# Authress - Knowledge Base

## Docs

- [Auth Academy](https://authress.io/knowledge-base/academy/topics): Learn everything there is to know about Auth through these easy-to-follow articles in the Authress Academy.
- [Choosing the best access control strategy](https://authress.io/knowledge-base/academy/topics/access-control-strategies): A comparison of different access control strategies such as role-based access control (RBAC) and others.
- [Securing your secrets: Credential management](https://authress.io/knowledge-base/academy/topics/credential-management): Keeping credentials secure can be a nightmare. Here, we'll explore the different ways to keep your sensitive credentials and private keys secure.
- [How does machine to machine authentication work?](https://authress.io/knowledge-base/academy/topics/how-does-machine-to-machine-auth-work): Machine to machine auth is how you ensure secure communication between individual services, and each service can authorize others to access protected resources.
- [What is Authentication?](https://authress.io/knowledge-base/academy/topics/implementating-user-login): Learn how to securely implement Authentication and user Login. Here we'll review what auth means, how to use JWTs, and why we need them.
- [Denylists and Invalidating user access](https://authress.io/knowledge-base/academy/topics/invalidating-user-access): Learn how to securely log a user out, revoke or invalidate the current access, and support denylists in your application for OAuth JWTs.
- [Down scoping tokens and permission attenuation](https://authress.io/knowledge-base/academy/topics/offline-attenuation): What is permission attenuation and how to deal with potentially untrusted environments.
- [The risks of user impersonation](https://authress.io/knowledge-base/academy/topics/user-impersonation-risks): User impersonation and logging in as a customer can be used as a tool to help identify many issues from user authentication and onboarding to corrupted data in complex multi-service execution paths.
- [Configure AWS EventBridge and GCP Pub/Sub Audit Stream](https://authress.io/knowledge-base/docs/account-management/aws-event-bridge-audit-trail): Consume Authress events and trigger custom actions or integrate with your existing SIEM through AWS EventBridge
- [Managing multiple environments (prod/staging/dev)](https://authress.io/knowledge-base/docs/account-management/managing-multiple-environments): How to work with multiple environments and integrating them with Authress
- [Admin SSO](https://authress.io/knowledge-base/docs/account-management/sso): Authress provides easy access to your account via your existing corporate identity provider. Besides SAML and OpenID, there are a number of first class connections available for AWS, Auth0, Okta, and Microsoft Azure AD (Entra). These options enable your engineering team members to log into Authress without needing to sign up.
- [AWS Single Sign-On](https://authress.io/knowledge-base/docs/account-management/sso/aws-sso): Login to Authress using AWS SSO
- [Okta integration guide](https://authress.io/knowledge-base/docs/account-management/sso/okta-configuration): Login to Authress using your Okta identity
- [Advanced](https://authress.io/knowledge-base/docs/advanced):
- [Authress downtime protections](https://authress.io/knowledge-base/docs/advanced/authress-downtime-protections): Authress services aim for 99.999% uptime reliability. When there are indications of a possible problem, here's how we know about it.
- [Caching strategies](https://authress.io/knowledge-base/docs/advanced/caching): Optimize caching for Authress authorization requests.
- [Step-up authorization](https://authress.io/knowledge-base/docs/advanced/step-up-authorization): How to support step-up authentication and step-up authorization
- [API Authentication and machine to machine service clients](https://authress.io/knowledge-base/docs/authentication/api-authentication): Enabling your technical users to authenticate to your software and generate service client access and API keys
- [Connecting providers (IdP)](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp): Add identity providers, connect external auth systems and Cloud or CICD OIDC integrations.
- [OAuth setup guide - Part 2](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/oauth-setup-guide-part-2): Setting up OAuth connections to non-standard providers using the advanced connection configuration
- [Custom connection setup guide - Part 3](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/oauth-setup-guide-part-3): Connect a legacy internal identity provider to Authress
- [Setup user authentication with Login with Apple](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-apple-login): This article provides a quick start guide for integrating Login with the Sign In With Apple connection into Authress so that your users can log in with their Apple account.
- [Setup user authentication using Microsoft Entra](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-azure-ad-connection): This article provides a quick start guide for integrating Entra (Azure Active Directory) identity provider connection into Authress so that your users can log in with their AD account.
- [Setup user authentication with Login with Facebook and Meta](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-facebook-login): This article provides a quick start guide for integrating Login with the Sign In With Facebook connection into Authress so that your users can log in with their Facebook account.
- [Setup user authentication with GitHub](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-github-oauth): This article provides a quick start guide for integrating GitHub into Authress so that your users can log in with their GitHub user or organization account.
