App Auth Overview
App Auth is a managed OIDC identity provider for your application's end users. You flip it on for an app, and FoundryDB runs the login service: hosted login pages, magic-link email sign-in, optional Google and GitHub social sign-in, TOTP two-factor, and revocable sessions. Your client libraries talk to a standard OpenID Connect issuer and the rest is handled.
This is not your FoundryDB account login. App Auth issues tokens for the people who sign in to applications you build and deploy. Your team's access to the FoundryDB dashboard and API is a separate system entirely.
What App Auth provides
| Capability | What it does |
|---|---|
| Managed OIDC issuer | A conformant OpenID Connect provider with discovery document, JWKS endpoint, and RS256-signed JWTs. Works with any OIDC client library. |
| Hosted login pages | The platform serves and themes them. Supply a display name, brand color, and logo. No UI to build or maintain. |
| Magic-link sign-in | Users enter an email, click a one-time link, and they are authenticated. No passwords to store. Bring your own SMTP so mail goes out under your domain. |
| Social sign-in | Google and GitHub sign-in buttons render on the hosted page alongside magic links. Bring your own OAuth app per provider. |
| TOTP two-factor | Users enroll an authenticator app. The TOTP secret is encrypted before it is written to your database. |
| Revocable sessions | List a user's active sessions and revoke any of them through the API. |
| Zero-downtime key rotation | Rotate the JWT signing key. The new key publishes alongside the outgoing one so live tokens keep validating through a grace window. |
| GDPR erasure | Delete an end user and the platform removes their identity rows, sessions, tokens, MFA secrets, and audit trail from your database in a single transaction. |
Your data, your database
This is the defining property of App Auth. End-user identities do not live in FoundryDB's infrastructure: they live in a schema called _mdb_auth inside the PostgreSQL database you attach to the app. Every user row, session, refresh token, TOTP secret, recovery code, and audit event is written there, by the issuer, directly to your database.
The FoundryDB control plane stores only configuration: the issuer URL, signing-key references, status, and your branding. No emails. No identity data. Data residency follows your database: put the database in Stockholm and your users live in Stockholm.
End user → Hosted OIDC issuer → your PostgreSQL (_mdb_auth schema)
users, sessions, MFA, audit log
FoundryDB control plane → configuration only (issuer URL, key refs, status)
→ never reads or stores end-user identity data
The issuer connects to your database over a private, TLS-encrypted connection on the service SDN. The control plane touches your database exactly twice in the auth lifecycle: once to apply the schema at enable time, and once when you request a session revoke or a GDPR erasure via the API.
The issuer URL
When you enable auth, the platform assigns an issuer URL in the form:
https://auth-<id>.foundrydb.com
This URL is fixed at enable time. Changing it later would invalidate all outstanding tokens, so it cannot be modified. The OIDC discovery document is served at:
https://auth-<id>.foundrydb.com/.well-known/openid-configuration
Your OIDC client library reads this document automatically. There is nothing else to configure on the protocol side.
Auth lifecycle
| Status | Meaning |
|---|---|
Pending | Enable request accepted, waiting to start. |
ProvisioningSchema | Applying the _mdb_auth schema to your PostgreSQL database. |
Deploying | Bringing up the managed issuer. |
Active | Live and serving logins. |
Disabled | Issuer torn down; your identity data in the database is untouched. |
Failed | Provisioning failed; failure_reason carries the details. |
Next steps
- Enable Auth — prerequisites, enable request, and key rotation
- Social Login — add Google and GitHub sign-in
- Integrate from Your App — OIDC discovery, authorization flow, and token validation