Developer Portal

Build on Clavex

Clavex is a sovereign European identity server — OIDC, OAuth 2.1, SAML 2.0, eIDAS, SPID, CIE, BundID, and FAPI 2.0 out of the box. Self-host in minutes with Docker; scale to millions with Kubernetes. This portal covers everything you need to integrate, from your first authorization_code flow to production-grade FAPI 2.0 deployments.

Fastest path — 5 min to first login

create-clavex-app scaffolds a complete Next.js (or React) project with Clavex pre-wired — OIDC callback, session store, token refresh, and protected routes included. No config-file archaeology.

$ npx create-clavex-app myapp --framework nextjs
$ cd myapp && npm run dev
# → http://localhost:3000 — login page ready, SDK wired, OIDC flowing

Architecture Overview

Clavex runs as a single stateless binary backed by PostgreSQL and (optionally) Redis. It speaks to your applications via standard protocols and to external identity providers via SAML 2.0 or proprietary adapters.

Browser / App ──────────────────> id.example.com  OIDC / OAuth 2.1
↳ Authorization Code + PKCE  |  Client Credentials  |  Device Flow  |  CIBA

id.example.com ──────────────────> SPID / CIE / eIDAS  SAML 2.0
↳ Italian national identity  |  EU cross-border  |  BundID (Germany)

id.example.com ──────────────────> Resource Servers  SSF / CAEP SETs
↳ Real-time session revocation  |  credential-change events  |  RISC

Protocol Support

Protocol / Feature          | Status    | Notes
----------------------------|-----------|------------------------------
OpenID Connect Core 1.0     | Certified | All response types
OAuth 2.1 / RFC 9068        | GA        | PKCE mandatory
FAPI 2.0 Security Profile   | GA        | PAR + JARM + DPoP
SAML 2.0 (SP-initiated)     | GA        | SPID, CIE, eIDAS, BundID
SCIM 2.0                    | GA        | Groups + Users push & pull
Passkeys / WebAuthn L2      | GA        | MDS3 policy enforcement
SSF / CAEP (push + poll)    | GA        | Real-time revocation SETs
OpenID Federation 1.0       | Beta      | Trust chain traversal
OID4VCI / OID4VP            | Beta      | SD-JWT VC, mdoc
OID4VP (Verifier API)       | Beta      | Same-device & cross-device

Key Concepts

Organizations (Tenants)

Clavex is multi-tenant by design. Each Organization has its own slug (e.g. acme), isolated user database, OIDC clients, identity providers, branding, and audit log. The OIDC issuer for an org is https://id.example.com/acme.

OIDC Clients

Register clients via the Admin API or the management UI. Each client can configure allowed redirect URIs, grant types, token lifetimes, DPoP requirements, FAPI profile, and per-client branding (logo, colors). Clients can be confidential (client_secret or private_key_jwt) or public (PKCE only).

Identity Providers

External logins (SPID, CIE, eIDAS, BundID, FranceConnect, itsme, DigiD) connect as SAML 2.0 service providers managed per-organization. OIDC upstream providers are also supported for social logins or corporate SSO federation.

Passkeys & MFA

Users can register WebAuthn authenticators (passkeys) as a primary credential or second factor. Attestation policies enforce minimum MDS3 certification levels and automatically revoke sessions when a device is flagged REVOKED in the FIDO Alliance catalog.