- [Setup user authentication with Google](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-google-login): This article provides a quick start guide for integrating Login with Google identity provider connection into Authress so that your users can log in with their Google account.
- [Setup user authentication with Salesforce](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-salesforce-connected-apps): This article provides a quick start guide for integrating a Salesforce Login into Authress so that your users can log in with their Salesforce account.
- [Setup user authentication with Yahoo! and Yahoo Mail](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-yahoo-login): This article provides a quick start guide for integrating Login with the Sign In With Yahoo connection into Authress so that your users can log in with their Yahoo! account.
- [Setup user authentication with Zoho Accounts](https://authress.io/knowledge-base/docs/authentication/connecting-providers-idp/setup-zoho-oauth): This article provides a quick start guide for integrating Login with Zoho accounts connection into Authress so that your users can log in with their Zoho account.
- [Custom Login Flow](https://authress.io/knowledge-base/docs/authentication/custom-passwordless-login): Set up a custom passwordless login flow for your users
- [Linking user accounts](https://authress.io/knowledge-base/docs/authentication/linked-user-accounts): How to link user accounts and manage multiple user sessions on the same device
- [OIDC Trusted Identities](https://authress.io/knowledge-base/docs/authentication/oidc-trusted-identities): Configure Authress to trust your existing identity providers
- [Tenant management](https://authress.io/knowledge-base/docs/authentication/tenants): Tenants are your groups of users. Each business in your platform is a tenant, and they have their own login (SSO) configuration.
- [User Authentication and Login](https://authress.io/knowledge-base/docs/authentication/user-authentication): Enabling your users to log in and authenticate in Authress via a unified authentication solution.
- [Adding Multifactor Authenticators and Passkeys (MFA)](https://authress.io/knowledge-base/docs/authentication/user-authentication/adding-multifactor-authentication): Adding Multifactor Authenticators to your application such as Google Authenticator, TOTP, and Yubikeys.
- [Creating low-code user management and login box customizations](https://authress.io/knowledge-base/docs/authentication/user-authentication/customizing-your-login-box): Step by step instructions for creating low-code and no-code user management and login box customizations.
- [Authress-managed login supported languages and locales](https://authress.io/knowledge-base/docs/authentication/user-authentication/customizing-your-login-box/supported-languages): All the automatically supported languages and locales for the Authress managed login box.
- [Controlling data residencies for user data storage](https://authress.io/knowledge-base/docs/authentication/user-authentication/selecting-data-residencies): Specify the data residency for your users' data storage on a per Identity Connection Provider (IdP) basis.
- [Authentication Sessions and Silent Authentication](https://authress.io/knowledge-base/docs/authentication/user-authentication/user-sessions): How secure user login persistence, authentication sessions, and silent authentication work, and how users stay authenticated even when their access token expires.
- [Setup authentication with any identity provider](https://authress.io/knowledge-base/docs/authentication/user-oauth-authentication-quick-start): Integrating identity providers such as Google into your web application can be challenging; here's a quick start for any site.
- [How to verify Authress JWT access tokens](https://authress.io/knowledge-base/docs/authentication/validating-jwts): Authress-generated access tokens should be verified to ensure their authenticity.
- [Granting access to users](https://authress.io/knowledge-base/docs/authorization/access-records): Access records grant users permissions via roles on resources.
- [Designing the user experience for permissions](https://authress.io/knowledge-base/docs/authorization/access-records/model-design-part-2.md): Common access record patterns and recommended usages
- [Record model design](https://authress.io/knowledge-base/docs/authorization/access-records/record-model-design): Common access record patterns and recommended usages
- [Implementing authorization in a simple app](https://authress.io/knowledge-base/docs/authorization/example-implementation): Integrating with Authress using a simple expense reporting software as an example.
- [Modeling matrix resource permissions](https://authress.io/knowledge-base/docs/authorization/matrix-resource-permissions): How to improve matrix-like resource permissions using Authress
- [User permissions](https://authress.io/knowledge-base/docs/authorization/permissions): Permissions, actions--allow, grant, and delegate. How to control access to your applications and services.
- [Machine service clients](https://authress.io/knowledge-base/docs/authorization/service-clients): Service clients are used to support machine-to-machine authentication and authorization
- [API and Access keys as a service](https://authress.io/knowledge-base/docs/authorization/service-clients/access-keys): What Authress service client access keys are and how to use them
- [Authress implementation of x25519 access keys](https://authress.io/knowledge-base/docs/authorization/service-clients/authress-implementation): An advanced look at Authress' implementation of service client access keys, how they work, and how you can build a similar solution.
