Auth0 is a great product. So is Clerk. But at scale, both get expensive fast. Auth0 can run into hundreds of dollars a month once you cross certain MAU thresholds. Clerk charges per user. If you are building a multi-tenant SaaS, those numbers compound quickly.
I spent a long time looking for an alternative. Something with JWT rotation, RBAC, webhooks, audit logs, and multi-tenancy baked in. I could not find one that covered the full surface, so I built it.
What HVT is
HVT is a self-hostable authentication platform. You run it yourself for free, or use the managed cloud version at hvts.app. It is licensed under AGPL v3.
The core model is: Organisation → Project → API key → Runtime token.
Each app or environment gets its own project. Runtime users (your app's end users) are isolated per project. The same email can exist across different projects without collision.
What it covers
- JWT with rotation and blacklisting
- Runtime user signup, login, social auth (Google, GitHub)
- Per-project RBAC with custom app roles and permission slugs
- HMAC-signed webhooks with retry and auto-disable
- Full audit logging across 21 event types
- TypeScript SDK (@hvt/sdk)
- One-click Railway deploy
Why AGPL
If you modify HVT and deploy it as a network service, you have to open-source those changes. That is intentional. It keeps the ecosystem honest and ensures improvements flow back to the community.
Where it is now
The backend is live at api.hvts.app. Docs are at docs.hvts.app. The SDK is published under @hvt/sdk on npm. It is early, but it works.
Check out the HVT GitHub Repository
If you have been burned by auth pricing or vendor lock-in, give it a look. Feedback welcome.
markodera / hvt
HVT is an open-source authentication infrastructure built for developers, start-ups and teams who want to build fast and take full control of their authentication systems
HVT
HVT is an open-source authentication platform built with Django and Django REST Framework. It provides a control plane for organizations, projects, API keys, invites, webhooks, and audit logs, plus a runtime auth plane for customer-facing applications.
Current Scope
- email and password authentication
- JWT access and refresh tokens
- registration, email verification, and password reset
- Google and GitHub social login
- organizations, projects, and API keys
- project-scoped runtime auth with shared identity across projects
- invitations, project roles, permissions, and audit logs
- webhook delivery for organization events
Project Model
HVT separates two concerns:
- control plane: the dashboard and admin-facing APIs used to manage organizations, projects, API keys, social providers, invites, and webhooks
- runtime plane: project-scoped auth flows that your application uses for sign-up, sign-in, social login, verify-email, and password reset
True Multi-Tenant Isolation: User accounts are strictly isolated at the project level. Unlike traditional Django apps where an email must be globally unique…