Google Identity Services, owned sessions

Own the session. Keep tokens off the browser.

TAuth verifies Google credentials, mints first-party JWT cookies, and rotates refresh tokens server-side. One origin, zero token storage, and a multi-tenant config your platform team can trust.

Session model: JWT cookies
Scope: Single origin
Mode: Multi-tenant
launch
$ tauth --config=config.yaml
/auth/nonce  -> /auth/google
/auth/refresh -> /auth/logout
/me -> profile

First-party cookies

Access sessions live in HttpOnly cookies, not local storage. SameSite rules are derived per tenant.

Tenant aware

Host multiple products with tenant-specific cookies, issuers, and refresh TTLs in one file.

Preflight validation

Emit a redacted config report so orchestrators can validate secrets and endpoints before launch.

Drop-in client

Use hosted tauth.js for nonce exchange, refresh retries, and logout state without custom wiring.

Blueprint the landing story

The page stacks a bold hero, value props, and deep dives that read like a platform spec. Every section supports an operator decision in under a minute.

Structure:
- Hero + CLI snapshot
- Value props grid
- Auth exchange, JWT validation, tenant config
- Palette suggestions
- Get started links

Nonce to cookie exchange

Clients request a nonce, post the Google credential, then rely on the signed cookie for everything else. Refresh and logout stay server-only.

POST /auth/nonce
POST /auth/google
POST /auth/refresh
POST /auth/logout
GET  /me

JWT validation for every service

Downstream Go services validate app_session cookies with the same tenant config, so issuers and cookie names stay aligned.

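// signingKey and the issuer come from the same tenant config TAuth uses.
validator, err := sessionvalidator.New(
  sessionvalidator.Config{
    SigningKey: signingKey,
    Issuer: "tauth",
  },
)
if err != nil {
  // Refuse to start without a working validator.
  log.Fatalf("session validator: %v", err)
}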

Tenant config as a contract

One YAML file defines tenant origins, cookie names, and TTLs. Tenants are resolved by the request's Origin, or by an explicit header when several tenants share an origin.

tenants:
  - id: "notes"
    tenant_origins: ["https://notes.localhost"]
    google_web_client_id: "..."
    jwt_signing_key: "..."
    session_cookie_name: "app_session_notes"
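
One way a service could apply the "resolve by Origin or explicit header" rule, shown as an added Go sketch that is not TAuth's own code. The Tenant struct mirrors the YAML keys above; the Resolve function, the error value, and the docs and wiki tenants on https://suite.localhost are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Tenant mirrors fields from the page's YAML; parsing the file is out of scope here.
type Tenant struct {
	ID                string
	TenantOrigins     []string
	SessionCookieName string
}

var ErrNoTenant = errors.New("request does not map to exactly one tenant")
// Resolve takes the Origin header value and the explicit tenant header value
// ("" when absent). Only tenants listing origin verbatim are candidates, so the
// header chooses among tenants sharing an origin but never reaches another origin.
func Resolve(tenants []Tenant, origin, tenantID string) (Tenant, error) {
	var candidates []Tenant
	for _, t := range tenants {
		for _, o := range t.TenantOrigins {
			if origin != "" && o == origin { // exact match, no prefix or suffix logic
				candidates = append(candidates, t)
				break
			}
		}
	}
	if tenantID == "" && len(candidates) == 1 {
		return candidates[0], nil
	}
	for _, t := range candidates {
		if tenantID != "" && t.ID == tenantID {
			return t, nil
		}
	}
	return Tenant{}, ErrNoTenant
}

func main() {
	// Constructed sample config: docs and wiki share one origin, notes has its own.
	ts := []Tenant{
		{"notes", []string{"https://notes.localhost"}, "app_session_notes"},
		{"docs", []string{"https://suite.localhost"}, "app_session_docs"},
		{"wiki", []string{"https://suite.localhost"}, "app_session_wiki"},
	}
	fmt.Println(Resolve(ts, "https://notes.localhost", ""))
	fmt.Println(Resolve(ts, "https://suite.localhost", "notes"))
}
```

The resolved tenant's SessionCookieName tells the caller which cookie to read; a request that resolves to no tenant should be rejected before any cookie is parsed.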

Palette suggestions

Use a neon accent on deep charcoal for dark mode, or flip to a light mist palette for marketing docs and release notes.

Dark baseline

--bg: #07090d
--surface: #0f141c
--ink: #f3f8ff
--accent: #5ef6ff
--accent-2: #b6ff6a

Light baseline

--bg: #f7f8fb
--surface: #e6ebf2
--ink: #121826
--accent: #009bb8
--accent-2: #5a7d2a

Get started in minutes

Launch the binary, point it at config.yaml, and let the hosted client handle the browser-side exchange.

quickstart
$ tauth --config=config.yaml
listen :8443
cookies: app_session / app_refresh
tauth.js: /tauth.js