- [Access Keys, Secrets Scanning, and Revocation](https://authress.io/knowledge-base/docs/authorization/service-clients/secrets-scanning): Automatic handling of access keys and revocation
- [Authentication](https://authress.io/knowledge-base/docs/category/authentication): Authress provides independent components for Authorization, Authentication, Extensions, Credential Vaults, etc. Each of these can be used separately. This section provides articles and guides on user and machine-to-machine authentication, as well as how to configure each of these for your users. For a guided wizard on Authentication, check out the Authress Management Portal quick start guides.
- [Authorization](https://authress.io/knowledge-base/docs/category/authorization): Authorization in Authress is how you grant users access to perform actions on resources.
Performing user authorization checks requires three pieces:
- [OAuth 2.0 Credential Vaults](https://authress.io/knowledge-base/docs/category/credentials-vault): Authress provides a first-class credential vault. A credential vault is a secure store of OAuth2 and other tokens that are retrieved throughout the user's authentication lifecycle.
- [CI/CD Automation](https://authress.io/knowledge-base/docs/cicd): Providers:
- [Access Authress through GitHub Actions](https://authress.io/knowledge-base/docs/cicd/github): Generate temporary credentials to access Authress from GitHub Actions
- [Access Authress through GitLab](https://authress.io/knowledge-base/docs/cicd/gitlab): Generate temporary credentials to access Authress from GitLab Pipelines
- [Authress OpenTofu provider](https://authress.io/knowledge-base/docs/cicd/open-tofu): Use OpenTofu to create and manage Authress resources
- [Authress Pulumi provider](https://authress.io/knowledge-base/docs/cicd/pulumi): Use Pulumi to create and manage Authress resources
- [Authress Terraform provider](https://authress.io/knowledge-base/docs/cicd/terraform): Use Terraform to create and manage Authress resources
- [Accessing a connection's API via access tokens](https://authress.io/knowledge-base/docs/credentials-vault/using-refresh-tokens-and-provider-scopes): By using refresh tokens a service client can generate access tokens and make requests to a provider's API.
- [Platform Extensions and App Marketplaces](https://authress.io/knowledge-base/docs/extensions): Implementing the necessary user identity and access control components to secure a multi-sided platform.
- [Extension authentication](https://authress.io/knowledge-base/docs/extensions/extension-authentication): How users log into extensions and how to manage extension authentication.
- [Installing extensions](https://authress.io/knowledge-base/docs/extensions/installing-extensions): Configure how your platform users will install and enable extensions.
- [Creating extensions](https://authress.io/knowledge-base/docs/extensions/managing-extensions): Support extension developers creating and managing platform extensions.
- [Platform user login](https://authress.io/knowledge-base/docs/extensions/platform-user-login): Enable users to log into your platform.
- [Implementation examples](https://authress.io/knowledge-base/docs/implementation-examples): Throughout this Knowledge Base, the docs will discuss a number of possible solutions to specific problems. To help make these examples more concrete, they will reference real scenarios. These scenarios are documented more in-depth here so that they can be referred to as necessary.
- [Document repository](https://authress.io/knowledge-base/docs/implementation-examples/document-repository): The document repository is a service that has two main components, a UI that a user interacts with, and a service by which users or third parties can manage a user's resources through the API.
- [Identity Aware Proxy for private websites and secure content](https://authress.io/knowledge-base/docs/implementation-examples/identity-aware-proxy): Integrate with Authress to provide a secure and private proxy on top of sensitive websites and content, restricted by user's authentication and authorization.
- [Billing and rate limiting](https://authress.io/knowledge-base/docs/introduction/api-billing-caching): Details on billing scenarios, response caching, and route rate limiting for Authress API.
- [Frequently asked questions](https://authress.io/knowledge-base/docs/introduction/frequently-asked-auth-questions): Authress combats the misconceptions surrounding auth, identity terminology, and frequent questions about how to set up CIAM.
- [Technical Advanced - frequently asked questions](https://authress.io/knowledge-base/docs/introduction/frequently-asked-auth-questions/technical-security-questions): How do we make sure only to trust Authress JWTs and not every valid JWT out there?
- [Getting started with Authress](https://authress.io/knowledge-base/docs/introduction/getting-started-with-authress): All you need to start using Authress, explained step by step.
- [Quick Setup Guides](https://authress.io/knowledge-base/docs/introduction/quick-start-guides): Authress Quick Setup makes it easy to get started with specific guided tours. CI/CD setup, access as Code, login providers and machine-to-machine authorization.
