Overview

allowthem is an embeddable authentication system. It can run as a Rust library (embedded mode) or as a standalone OIDC provider (external mode). Consuming projects code against an AuthClient trait, so switching between modes requires only a configuration change.

Dual-mode architecture

Embedded mode — add allowthem-core as a dependency. Tables live in your database with an allowthem_ prefix. Sessions, passwords, MFA, roles — all managed in-process.

Standalone mode — run the allowthem binary as a separate service. It exposes OIDC endpoints, signs RS256 tokens, publishes a JWKS endpoint, and provides an admin UI for user management.

When to use which

Use embedded mode when you want auth as a library with full control over the database and configuration. Use standalone mode when you need a shared identity provider across multiple services.