Authentication

Log10x uses a pluggable authentication architecture supporting both SaaS and enterprise on-premise deployments.

Deployment Modes

SaaS Mode Enterprise Mode

The default SaaS deployment uses Auth0 for all components - no additional database required.

Component	Backend	Notes
Identity	Auth0	Managed authentication
Key Store	Auth0 app_metadata	Zero additional infra
Env Store	Auth0 app_metadata	Multi-tenant ready

# Environment variables for SaaS mode
AUTH_PROVIDER=auth0
AUTH_KEY_STORE=auth0
AUTH0_DOMAIN=auth.log10x.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret

Enterprise deployments bring their own identity provider and storage backends.

Component	Options	Notes
Identity	Okta, Azure AD, Keycloak, any OIDC	Integrate with existing SSO
Key Store	DynamoDB, PostgreSQL, K8s Secrets	Choose based on infrastructure
Env Store	DynamoDB, PostgreSQL, K8s ConfigMaps	Match key store or separate

# Environment variables for Enterprise OIDC + DynamoDB
AUTH_PROVIDER=oidc
AUTH_KEY_STORE=dynamodb
OIDC_ISSUER=https://your-company.okta.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
DYNAMODB_KEYS_TABLE=log10x-api-keys
DYNAMODB_ENVIRONMENTS_TABLE=log10x-environments

Supported Backends

Auth0

Default SaaS backend. Identity + key storage in one.
- OAuth 2.0 / OIDC compliant
- Social login support
- app_metadata for keys/envs
auth0_provider.go
Okta

Enterprise SSO integration via OIDC.
- SAML & OIDC support
- MFA built-in
- Requires separate key store
oidc_provider.go
Azure AD

Microsoft enterprise identity.
- Azure integration
- Entra ID support
- Requires separate key store
oidc_provider.go
DynamoDB

Serverless key/environment storage.
- Zero maintenance
- Auto-scaling
- AWS native
dynamodb_store.go
PostgreSQL

Relational storage for keys/environments.
- Full SQL support
- Transactions
- Self-hosted or RDS
postgres_store.go
Kubernetes

Cloud-native secret management.
- K8s Secrets for API keys
- ConfigMaps for environments
- No external database
kubernetes_store.go

Enterprise Configuration

Configure enterprise deployments with your preferred identity provider, key storage backend, and environment management. Select a tab below to see setup instructions for each component.

OIDC Provider DynamoDB PostgreSQL Kubernetes

Configure any OIDC-compliant identity provider:

# config.yaml for Enterprise deployment
provider: oidc
key_store: dynamodb

oidc:
  issuer: https://your-company.okta.com
  client_id: your-client-id
  client_secret: your-client-secret  # Store in secrets manager
  scopes:
    - openid
    - profile
    - email
  user_id_claim: sub  # JWT claim for user ID
  email_claim: email  # JWT claim for email

dynamodb:
  keys_table: log10x-api-keys
  environments_table: log10x-environments
  region: us-east-1

Create tables for API key and environment storage:

# API Keys Table
aws dynamodb create-table \
  --table-name log10x-api-keys \
  --attribute-definitions \
    AttributeName=key,AttributeType=S \
    AttributeName=user_id,AttributeType=S \
  --key-schema AttributeName=key,KeyType=HASH \
  --global-secondary-indexes \
    'IndexName=user-keys-index,KeySchema=[{AttributeName=user_id,KeyType=HASH}],Projection={ProjectionType=ALL}' \
  --billing-mode PAY_PER_REQUEST

# Environments Table
aws dynamodb create-table \
  --table-name log10x-environments \
  --attribute-definitions \
    AttributeName=env_id,AttributeType=S \
    AttributeName=owner_id,AttributeType=S \
  --key-schema AttributeName=env_id,KeyType=HASH \
  --global-secondary-indexes \
    'IndexName=owner-envs-index,KeySchema=[{AttributeName=owner_id,KeyType=HASH}],Projection={ProjectionType=ALL}' \
  --billing-mode PAY_PER_REQUEST

For PostgreSQL deployments:

-- API Keys table
CREATE TABLE api_keys (
    key VARCHAR(36) PRIMARY KEY,
    user_id VARCHAR(255) NOT NULL,
    name VARCHAR(255),
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    expires_at TIMESTAMP,
    last_used_at TIMESTAMP
);
CREATE INDEX idx_api_keys_user_id ON api_keys(user_id);

-- Environments table
CREATE TABLE environments (
    env_id VARCHAR(36) PRIMARY KEY,
    name VARCHAR(255) NOT NULL,
    owner_id VARCHAR(255) NOT NULL,
    owner_email VARCHAR(255),
    is_default BOOLEAN DEFAULT FALSE,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX idx_environments_owner ON environments(owner_id);

-- Environment access for sharing
CREATE TABLE environment_access (
    env_id VARCHAR(36) REFERENCES environments(env_id),
    user_id VARCHAR(255) NOT NULL,
    permissions VARCHAR(20) NOT NULL,  -- OWNER, WRITE, READ
    PRIMARY KEY (env_id, user_id)
);

For air-gapped or K8s-native environments:

# API Key stored as K8s Secret
apiVersion: v1
kind: Secret
metadata:
  name: log10x-key-abc123
  namespace: log10x
  labels:
    log10x/user-id: "user-123"
type: Opaque
stringData:
  key: "your-api-key-uuid"
  user_id: "user-123"
  name: "production-key"

---
# Environments stored in ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: log10x-environments
  namespace: log10x
data:
  environments.json: |
    {
      "env-abc123": {
        "name": "Production",
        "owner_id": "user-123",
        "owner_email": "admin@company.com",
        "is_default": true
      }
    }

Backend implementation: user-service-go/internal/auth