Getting Started

Set Up an Identity Provider

Deploy your own OpenApe IdP with DNS, storage, and Passkey authentication.

Quick Start

Add a DNS Record

Point your domain to your IdP by adding a TXT record:

_ddisa.example.com TXT "v=ddisa1; idp=https://id.example.com; mode=strict"

Deploy the IdP

The fastest way is a Nuxt app with the @openape/nuxt-auth-idp module:

npx nuxi init my-idp
cd my-idp
pnpm add @openape/nuxt-auth-idp

Configure nuxt.config.ts:

export default defineNuxtConfig({
  modules: ['@openape/nuxt-auth-idp'],
  openapeIdp: {
    rpName: 'My Identity Provider',
    rpID: 'id.example.com',
    rpOrigin: 'https://id.example.com',
    storageDriver: 's3', // or '' for local filesystem
  },
})

All routes are auto-registered: /login, /register, /authorize, /token, /.well-known/jwks.json, and the full admin API.

Deploy the SP

For a service that accepts OpenApe login:

pnpm add @openape/nuxt-auth-sp

export default defineNuxtConfig({
  modules: ['@openape/nuxt-auth-sp'],
})

That's it for development — the module auto-generates secrets and derives clientId from your dev server. Add a login page:

<template>
  <OpenApeAuth />
</template>

For production, set clientId in nuxt.config.ts and provide the session secret through the environment:

export default defineNuxtConfig({
  modules: ['@openape/nuxt-auth-sp'],
  openapeSp: {
    clientId: 'myapp.example.com',
  },
})

NUXT_OPENAPE_SP_SESSION_SECRET=$(openssl rand -hex 32)

The SP is fully stateless — OAuth flow state lives in signed cookies. Zero server storage needed.

See the nuxt-auth-sp docs for full configuration reference.

Environment Variables

All configuration can be set via NUXT_OPENAPE_* environment variables:

IdP

| Variable | Description | Default |
| --- | --- | --- |
| NUXT_OPENAPE_RP_ID | Relying Party ID (domain) | localhost |
| NUXT_OPENAPE_RP_ORIGIN | Relying Party origin (URL) | http://localhost:3000 |
| NUXT_OPENAPE_RP_NAME | Display name | OpenApe Identity |
| NUXT_OPENAPE_STORAGE_DRIVER | Storage driver (s3 or empty for FS) | (empty) |
| NUXT_OPENAPE_ADMIN_EMAILS | Comma-separated admin emails | |
| NUXT_OPENAPE_MANAGEMENT_TOKEN | Bearer token for admin API | |
| NUXT_OPENAPE_SESSION_SECRET | Session encryption secret (32+ chars) | |
| NUXT_OPENAPE_ISSUER | JWT issuer URL | |
| NUXT_OPENAPE_S3_* | S3 credentials (ACCESS_KEY, SECRET_KEY, BUCKET, ENDPOINT, REGION) | |
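
An added example, not part of the OpenApe documentation or code: a pre-deploy check that the TXT record from "Add a DNS Record" and the IdP variables above agree with each other. The function names are hypothetical, and requiring the record's idp value to share an origin with NUXT_OPENAPE_RP_ORIGIN is an assumption taken from the page's example values; the RP ID rule is the WebAuthn requirement.

```javascript
// Added example: pre-deploy consistency check (hypothetical helper names).
// Parse a DDISA TXT value such as "v=ddisa1; idp=https://...; mode=strict".
function parseDdisa(txt) {
  const fields = {};
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip empty or malformed segments
    fields[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return fields;
}

// Return a list of problems; an empty list means the settings agree.
function checkIdpConfig(txt, env) {
  const problems = [];
  const rec = parseDdisa(txt);
  if (rec.v !== 'ddisa1') problems.push('TXT record: v is not ddisa1');
  let idp, origin;
  try { idp = new URL(rec.idp); } catch { problems.push('TXT record: idp is not a URL'); }
  try { origin = new URL(env.NUXT_OPENAPE_RP_ORIGIN); } catch { problems.push('RP_ORIGIN is not a URL'); }

  if (idp && idp.protocol !== 'https:') problems.push('TXT record: idp is not https');
  // Assumption: the record should name the same origin the IdP is served from.
  if (idp && origin && idp.origin !== origin.origin) {
    problems.push('TXT record idp and RP_ORIGIN are different origins');
  }
  if (origin) {
    // WebAuthn: the RP ID must equal the origin's host or be a parent domain
    // of it (public-suffix filtering is not done here).
    const host = origin.hostname;
    const rpId = (env.NUXT_OPENAPE_RP_ID || '').toLowerCase();
    if (!rpId || (host !== rpId && !host.endsWith('.' + rpId))) {
      problems.push('RP_ID does not match the RP_ORIGIN host');
    }
  }
  if ((env.NUXT_OPENAPE_SESSION_SECRET || '').length < 32) {
    problems.push('SESSION_SECRET is shorter than 32 characters');
  }
  return problems;
}

// Constructed sample input mirroring the values used on this page.
const sampleTxt = 'v=ddisa1; idp=https://id.example.com; mode=strict';
const sampleEnv = {
  NUXT_OPENAPE_RP_ID: 'id.example.com',
  NUXT_OPENAPE_RP_ORIGIN: 'https://id.example.com',
  NUXT_OPENAPE_SESSION_SECRET: 'x'.repeat(64), // placeholder, not a real secret
};
console.log(checkIdpConfig(sampleTxt, sampleEnv)); // prints []
```

Running it in CI against the real record value and `process.env` catches a leftover `localhost` default or a short session secret before the IdP goes live.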

SP

| Variable | Description | Default |
| --- | --- | --- |
| NUXT_OPENAPE_CLIENT_ID | Service Provider ID | |
| NUXT_OPENAPE_URL | IdP URL for discovery | |
| NUXT_OPENAPE_SP_SESSION_SECRET | Session encryption secret (32+ chars) | |

Install the CLI

npm i -g @openape/grapes

Create Your First User

grapes login --idp https://id.example.com

This opens a browser where you register with a Passkey. Once registered, you're logged in.

If this is a fresh IdP with no users yet, create a registration URL first via the admin API. See the API Reference for POST /api/admin/registration-urls.

What's Next?