A self-hostable auth broker — Google sign-in to a signed identity token, in one tiny binary.
Your keys, no SaaS, no cross-app tracking.
1. send the user to: https://auth.intrane.fr/login?redirect=https://yourapp.com/cb&track=true
2. they sign in with Google
3. we redirect back to: https://yourapp.com/cb?token=<JWT>
4. verify the JWT against https://auth.intrane.fr/.well-known/jwks.json
Params on /login:
redirect (required) — your callback URL; its origin must be in ALLOWED_ORIGINS. We append ?token=<JWT> to it.
track (optional, default true) — true includes the real email and sets the claim email_trackable:true; false omits the email so the user is unlinkable across apps too. Read the claim to know which you hold.
The token's sub is HMAC(secret, google_sub | your_origin) — stable for that user at your app, useless anywhere else; aud is your origin.
GOOGLE_CLIENT_ID=... GOOGLE_CLIENT_SECRET=... \
AUTH_BASE_URL=https://auth.yourdomain.com \
ALLOWED_ORIGINS=https://yourapp.com,https://other.com \
./machin-auth
One static binary (machin/MFL). The signing key is persisted to auth-seed.hex on first run — protect it. The matching public key is published at /.well-known/jwks.json, so you can check it at any time.
Hosted auth brokers see every one of your logins. machin-auth runs on your box, signs with your key, stores nothing, and emits a standard token any stack can verify. Source · built with machin.