Modgud is an OpenID-Connect-shaped identity provider that puts a multi-app permission model at its core. This section gets you from "nothing running" to "first SaaS app integrated" in a small number of pages — using the published Docker image, no source checkout required.
Pick the one that matches what you're trying to do right now:
- Run it locally — Quickstart (Docker). Copy a compose file,
docker compose up, create the first admin via the recovery CLI, and you land in a logged-in admin SPA onhttp://localhost. - Integrate a SaaS app you already have — go straight to the SaaS Integration Walkthrough. It links into the relevant admin docs as you go.
- Embed Modgud into your own deployment — Requirements and Features explain what you're getting and what infrastructure you'll need.
A self-hostable IdP. OAuth 2.0 + OpenID Connect server, runs on .NET 10, persists in PostgreSQL via Marten (event-sourced where it matters). Each customer / environment lives in an isolated realm with its own database. Apps within a realm declare their own permission catalogs and OAuth bindings. Tokens carry Keycloak-style resource_access keyed per Audience, with bypass-pre-expansion and per-RS subset narrowing — resource servers do straight exact-match against a flat permission list, no custom claim format and no separate IdP roundtrip.
- Not a hosted service. You run it.
- Not a user database for arbitrary domain data. Profiles only — your apps own their own tables.
- Not a BFF. It issues tokens; downstream apps consume them.
- Not a SAML provider. OIDC and OAuth 2.0 only.
- Quickstart (Docker) — copy the compose file,
docker compose up, bootstrap the first admin, sign in — in 10 minutes - Requirements — runtime and infra checklist
- Features — point-by-point list of what the box delivers
- First-time setup — the three bootstrap paths and when to use which