
🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (GitHub, Google, Facebook, Okta, etc.), and SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐

Primary Language: Go. License: Apache-2.0


Security App and Plugin for Caddy v2. It includes:

  • Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
  • Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
  • Credentials Plugin for managing credentials for various integrations

Please show your appreciation for this work and ⭐ ⭐ ⭐

Please consider sponsoring this project!

Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau

Documentation: authp.github.io

Security Policy: SECURITY.md

Please see other plugins:

The caddy-security app manages the authentication portal, the authorization security policy, and credentials. The plugin enforces the security policy on endpoints configured with the authorize keyword and serves the authentication portal on endpoints configured with the authenticate keyword.

The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/greenpau/go-authcrunch.

Getting Started

The configuration lives in the Caddyfile's global options block.

  • Setting Up Local Authentication: Video and Config Gist
  • Login with App Authenticator and Yubico U2F: Video
  • Customizing Caddy Auth Portal UI: Video
  • Caddy Authorize: Authorizing HTTP Requests: Video

Download Caddy with the plugins enabled:


The following configuration adds SMTP credentials to the security app. The app and plugin can then reference these credentials by name in the messaging configuration, so the username and password are read from the environment rather than written into the Caddyfile.

  security {
    credentials root@localhost {
      username {env.SMTP_USERNAME}
      password {env.SMTP_PASSWORD}
    }
  }


The following configuration sets up an email messaging provider. It uses the previously configured root@localhost credentials.

  security {
    messaging email provider localhost-smtp-server {
      protocol smtp
      credentials root@localhost
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }

The provider can also be "passwordless", i.e. configured without a credentials reference:

  security {
    messaging email provider localhost-smtp-server {
      protocol smtp
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }

It can also connect over TLS by using the smtps protocol:

  security {
    messaging email provider localhost-smtp-server {
      protocol smtps
      sender root@localhost "My Auth Portal"
      bcc greenpau@localhost
    }
  }


The following configuration adds an authentication portal. It defines a local identity store backed by a JSON file, a portal that signs tokens with the shared key in {env.JWT_SECRET} and issues cookies for the myfiosgateway.com domain, and a site block that serves the portal on auth.myfiosgateway.com.

  security {

    local identity store localdb {
      realm local
      path {$HOME}/.local/caddy/users.json
    }

    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SECRET}
      enable identity store localdb
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
  }

  auth.myfiosgateway.com {
    authenticate * with myportal
  }


The following configuration adds authorization functionality and handlers. The policy verifies tokens with the same {env.JWT_SECRET} the portal signs them with, redirects unauthenticated requests to the portal URL, and admits only tokens carrying one of the listed roles. Because the portal's cookie domain is myfiosgateway.com, the browser also presents the cookie to www.myfiosgateway.com.

  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }

  www.myfiosgateway.com {
    authorize with mypolicy
    root * {env.HOME}/public_html
  }
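To make concrete what a policy like the one above does when it checks a request, here is an added example in Go; it is not code from caddy-security or go-authcrunch. It assumes a shared-secret HS256 token whose roles sit in a `roles` claim next to a standard `exp` claim, and the `Policy`, `SignHS256` and `Authorize` names are this example's own. The plugin's real token format, default signing algorithm and claim names are defined in go-authcrunch and may differ; the order of checks shown (pin the algorithm, verify the signature, then expiry, then roles) is the part worth copying.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of token claims this check looks at.
// The "roles" claim name is an assumption of this example.
type Claims struct {
	Sub   string   `json:"sub"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles"`
}

// Policy mirrors "crypto key verify" and "allow roles": a shared secret
// and a set of roles, any one of which grants access.
type Policy struct {
	Secret       []byte
	AllowedRoles map[string]bool
}

func NewPolicy(secret string, roles ...string) Policy {
	p := Policy{Secret: []byte(secret), AllowedRoles: map[string]bool{}}
	for _, r := range roles {
		p.AllowedRoles[r] = true
	}
	return p
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 mints a token; it stands in for the portal's "crypto key sign-verify".
func SignHS256(secret []byte, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Authorize checks algorithm, signature, expiry and roles, in that order,
// and returns the claims on success so a handler can use the subject.
func (p Policy) Authorize(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the expected algorithm: a header declaring "none" or another
	// alg is rejected before any signature math happens.
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, p.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	for _, r := range c.Roles {
		if p.AllowedRoles[r] {
			return &c, nil
		}
	}
	return nil, errors.New("no allowed role")
}

func main() {
	// Constructed sample: the policy from the Caddyfile, a 3600 s token lifetime.
	policy := NewPolicy("example-secret-from-env", "authp/admin", "authp/user")
	now := time.Now()
	tok, _ := SignHS256(policy.Secret, Claims{Sub: "alice", Exp: now.Add(time.Hour).Unix(), Roles: []string{"authp/user"}})
	c, err := policy.Authorize(tok, now)
	fmt.Println(c, err)
}
```

In production the secret comes from the environment, as the Caddyfile's {env.JWT_SECRET} does, and never from a literal in the source.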

User Interface

User Login


User Identity (whoami)

User Settings

Password Management

Add U2F Token (Yubico)

Add Authenticator App

Multi-Factor Authentication