Gatekeeper
Gatekeeper is a self-hosted authentication gateway for internal apps. It gives you one auth domain, one session, and one admin surface for sign-in, approvals, app access, and audit/security review.
What Gatekeeper does
Puts a dedicated auth service in front of internal apps using nginx auth_request
Supports email OTP, passkeys, Google SSO, and GitHub SSO
Auto-approves users from trusted domains and sends everyone else into pending approval
Lets admins manage users, apps, domains, bans, branding, and audit logs from one place
Keeps your auth data on your infrastructure
Typical flow
A user visits https://docs.example.com.
nginx makes a subrequest to Gatekeeper at /api/v1/auth/validate.
If the user is not signed in, nginx redirects them to https://auth.example.com/signin.
The user proves identity with OTP, passkey, Google, or GitHub.
If their account is approved, Gatekeeper sets a session cookie and redirects them back.
If their account is pending, Gatekeeper records the attempt and waits for admin approval.
Operational model
Gatekeeper works best when:
auth.example.com is your dedicated auth host
internal apps live on sibling subdomains such as docs.example.com or grafana.example.com
COOKIE_DOMAIN=.example.com is set for cross-subdomain SSO
auth and internal app domains send X-Robots-Tag: noindex, nofollow, noarchive
production deploys use PUBLIC_API_DOCS=false and a tight TRUSTED_PROXY_IPS list
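The typical flow and operational model above, sketched as an nginx server block for docs.example.com. This is an added example, not configuration from the Gatekeeper project: the upstream addresses, certificate paths, internal location names, the forwarded headers, and the 401 response for a missing session are assumptions.

```nginx
# Added example; values marked "hypothetical" or "assumed" are not from the Gatekeeper docs.
server {
    listen 443 ssl;
    server_name docs.example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    # Keep the protected app out of search indexes, on error and redirect responses too.
    add_header X-Robots-Tag "noindex, nofollow, noarchive" always;

    location / {
        auth_request /_gatekeeper_validate;    # a 2xx subrequest result lets the request through
        error_page 401 = @gatekeeper_signin;   # assumed: validate answers 401 when there is no session
        proxy_pass http://127.0.0.1:3000;      # hypothetical docs app upstream
    }

    location = /_gatekeeper_validate {
        internal;                              # clients cannot request this location directly
        proxy_pass http://127.0.0.1:8080/api/v1/auth/validate;   # hypothetical Gatekeeper address
        proxy_pass_request_body off;           # the auth decision needs headers and cookies only
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;           # assumed: Gatekeeper identifies the app by host
        # Overwrite instead of appending, so a client-supplied value never reaches Gatekeeper.
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location @gatekeeper_signin {
        # This page does not show how the return URL is passed, so none is added here.
        return 302 https://auth.example.com/signin;
    }
}
```

With auth_request, a 403 from the subrequest is returned to the client as 403, and any status other than 2xx, 401 or 403 is treated as an error, so an unreachable Gatekeeper denies access rather than allowing it.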
Start here
Install Gatekeeper, configure email and domains, create your first admin, and protect your first app.
Operational guides for users, apps, deployment, audit logs, and SSO providers.
Current CLI, API, and environment reference for the running product.