Anchor provides a flexible authentication system that supports both local username/password authentication and OpenID Connect (OIDC) integration with external identity providers.

Authentication Methods

Local Authentication

Traditional username and password authentication with secure token-based sessions

OIDC Authentication

Enterprise single sign-on with OpenID Connect providers

Key Features

Secure Token System

Anchor uses a dual-token authentication system:
  • Access Tokens: Short-lived JWTs for API authentication
  • Refresh Tokens: Long-lived tokens (90 days) stored in the database for session renewal
  • API Tokens: Optional persistent tokens for programmatic access

Flexible User Registration

Control how users can register with three registration modes:
  • Users can register freely and access the system immediately after signup.
  • Users can register but must wait for administrator approval before accessing the system.
  • Registration is completely disabled. Only administrators can create new users.
The first user to register automatically becomes an administrator, regardless of the registration mode.

OIDC Account Linking

When OIDC is enabled, Anchor automatically links accounts based on email addresses:
  • If a user with the same email exists, the OIDC identity is linked to that account
  • Users can sign in with either local credentials or OIDC (unless internal auth is disabled)
  • Profile information (name, avatar) is synchronized from the OIDC provider
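The example below is added here and is not Anchor's code. It shows one way to make an email-based linking decision so that an unverified address at the provider cannot attach itself to an existing local account. The function names, data shapes, issuer URL, and the check on the standard OIDC `email_verified` claim are assumptions, not documented Anchor behavior.

```javascript
// Added example, not Anchor's code. Names and data shapes are assumptions.
// claims: ID token claims whose signature has already been validated.
const ISSUER = "https://idp.example.test"; // constructed issuer
const sampleUsers = [                      // constructed user store
  { id: 1, email: "Alice@example.test", oidc: null },
  { id: 2, email: "bob@example.test", oidc: { iss: ISSUER, sub: "bob-sub" } },
];

function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

function resolveOidcLogin(claims, users, trustedIssuer) {
  // Accept identities from the configured provider only.
  if (!claims || claims.iss !== trustedIssuer || !claims.sub) {
    return { action: "reject", reason: "untrusted_issuer_or_missing_sub" };
  }
  // 1. Already linked: match on the stable (iss, sub) pair, never on email,
  //    so a changed address at the provider does not change the account.
  const linked = users.find(
    (u) => u.oidc && u.oidc.iss === claims.iss && u.oidc.sub === claims.sub
  );
  if (linked) return { action: "login", userId: linked.id };

  // 2. Not linked yet: an email match is only a candidate for linking.
  const email = normalizeEmail(claims.email);
  const candidate = email && users.find((u) => normalizeEmail(u.email) === email);
  // No match: creation is left to the caller and its registration mode.
  if (!candidate) return { action: "create", email };

  // 3. Link only if the provider asserts it verified the address.
  //    Strict comparison: the string "true" is not accepted.
  if (claims.email_verified !== true) {
    return { action: "reject", reason: "email_not_verified" };
  }
  // 4. Never rebind an account that already belongs to another identity.
  if (candidate.oidc) {
    return { action: "reject", reason: "account_linked_to_other_identity" };
  }
  return {
    action: "link",
    userId: candidate.id,
    oidc: { iss: claims.iss, sub: claims.sub },
  };
}
```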

API Endpoints

Anchor’s authentication system exposes RESTful endpoints:
# Register a new user
POST /api/auth/register

# Login with credentials
POST /api/auth/login

# Refresh access token
POST /api/auth/refresh

# Get current user
GET /api/auth/me

User Statuses

Users can have the following statuses:
Status    Description
active    User can access the system normally
pending   User registered but awaiting admin approval (review mode)
Users with pending status cannot log in until an administrator approves their account.

Password Requirements

For local authentication, passwords must:
  • Be at least 8 characters long
  • Be hashed using bcrypt with 10 rounds
  • Not be reused when changing passwords

OIDC vs Local Authentication

Best for:
  • Self-hosted deployments
  • Small teams without existing identity infrastructure
  • Development and testing environments
Features:
  • Simple email/password registration
  • Password change capability
  • Profile image uploads
  • No external dependencies

Next Steps

Set up Local Auth

Configure local username/password authentication

Configure OIDC

Integrate with your identity provider

Manage Users

Control registration modes and user approval

API Reference

Explore authentication API endpoints
