You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Martijn van der Ven a76ca38d2d
Merge pull request #46 from Zegnat/no-more-response_type-id
1 year ago
.gitignore add git ignore 5 years ago add contributing and licensing information 5 years ago first pass at documenting codesniffer commands 5 years ago add contributing and licensing information 5 years ago Move token endpoint information out of warnings 5 years ago
config.php.example refs #7 test for config.php existing 5 years ago
index.php Merge pull request #46 from Zegnat/no-more-response_type-id 1 year ago
ruleset.xml add rules to embedded php and closing tags 5 years ago
setup.php Clean up setup.php 5 years ago


Selfauth is a self-hosted Authorization Endpoint used to login with a personal URL (as Web sign-in) via IndieAuth. See How it works for more.

Selfauth is not a Token Endpoint. To fully use Selfauth for authorization (and not just authentication) a separate token endpoint needs to be set-up, e.g. when using Micropub clients. Examples of Token Endpoints are listed on the wiki.


  • While Selfauth will work with old versions of PHP, some of the more secure functions Selfauth uses were not added until version 5.6. While older versions are not completely insecure, it is strongly recommended you upgrade to a newer version of PHP.


To set up Selfauth, create a folder on your webserver and add the files in this repository to it. You can name the folder anything you like, but in this example we will work with 'auth' under

  1. Create a folder called 'auth' on your webserver and add at least index.php and setup.php.

  2. Go to and fill in the form: pick the personal URL you're trying to log in for (in our case and choose a password.

  3. Find the index-page of your domain and add the following code inside the <head> tag:

    <link rel="authorization_endpoint" href="" />

    ... where is the URL you installed Selfauth to. (The exact location of your HTML <head> could be hidden in your CMS. Look for help in their documentation. Setting a HTTP Link header like Link: <>; rel="authorization_endpoint" should work too.)

You can delete the file setup.php if you want, but this is optional. It will not be able to save a new password for you once the setup is completed.

Changing your password

To change your password, make sure the setup.php file is in place again and delete config.php. Then follow the steps under Setup again.

How it works

On a (Web)App which supports IndieAuth, you can enter your personal URL. The App will detect Selfauth as Authorization Endpoint and redirect you to it. After you enter your password in Selfauth, you are redirected back to the App with a code. The App will verify the code with Selfauth and logs you in as your personal URL.

To test it, you can go to an App that supports IndieAuth and enter your personal URL. has a test-form on the frontpage. If you also link to your social media accounts using rel="me", might show you a list of buttons. To use Selfauth, click the one that has your Selfauth URL on it.


Copyright 2017 by Ben Roberts and contributors

Available under the Creative Commons CC0 1.0 Universal and MIT licenses.

See and for the text of these licenses.