CRED Auth
CRED Auth is the centralized OAuth 2.0 / OpenID Connect authorization server for the CRED platform, built with NestJS and oidc-provider. It handles user authentication, token issuance, and client management across all CRED services.
Production URL: https://auth.credplatform.com
Key Features
| Feature | Description |
|---|---|
| OAuth 2.0 + OIDC | Full authorization server with OpenID Connect support |
| JWT Access Tokens | RS256 (OIDC keystore) or HS256 (shared secret for API parity) |
| PKCE | Required by default for all authorization flows |
| Dynamic Client Registration | RFC 7591 — clients can self-register (MCP compatible) |
| Protected Resource Metadata | RFC 9728 — MCP clients discover the auth server automatically |
| Resource Indicators | RFC 8707 — audience-restricted access tokens |
| Token Introspection & Revocation | Full token lifecycle management |
| Server-Rendered Login UI | Handlebars-based login and consent pages |
| Rate Limiting & CSRF | Tiered throttling and stateless CSRF protection |
Quick Links
- Architecture - System design, modules, and data flow
- API Reference - All endpoints (OAuth, REST, discovery)
- Security - Authentication, rate limiting, CSRF, and headers
- Deployment - Docker, Cloud Run, and configuration reference
- Development - Local setup, database schema, and testing
Repository
git clone https://github.com/credinvest/cred-auth.git
Tech Stack
- Runtime: Node.js 20+ with NestJS 11
- OAuth Engine: oidc-provider via nest-oidc-provider
- Database: PostgreSQL via Knex
- Auth: Passport (local strategy), bcrypt, jsonwebtoken
- Security: Helmet, @nestjs/throttler, stateless CSRF
- Views: Handlebars (server-rendered login/consent)
- Deployment: Google Cloud Run (Kaniko builds via Cloud Build)
MCP Compatibility
CRED Auth implements the MCP authorization specification, making it compatible with AI assistants (Claude Desktop, Cursor, VS Code, etc.):
- Discovery — `GET /.well-known/oauth-protected-resource` (RFC 9728)
- Dynamic Registration — `POST /oauth/reg` (RFC 7591) when enabled
- Authorization — Standard OAuth 2.1 code flow with PKCE
- Resource Indicators — `resource` parameter in authorization requests (RFC 8707)
- Custom Redirect Schemes — Supports `cursor://`, `vscode://`, and loopback URIs
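The PKCE and resource-indicator parts of this flow, client side and server side, as an added TypeScript example that is not code from the cred-auth repository: the `/auth` endpoint path and all hostnames are assumptions (a real client takes the endpoint from discovery), and the server-side check shows what a token endpoint must do rather than reproducing oidc-provider's implementation.

```typescript
// Added example, not part of cred-auth: PKCE (RFC 7636) + resource indicator (RFC 8707).
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const base64url = (buf: Buffer): string => buf.toString("base64url");

// RFC 7636 §4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function computeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Client side: a fresh high-entropy verifier (32 random bytes -> 43 base64url chars).
function generatePkce(): { verifier: string; challenge: string } {
  const verifier = base64url(randomBytes(32));
  return { verifier, challenge: computeChallenge(verifier) };
}

// Client side: authorization request carrying the S256 challenge and the resource
// the token is meant for. The "/auth" path is an assumption for this example.
function buildAuthorizeUrl(
  issuer: string, clientId: string, redirectUri: string,
  challenge: string, resource: string, state: string,
): string {
  const u = new URL("/auth", issuer);
  u.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri,
    code_challenge: challenge, code_challenge_method: "S256",
    resource, state, scope: "openid",
  }).toString();
  return u.toString();
}

// Server side (token endpoint): recompute the challenge from the presented verifier
// and compare it in constant time with the one stored on the authorization code.
// Only S256 is accepted here; "plain" gives no protection against code interception.
function verifyPkce(storedChallenge: string, method: string, verifier: string): boolean {
  if (method !== "S256") return false;
  if (verifier.length < 43 || verifier.length > 128) return false; // RFC 7636 §4.1 bounds
  const got = Buffer.from(computeChallenge(verifier));
  const want = Buffer.from(storedChallenge);
  return got.length === want.length && timingSafeEqual(got, want);
}

// Resource side: an audience-restricted token is only valid for the resource it was
// issued for, so the aud claim must name the resource that receives the call.
function audienceMatches(aud: string | string[] | undefined, resource: string): boolean {
  const list = Array.isArray(aud) ? aud : aud ? [aud] : [];
  return list.includes(resource);
}
```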
Token TTLs
| Token Type | Default TTL | Env Variable |
|---|---|---|
| Access Token | 1 hour | OAUTH_TTL_ACCESS_TOKEN |
| Authorization Code | 10 minutes | OAUTH_TTL_AUTH_CODE |
| Refresh Token | 14 days | OAUTH_TTL_REFRESH_TOKEN |
| Session | 14 days | OAUTH_TTL_SESSION |
| Grant | 14 days | OAUTH_TTL_GRANT |
| Interaction | 1 hour | OAUTH_TTL_INTERACTION |
| Registration Access Token | 7 days | OAUTH_TTL_REG_TOKEN |