All about my new OSS authorization platform

⚠️ Quick note that this is now considered outdated as Authrio is being rewritten with more features, see about it at! ⚠️

Simple and secure authentication platform, designed for self-hosting 🔒

Over the last couple of months, I have been working on a side project in my spare time whilst working on other (larger) projects – more about that in the next post!

The side project I am referring to is designed to be a simplistic authorization platform, essentially allowing easy API key and password storage whilst being secure by design all at once :)



Demo using and Flask:

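from flask import Flask, request
from authrio import Org, User, BadUserCreds

org = Org.create("qwerty123")
app = Flask(__name__)

@app.route("/protected")  # route path assumed; the original shows no decorator
def protected():
    try:
        # Authenticate the caller from the API key held in the cookie
        user = org.auth(request.cookies.get("AUTHRIO_KEY"))
        # The first field is blank in the original; the user object itself is formatted
        return f"User {user} was created at {user.created}!"
    except BadUserCreds:
        return "Invalid/outdated api key passed!"

@app.route("/signup")  # route path assumed; the original shows no decorator
def signup():
    try:
        # Create a user in this org; the wrapper rejects out-of-range passwords
        user = User.create(org, request.args["password"])
        return f"Created user {user} at {user.created}!"
    except BadUserCreds:
        return "Password too short/long!"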

You can also check out the examples/ directory for some more showcases in various languages 📚


The following components are currently completed:

Name Basic auth Extended management - Link 👍 👍
Authrio.js - Link - Link
API - Link 👍 👍

As for product versioning, Authrio runs in a datewise release cycle, allowing 1 major release per month at maximum. Patches may also be added as an attached .x version if required.


Here’s a diagram showing the flow of Authrio you can implement:

Simply pick one of the 3 wrappers for Authrio to integrate into your application. All of these wrappers have been refined with the appropriate web frameworks in mind (such as + Flask) to provide a more convenient structure.


Official host

You may use the official and secure Authrio API for free, forever! The only limitation is potential rate limits due to spam. Here’s the link:


Another option is self-hosting; this process is easy and only requires a couple of steps:

  1. Download the latest binary: Releases
  2. Run the file using the “setup” command: ./authrio-api setup
  3. Follow the setup instructions and host the API!


The Authrio platform aims to create a simple authentication and API key management system to provide a single, reliable source of truth for passwords. Each user in Authrio contains a private UUID shared only with the local database and their hashed password:

We store passwords using the industry-leading Argon2 hash. As for salts, there is a global pepper for Authrio, stored as an environment variable that shouldn’t change, and a typical salt attached to each user row.
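
How a global pepper and a per-user salt fit together, as an added example that is not Authrio's own code. scrypt from the Python standard library stands in for Argon2 so the block runs without extra packages; the `AUTHRIO_PEPPER` variable name, the HMAC pepper step and the row layout are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import uuid

PEPPER_ENV = "AUTHRIO_PEPPER"  # hypothetical variable name, not from the project


def _pepper() -> bytes:
    value = os.environ.get(PEPPER_ENV)
    if not value:
        # Fail closed: hashing without the pepper would silently weaken every row.
        raise RuntimeError(f"{PEPPER_ENV} is not set")
    return value.encode()


def _derive(password: str, salt: bytes) -> bytes:
    # Pepper step: keyed HMAC, so the stored hash depends on a secret outside the DB.
    peppered = hmac.new(_pepper(), password.encode(), hashlib.sha256).digest()
    # Memory-hard step: scrypt stands in for Argon2 here; about 16 MiB per hash.
    return hashlib.scrypt(peppered, salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_user_row(password: str) -> dict:
    """Build the row a database would hold: UUID, per-user salt, hash. No PII."""
    salt = secrets.token_bytes(16)
    return {"uuid": str(uuid.uuid4()), "salt": salt, "hash": _derive(password, salt)}


def verify(row: dict, candidate: str) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(row["hash"], _derive(candidate, row["salt"]))


def demo() -> dict:
    os.environ[PEPPER_ENV] = "constructed-demo-pepper"  # constructed sample value
    a, b = create_user_row("hunter2hunter2"), create_user_row("hunter2hunter2")
    results = {
        "correct_password": verify(a, "hunter2hunter2"),
        "wrong_password": verify(a, "hunter3hunter3"),
        "same_password_distinct_hashes": a["hash"] != b["hash"],
    }
    # With only the row and no pepper, even the right guess cannot be confirmed;
    # the same happens to every legitimate login if the pepper is ever changed.
    os.environ[PEPPER_ENV] = "some-other-pepper"
    results["right_password_wrong_pepper"] = verify(a, "hunter2hunter2")
    return results
```

The last result is why the pepper has to stay fixed: rotating it requires re-hashing each password at the user's next successful login, since the stored rows cannot be converted offline.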

Another factor in security is that Authrio doesn’t contain any identifiable info about the user other than their UUID, so if either database is breached their password will be secure; due to:


That’s all for now!