- [What is Authress?](https://authress.io/knowledge-base/docs/introduction/what-is-authress): See the key features and figure out what to do next. Check out the list of SDKs, starter kits, and supported frameworks.
- [SDKs](https://authress.io/knowledge-base/docs/SDKs): Below are dedicated pages for each of the SDKs. For in-depth documentation on each of the Authress SDKs, see the public SDK documentation available through our SDK portal.
- [Authentication (UI)](https://authress.io/knowledge-base/docs/SDKs/authentication): The UI SDK provides a typed JavaScript integration to enable fast and easy integrated authentication with any provider.
- [Authress Local](https://authress.io/knowledge-base/docs/SDKs/authress-local): Authress Local provides a locally running container to enable users to log in, generate authentication tokens, and security for your application before they get to production.
- [AWS Amplify + GraphQL](https://authress.io/knowledge-base/docs/SDKs/aws-amplify):
- [Community Projects](https://authress.io/knowledge-base/docs/SDKs/community-projects): Unofficial SDKs and Starter Kits managed by community members
- [C# + .NET + Unity](https://authress.io/knowledge-base/docs/SDKs/csharp):
- [Go](https://authress.io/knowledge-base/docs/SDKs/go):
- [Java](https://authress.io/knowledge-base/docs/SDKs/java):
- [Javascript + Typescript](https://authress.io/knowledge-base/docs/SDKs/javascript):
- [Kotlin](https://authress.io/knowledge-base/docs/SDKs/kotlin):
- [OpenTofu](https://authress.io/knowledge-base/docs/SDKs/open-tofu):
- [PHP](https://authress.io/knowledge-base/docs/SDKs/php):
- [Using Postman Collections](https://authress.io/knowledge-base/docs/SDKs/postman):
- [Python](https://authress.io/knowledge-base/docs/SDKs/python):
- [Ruby](https://authress.io/knowledge-base/docs/SDKs/ruby):
- [Rust](https://authress.io/knowledge-base/docs/SDKs/rust):
- [Terraform](https://authress.io/knowledge-base/docs/SDKs/terraform):
- [Guides](https://authress.io/knowledge-base/docs/usage-guides):
- [Security for deleting resources and access](https://authress.io/knowledge-base/docs/usage-guides/access-control-security-for-deleted-records): Removing an application resource is easy, a quick DB Delete. However, handling the clean up of the access records control policy statements is the challenge.
- [Implementing anonymous authentication and shopper IDs](https://authress.io/knowledge-base/docs/usage-guides/anonymous-auth-and-shopper-ids): Extend your onboarding experience to include handling for temporary sessions, users that haven't logged in, and shopper IDs.
- [Setting up API keys as a Service for Users](https://authress.io/knowledge-base/docs/usage-guides/api-keys-as-a-service-setup): A deep dive into the recommended flow to generate API keys for your users.
- [AWS Guides](https://authress.io/knowledge-base/docs/usage-guides/aws-guides): Follow these AWS specific guides to integrate Authress successfully into your AWS Account.
- [Create an API Gateway Authorizer](https://authress.io/knowledge-base/docs/usage-guides/aws-guides/create-aws-apigateway-authorizer.md): A technical implementation for how to implement an API Gateway Authorizer for verifying incoming identities.
- [Creating an encryption key to store secrets](https://authress.io/knowledge-base/docs/usage-guides/aws-guides/encrypting-secrets-with-aws-kms): How to encrypt secrets using AWS KMS
- [Creating application resources](https://authress.io/knowledge-base/docs/usage-guides/creating-resources): How to use access records when creating resources
- [Migrating to Authress](https://authress.io/knowledge-base/docs/usage-guides/migration-to-authress): Easily migrate to Authress following the standard authentication and authorization migration steps.
- [Implementing signup and user onboarding flow](https://authress.io/knowledge-base/docs/usage-guides/onboarding-users): Follow the scenario to create a full onboarding experience from user registration to a multiple user application tenant.
- [Fetching and displaying user lists](https://authress.io/knowledge-base/docs/usage-guides/querying-and-displaying-users): This guide reviews fetching users, querying tenants, and displaying user avatars in your application.
- [Splitting permissions and resources](https://authress.io/knowledge-base/docs/usage-guides/splitting-permissions-and-resources): Modifying and migrating access records when new permissions or resources are created.
- [Testing Auth](https://authress.io/knowledge-base/docs/usage-guides/testing-auth): Testing strategies when using Authress
- [Changing and updating user access permissions](https://authress.io/knowledge-base/docs/usage-guides/update-user-access-changes): Users' access and permissions will change over time. Here we review how that access may change, and what updates to make in Authress.