Getting Started
Quick Start
Get OpenApe running in minutes.
Quick Start
Add a DNS Record
Point your domain to your IdP by adding a TXT record:
_ddisa.example.com TXT "v=ddisa1; idp=https://id.example.com; mode=strict"
Deploy the IdP
The fastest way is a Nuxt app with the @openape/nuxt-auth-idp module:
npx nuxi init my-idp
cd my-idp
pnpm add @openape/nuxt-auth-idp @openape/nuxt-grants
Configure nuxt.config.ts:
export default defineNuxtConfig({
modules: ['@openape/nuxt-auth-idp', '@openape/nuxt-grants'],
openapeIdp: {
rpName: 'My Identity Provider',
rpID: 'id.example.com',
rpOrigin: 'https://id.example.com',
storageDriver: 's3', // or '' for local filesystem
},
})
All routes are auto-registered: /login, /register, /authorize, /token, /.well-known/jwks.json, and the full admin API.
Deploy the SP
For a service that accepts OpenApe login:
pnpm add @openape/nuxt-auth-sp
export default defineNuxtConfig({
modules: ['@openape/nuxt-auth-sp'],
openapeSp: {
spId: 'myapp.example.com',
openapeUrl: 'https://id.example.com',
},
})
The SP is fully stateless — OAuth flow state lives in signed cookies. Zero server storage needed.
Environment Variables
All configuration can be set via NUXT_OPENAPE_* environment variables:
IdP
| Variable | Description | Default |
|---|---|---|
NUXT_OPENAPE_RP_ID | Relying Party ID (domain) | localhost |
NUXT_OPENAPE_RP_ORIGIN | Relying Party origin (URL) | http://localhost:3000 |
NUXT_OPENAPE_RP_NAME | Display name | OpenApe Identity |
NUXT_OPENAPE_STORAGE_DRIVER | Storage driver (s3 or empty for FS) | `` |
NUXT_OPENAPE_ADMIN_EMAILS | Comma-separated admin emails | |
NUXT_OPENAPE_MANAGEMENT_TOKEN | Bearer token for admin API | |
NUXT_OPENAPE_SESSION_SECRET | Session encryption secret (32+ chars) | |
NUXT_OPENAPE_ISSUER | JWT issuer URL | |
NUXT_OPENAPE_S3_* | S3 credentials (ACCESS_KEY, SECRET_KEY, BUCKET, ENDPOINT, REGION) |
SP
| Variable | Description | Default |
|---|---|---|
NUXT_OPENAPE_SP_ID | Service Provider ID | |
NUXT_OPENAPE_URL | IdP URL for discovery | |
NUXT_OPENAPE_SP_SESSION_SECRET | Session encryption secret (32+ chars) |
Create Your First User
Use the management API to create a registration URL:
curl -X POST https://id.example.com/api/admin/registration-urls \
-H "Authorization: Bearer YOUR_MANAGEMENT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"email":"alice@example.com","name":"Alice"}'
Open the returned URL in a browser to register a Passkey. Done.