Identity Platform

CAP

Central Authentication Platform. One login layer for every application in your organisation — SSO, MFA, fine-grained permissions, and a full audit trail, without the vendor lock-in of a managed identity service.

Features

  • Single sign-on across all connected applications — one login, every service
  • Multi-factor authentication with TOTP, push notification, and passkey support
  • Role and permission management with attribute-based access control for fine-grained policies
  • OAuth 2.1 and OpenID Connect token issuance for seamless application integration
  • Organisation and team hierarchy — permissions that cascade correctly without manual maintenance
  • Session management with configurable lifetime, idle timeout, and force-logout across all devices
  • Full audit log of every authentication and authorisation decision, exportable for compliance
  • Self-hosted deployment — your user data never leaves your infrastructure

Tech stack

  • Go backend for high-throughput token issuance and validation with minimal resource footprint
  • MySQL for user accounts, roles, permissions, sessions, and audit records
  • RabbitMQ for asynchronous event delivery — login events, permission changes, and audit records fan out to connected systems without slowing the authentication hot path
  • Standards-compliant OAuth 2.1 and OIDC endpoints for application integration
  • Admin dashboard for user management, permission editing, and audit log review
  • CLI tooling for scripted user provisioning and bulk permission changes

Why organisations build on CAP

Every SaaS identity provider makes the same implicit deal: convenient to start, increasingly expensive as you grow, and difficult to leave once your applications are integrated. Per-user pricing means your identity costs scale linearly with your team. Vendor-specific features mean migration is months of work. Outages in a third-party identity service take down your entire product.

CAP was built for organisations that want the functionality of a managed identity platform — SSO, MFA, OAuth, audit trails — without the per-user billing model and without sending authentication data to a third-party cloud.

The Go runtime was chosen specifically for the authentication hot path. Token validation is on the critical path for every API request in a connected application. A service that adds 20ms to every request is a problem. CAP's token validation endpoint is designed to handle peak load without scaling beyond the footprint of a small virtual machine.

RabbitMQ decouples the audit and event delivery from the authentication response. When a user logs in, CAP issues the token and returns immediately — the audit record write, the login webhook to connected applications, and the session tracking update happen asynchronously. Nothing on the slow path blocks the login response.

The permission model goes beyond simple role-based access. Attribute-based policies allow expressions like "users in the finance team can approve expense reports up to their delegation limit" — logic that flat role assignments cannot express without creating a role per limit level. Permissions cascade through the organisation hierarchy so a regional manager automatically inherits the permissions appropriate to their scope.
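A minimal sketch of the finance-approval policy described above, as an added example in Go that is not CAP's own code or API; the User, ExpenseReport and canApprove names, the slash-delimited organisation path, and the sample values are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// User carries the attributes the policy consults (all names here are assumed).
type User struct {
	Team            string
	DelegationLimit int    // approval ceiling, in minor currency units
	Scope           string // org-tree node the user manages, e.g. "acme/emea"
}

type ExpenseReport struct {
	Amount  int
	OrgUnit string // org-tree node the report belongs to, e.g. "acme/emea/uk"
}

// Decision carries an explicit reason so the outcome can be audit-logged.
type Decision struct {
	Allow  bool
	Reason string
}

// inScope is true when unit is node itself or a descendant of node. The trailing
// "/" matters: a bare prefix match would let "acme/emea" cover "acme/emea-west".
func inScope(node, unit string) bool {
	return unit == node || strings.HasPrefix(unit, node+"/")
}

// canApprove is deny-by-default: every path returns a reason.
func canApprove(u User, r ExpenseReport) Decision {
	if u.Team != "finance" {
		return Decision{false, "user is not in the finance team"}
	}
	if !inScope(u.Scope, r.OrgUnit) {
		return Decision{false, "report is outside the user's organisational scope"}
	}
	if r.Amount > u.DelegationLimit {
		return Decision{false, "amount exceeds the user's delegation limit"}
	}
	return Decision{true, "finance member, within scope and delegation limit"}
}

func main() {
	mgr := User{Team: "finance", DelegationLimit: 500000, Scope: "acme/emea"}
	fmt.Println(canApprove(mgr, ExpenseReport{Amount: 120000, OrgUnit: "acme/emea/uk"}))
}
```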

The self-hosted deployment is the key architectural decision for regulated industries. Healthcare, fintech, and government organisations that cannot route authentication requests through a vendor's cloud have no good off-the-shelf option. CAP deploys into your infrastructure and your authentication data never crosses your network boundary.

Who it is for

CAP is used by:

  • organisations that have outgrown a single application and need SSO across their internal tooling
  • product companies that need an embeddable identity layer without a third-party dependency
  • regulated businesses that cannot use managed cloud identity services for compliance reasons
  • teams building multi-tenant SaaS products that need per-tenant permission isolation