Documentation refresh. Public Mintlify docs updated for the Principal / Vault / Identity model. Retired profile-based terminology, removed references to the old in-process AuthService library API, and aligned installation, doctor, and daemon API pages with the current storage layout.
Current integration surface. CLI commands, authsome run proxy injection, authsome export, and the daemon HTTP API (with PoP JWT auth) are the supported paths for agents and tooling.
Next.js dashboard. Static dashboard served from the daemon root with provider and connection management UI.
Self-hosting. Docker Compose setup and self-hosting guide for running the daemon outside a laptop.
Provider expansion. Bundled providers for Google Workspace services, Jira, Confluence, YouTube, Vertex AI, Todoist, Cloudflare, Outlook, Word, Calendar, Zoom, Reddit, and more.
Architecture cleanup. Multi-server-compatible identities, cleaner UI auth flows, and client/server home directory split (~/.authsome/client/ vs ~/.authsome/server/).
⚠ Breaking: Principal claim flow required for vault access. Existing local installs must register a Principal and accept the identity claim.
⚠ Breaking: Vault encryption moved to Argon2id KEK/DEK model. Fernet-encrypted vaults cannot be read back; re-login required.
Audit events and principal roles. Structured audit logging with admin/user roles. Admin audit dashboard.
Browser SSO. Chrome cookie reading for providers that support it.
Anthropic and Gemini bundled providers added.
⚠ Breaking: Principal, Vault, and Identity replace the old profile model. Credentials are namespaced under vault:<vault_id>:.... See Principal, Vault, and Identity.
Claim flow. Identities must claim a Principal before accessing credentials.
Master key rotation. rekey command and API endpoint.
CLI restructure. Provider and admin command namespaces.
Configurable proxy scope. connected_allow and related proxy modes in client config.
Health checks. Readiness validates connections for the active identity.
Telemetry. Opt-out PostHog analytics via environment variables.
Browser bridge for sensitive input. OAuth client_secret and API keys collected through a local browser form.
{base_url} templating. Multi-tenant providers (GitHub Enterprise, Okta, GitLab self-managed).
Audit logging. Structured JSON event log for login, logout, revoke, and export.
Admin audit dashboard and Notion DCR provider.
AUTHSOME_HOME for per-project credential isolation.
Initial public series. Established the CLI surface, four flow types (PKCE, device code, DCR + PKCE, API key), bundled providers, and the proxy runner.
Versioning
Authsome follows Semantic Versioning. The current series is 0.x, so breaking changes can happen on minor bumps and are called out under ### ⚠ BREAKING CHANGES in CHANGELOG.md. Once the 1.0 line lands, breaking changes will be confined to major bumps.
Upgrading
Authsome is installed as a regular Python package:
schema_version field reserved for forward-compatibility migrations.
What’s next
Roadmap
What’s coming and what’s deliberately out of scope.
Installation
Install paths and upgrade commands.