Skip to content

casdoor/casdoor

⭐ 13,579  ·  Go  ·  GitHub Repo

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

agent agentic-ai agi ai-gateway auth authentication iam llm

1-Sentence Summary

Casdoor is the first open-source, AI-native IAM that unifies traditional auth protocols with an MCP & Agent gateway for the LLM era.

🔥 Key Capabilities & USP

  • AI-First MCP & A2A Gateway: Natively supports the Model Context Protocol (MCP) and Agent-to-Agent (A2A) communication. This solves the critical pain point of securely authenticating and authorizing AI agents and LLM tools, turning Casdoor into a central policy enforcement point for your AI ecosystem.
  • Universal Protocol Support: Handles OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP/MFA, and Face ID. This eliminates the need to integrate multiple disparate auth libraries, providing a single pane of glass for all identity needs—from enterprise SSO to passwordless login.
  • Self-Hosted & UI-First Management: Provides a complete web UI for managing users, organizations, applications, and roles, backed by a RESTful API and SDKs for Go, Java, Python, and Node.js. This solves the operational overhead of managing auth infrastructure, giving teams full data control without sacrificing developer experience.
  • Enterprise-Grade Provisioning: Supports SCIM 2.0 for automated user provisioning and de-provisioning, along with RBAC and multi-tenancy. This solves the pain of manual user lifecycle management in large organizations, ensuring security and compliance at scale.

USP: Casdoor is the only open-source IAM that bridges traditional enterprise auth with the emerging AI agent world, making it a future-proof choice for teams building agentic applications.

Architecture

Technical Architecture

ComponentTechnology
Backend API ServerGo with Beego framework
Frontend Web UIJavaScript / React
DatabasesMySQL, PostgreSQL (primary); Redis (optional caching)
DeploymentDocker (all-in-one SQLite), Docker Compose, Kubernetes Helm charts
API & IntegrationRESTful API, Swagger UI, Webhooks, SDKs (Go, Java, Python, Node.js)

The architecture is a clean frontend-backend separation. The React UI communicates with the Go API server, which handles all authentication logic, protocol translation, and database operations. The optional Redis layer improves session and token caching performance.

Quick Start Guide

Option 1: Docker All-in-One (Quick Trial)

bash
docker run -p 8000:8000 casbin/casdoor-all-in-one

Option 2: Docker Compose (Full Setup)

bash
docker compose up

Option 3: Kubernetes (Production)

bash
helm install casdoor oci://registry-1.docker.io/casbin/casdoor-helm-charts

Option 4: Manual Build (Development)

bash
git clone https://github.com/casdoor/casdoor.git
cd casdoor

# Build frontend
cd web
yarn install
yarn build
cd ..

# Start backend
go run main.go

Pros, Cons & Use Cases

Pros

  • Truly AI-Native: The MCP and A2A gateway support is a massive differentiator for teams building agentic workflows.
  • Extremely Broad Protocol Support: Covers nearly every modern auth standard, reducing integration complexity.
  • Self-Hosted & Open Source: Full data sovereignty and no vendor lock-in.
  • Excellent Developer Experience: Clean RESTful API, multiple SDKs, and a polished web UI for administration.
  • Active & Mature Ecosystem: Backed by the Casbin community with 13.5k+ stars and regular updates.

Cons

  • Requires Self-Hosting & Maintenance: You are responsible for database setup, backups, scaling, and security patching.
  • Initial Setup Overhead: Requires configuring a database (MySQL/PostgreSQL) and dependencies (Go, Node.js) for manual builds.
  • AI-First Focus May Be Overkill: If your project has zero AI or agent requirements, the MCP/A2A features add unnecessary complexity compared to simpler auth solutions.

Who should NOT use this?

  • Teams building simple, non-AI web apps that only need basic username/password auth or a single OAuth provider (e.g., "Login with Google"). A simpler solution like Auth0, Firebase Auth, or a library like Passport.js would be more appropriate.
  • Organizations without DevOps resources to manage a self-hosted database and application server.
  • Projects requiring a fully managed, zero-ops identity solution where uptime SLAs and automatic scaling are critical.

Ideal Use Cases

  • Building an AI Agent Platform: Securely authenticate and authorize LLM agents, MCP tools, and A2A communication channels.
  • Enterprise SSO Hub: Centralize authentication across dozens of internal applications using SAML, OIDC, and LDAP, with SCIM for user provisioning.
  • Multi-Tenant SaaS Application: Provide a white-labeled auth experience for each customer, with support for social login, MFA, and custom branding.
  • Open-Source Stack with Data Sovereignty: Organizations that require on-premise or private cloud deployment for compliance (e.g., healthcare, finance, government).

Community & Activity

Casdoor is on a strong growth trajectory with 13,579 stars and 2,300+ forks, indicating a healthy and engaged community. The project is actively maintained, with the latest update on May 10, 2026, showing a commitment to keeping pace with the rapidly evolving AI landscape. The backing of the Casbin ecosystem adds credibility and a foundation of robust, battle-tested authorization logic. This is not a side project; it’s a serious, production-grade tool with momentum that is only accelerating as the AI agent space matures.

Project data from GitHub API, updated in real-time