Skip to content
← All packages

Identity Platform for Laravel

A self-hostable, Laravel-native identity platform. Central login, enterprise SSO, directory sync, RBAC, billing-driven entitlements and a tamper-evident audit trail, all interface-driven and deny-by-default.

Identity Platform for Laravel is a self-hostable identity layer you bind into your own app: central login, enterprise SSO, directory sync, RBAC, billing-driven entitlements and a tamper-evident audit trail. It is UI-free and domain-free. Every capability sits behind a contract you bind, mock, extend or replace, and the whole thing is deny-by-default and verified with tests, PHPStan at max level and composer audit before it ships.

What It Covers

Authentication

Central login and user directory behind a UserDirectory contract, with password and credential handling that stays out of your domain code.

SSO & Federation

Enterprise single sign-on over SAML and OIDC, plus an OAuth/OIDC provider of your own, so other apps can log in against your identity platform.

Directory Sync (SCIM)

SCIM 2.0 provisioning so an upstream IdP can create, update and deactivate users and groups in your directory automatically.

Access Control & RBAC

Role-based access control with an Authorization kernel, deny-by-default, so every check is explicit rather than assumed.

Billing-Fed Entitlements

Entitlements driven by billing state, so what a user or organization can do follows their plan without hand-wired feature flags.

Tamper-Evident Audit

An audit trail you can query and prove, built on a Crypto kernel, for the who-did-what a compliance review will ask for.

Contracts all the way down

The platform is split into kernels (Tenancy, Crypto, Audit, Events, Authorization) and domain modules (Organization, Identity, AccessControl, Directory, Federation, Webhooks, AuditQuery). Each is interface-driven: you resolve a contract like Organizations or UserDirectory from the container and get a working implementation, which you can swap for your own without touching the call sites.

Standards and compliance

Implements the RFCs an identity platform is expected to: OAuth and OIDC, SCIM, SAML, plus FAPI and MCP. The docs map controls to SOC 2, ISO 27001, NIS2, GDPR, HIPAA and PCI-DSS, and ship a threat model alongside the security guidance.

Dogfooding

The package is private during internal dogfooding and goes public when ready. The architecture, contracts and module boundaries are settling first, so the public API is not frozen yet.