have finite expiry times.

**revoke** an identity's authentication. This revokes all valid credentials associated with an identity. Alternatively, revoke only a single token, all tokens, a specific API key, or all API keys.


### Authorization
tbd...
Allow

## iam cli

```
iam create validation --email benjaminbellon@gmail.com
iam create session --validation-id 1234 --code 1234
iam create group my-group --identity 1 2 3 4
iam create role my-role --permission 1 2 3 4
iam create service my-service --uri a/b/c
iam create permission my-permission --service my-service
iam ls group
iam ls role --filter re*g$ex
iam link group my-group identity 1 2 3
iam link role my-role permission perm1 perm2 perm3
iam get identity 123
iam get group my-group
```

## Roadmap
- JWT authentication
- OAuth providers to add
- Capabilities scheme

## Who Are We

An enthusiastic collection of application developers, cryptography professionals, security tinfoil-hat-wearing users, and embedded developers with experience across hardware and software from small startups through AWS, Google, Apple, and beyond.