High-performance, self-hosted authentication and user management platform built in Rust.
Warning: DEV PREVIEW — This project is under active development and is NOT ready for production use. APIs may change without notice. For updates, watch the Nucleus repo.
Full control over your auth infrastructure, your data, your rules.
- Performance — Built in Rust with Axum for minimal latency and maximum throughput
- Security-first — AES-GCM encryption at rest, constant-time secret comparison, anti-enumeration, PKCE for all OAuth flows
- Self-hosted — Deploy on your infrastructure, keep user data where you need it
- Data sovereignty — Centralized or Federated mode for full control over data location
- Open source — MIT licensed, no per-MAU pricing, no vendor lock-in
Authentication — Email/password, magic links, email OTP, OAuth (Google, GitHub, Microsoft, Apple, Discord, Facebook, LinkedIn, Slack, Twitter/X), passkeys/WebAuthn, SAML 2.0
Multi-factor — TOTP authenticator apps, SMS OTP (Twilio), email OTP (SendGrid), backup codes — all secrets encrypted at rest with AES-GCM
Sessions — Hybrid model: short-lived RS256 JWT (5 min) + Redis-backed sessions for instant revocation. Token hashing, constant-time comparison, JWT revocation list
Organizations — Multi-tenant RBAC with built-in roles (owner, admin, member), custom roles, 10 default permissions, invitations
Webhooks — 18 event types across user, session, org, MFA, and security categories. HMAC-SHA256 signing with replay protection. Exponential backoff retry
Admin Dashboard — Project management, OAuth provider config, API key management, signing key rotation, JWT templates, email templates, analytics (MAU, sign-ins, method breakdown), audit logs, billing/usage tracking
Security — Rate limiting (Redis sliding window), anti-enumeration, constant-time secret comparison, AES-GCM encryption at rest, OIDC discovery, PKCE for all OAuth flows
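
The webhook line above names HMAC-SHA256 signing with replay protection, and the security line names constant-time comparison. A receiver-side check combining them follows as an added example, not Nucleus code. The signed-string layout, the delivery id and timestamp fields, and the 300-second window are assumptions, because this page does not document the wire format.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a documented Nucleus value


class ReplayCache:
    """Remembers delivery ids accepted inside the tolerance window."""

    def __init__(self):
        self._seen = {}  # delivery id -> sender timestamp

    def check_and_store(self, delivery_id, ts, now):
        # Ids older than the window can go: their timestamp is rejected as stale.
        self._seen = {k: v for k, v in self._seen.items()
                      if now - v <= TOLERANCE_SECONDS}
        if delivery_id in self._seen:
            return False
        self._seen[delivery_id] = ts
        return True


def sign(secret, delivery_id, ts, body):
    # Assumed layout: hex HMAC-SHA256 over b"<id>.<timestamp>.<raw body>".
    msg = delivery_id.encode() + b"." + str(ts).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, delivery_id, ts_header, signature, body, cache, now=None):
    """Return (ok, reason): field checks, then MAC, freshness and replay."""
    now = int(time.time()) if now is None else now
    # A "." inside the id would make the signed string ambiguous to split.
    if not isinstance(delivery_id, str) or not delivery_id or "." in delivery_id:
        return False, "bad delivery id"
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if not isinstance(signature, str):
        return False, "bad signature"
    expected = sign(secret, delivery_id, ts, body)
    # compare_digest is constant-time; bytes avoid its ASCII-only str limit.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    if not cache.check_and_store(delivery_id, ts, now):
        return False, "replayed delivery"
    return True, "ok"
```

Verify against the raw request bytes, before any JSON parsing, and in a multi-instance deployment replace the in-memory cache with a shared store.
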
| SDK | Capability | Install | |
|---|---|---|---|
| | Server | `cargo add cntm-nucleus` | Docs |
| | Server | `npm i @cntm-labs/nucleus-node` | Docs |
| | Server | `pip install cntm-nucleus` | Docs |
| | Server | `go get github.com/cntm-labs/nucleus/sdks/go` | Docs |
| | Server | `dotnet add package Cntm.Nucleus` | Docs |
| | Server + Android | Maven: `io.github.cntm-labs:nucleus` | Docs |
| | Browser + Node | `npm i @cntm-labs/nucleus-js` | Docs |
| | SSR + Client | `npm i @cntm-labs/nucleus-nextjs` | Docs |
| | Client | `npm i @cntm-labs/nucleus-react` | Docs |
| | Client | `flutter pub add cntm_nucleus` | Docs |
| | Client | `pod 'CntmNucleus'` | Docs |
| | Client | Gradle: `io.github.cntm-labs:nucleus-android` | Docs |
| | Client | Gradle: `io.github.cntm-labs:nucleus-java` | Docs |

```bash
# Requirements: PostgreSQL 16, Redis 7
git clone https://github.com/cntm-labs/nucleus.git
cd nucleus
cp .env.example .env  # Configure database, Redis, master key
cargo run --release
```

```bash
curl -X POST http://localhost:3000/api/v1/dashboard/projects \
  -H "Content-Type: application/json" \
  -d '{"name": "my-app", "data_mode": "centralized"}'
```

React

```jsx
import { NucleusProvider, useAuth } from '@cntm-labs/nucleus-react';

function App() {
  return (
    <NucleusProvider publishableKey="pk_...">
      <MyApp />
    </NucleusProvider>
  );
}

function MyApp() {
  const { isSignedIn, user } = useAuth();
  return <div>{isSignedIn ? `Hello ${user.email}` : 'Sign in'}</div>;
}
```

Next.js

```tsx
// app/layout.tsx
import { NucleusProvider } from '@cntm-labs/nucleus-nextjs';

export default function RootLayout({ children }) {
  return (
    <NucleusProvider publishableKey="pk_...">
      {children}
    </NucleusProvider>
  );
}
```

Node.js

```javascript
import { createNucleus } from '@cntm-labs/nucleus-node';

const nucleus = createNucleus({ secretKey: 'sk_...' });
const { userId } = await nucleus.verifySession(token);
```

Python

```python
from nucleus import NucleusClient

client = NucleusClient(secret_key="sk_...")
session = client.verify_session(token)
```

Rust

```rust
use cntm_nucleus::NucleusClient;

let client = NucleusClient::new("sk_...");
let claims = client.verify_session(&token).await?;
```

Go

```go
import nucleus "github.com/cntm-labs/nucleus/sdks/go"

client := nucleus.NewClient("sk_...")
claims, err := client.VerifySession(token)
```

.NET

```csharp
using Nucleus;

var client = new NucleusClient("sk_...");
var session = await client.VerifySessionAsync(token);
```

Java

```java
NucleusClient client = new NucleusClient("sk_...");
Session session = client.verifySession(token);
```

Flutter

```dart
import 'package:cntm_nucleus/cntm_nucleus.dart';

final nucleus = NucleusClient(publishableKey: 'pk_...');
final session = await nucleus.getSession();
```

Swift

```swift
import CntmNucleus

let nucleus = Nucleus(publishableKey: "pk_...")
let session = try await nucleus.getSession()
```

Android (Kotlin)

```kotlin
val nucleus = Nucleus.configure(context, publishableKey = "pk_...")
val session = nucleus.getSession()
```

Android (Java)

```java
Nucleus nucleus = Nucleus.configure(context, "pk_...");
Session session = nucleus.getSession();
```

Single Rust binary, module boundaries enforced at the crate level:

```
nucleus-server (Axum)
├── nucleus-core        errors, types, crypto, validation
├── nucleus-auth        password, JWT, OAuth, MFA, passkeys, SAML
├── nucleus-identity    user CRUD, ban/unban
├── nucleus-org         organizations, RBAC, invitations
├── nucleus-session     Redis-backed hybrid sessions
├── nucleus-webhook     HMAC signing, delivery, retry
├── nucleus-admin-api   dashboard API, analytics, billing
├── nucleus-db          repository traits + implementations
└── nucleus-migrate     SQL migrations (28+ tables)
```

Nucleus exposes a REST API under /api/v1:
| Area | Endpoints |
|---|---|
| Auth | Sign up, sign in, token refresh, sign out, sign out all |
| OAuth | Initiate OAuth flow, callback handler (9 providers) |
| Magic links | Send magic link, verify |
| OTP | Send email OTP, verify |
| MFA | Enroll TOTP/SMS, verify, manage backup codes |
| Passkeys | Registration + authentication ceremonies (WebAuthn) |
| Password | Reset request, confirm reset |
| Users | Profile CRUD, session management |
| Organizations | CRUD, members, roles, permissions, invitations |
| Admin | User management, ban/unban, webhooks, analytics |
| Dashboard | Projects, API keys, signing keys, OAuth config, templates |
| Discovery | /.well-known/jwks.json, /.well-known/openid-configuration |

```bash
cargo check --workspace                   # Type check
cargo test --workspace                    # Run all tests
cargo clippy --workspace -- -D warnings   # Lint
cargo fmt --all                           # Format
```