Docs

Practical guide to Doorman: what users can do, how operators set it up, and how technical teams integrate auth, RBAC, billing, and usage.

Integration

Auth/OIDC

  • Create an app and OAuth client in the dashboard.
  • Use Hydra discovery for authorization, token, JWKS, and issuer metadata.
  • Use authorization code + PKCE for browser apps.
  • Use the Doorman login and consent pages as Hydra UI handlers.
  • For enterprise SSO, configure org identity providers and optional domain routing.

# Fetch the OIDC discovery document; it carries the authorization, token,
# JWKS and issuer metadata clients and resource servers should configure from
curl -sSf https://doorman.f1cs-dev.it/oauth2/.well-known/openid-configuration

# Extract the JWKS URI resource servers use to fetch token signing keys
curl -sSf https://doorman.f1cs-dev.it/oauth2/.well-known/openid-configuration | jq -r .jwks_uri

RBAC

Access tokens are JWTs that carry Doorman app and tenant role context. Resource servers must validate each token before trusting it (signature against the JWKS from discovery, issuer, audience, and expiry) and then enforce permissions from the doorman claim. The React SDK can parse claims, evaluate generic policies, render UX gates, and run server-side authorization checks.

// Bind the incoming bearer token to this app and the caller's active tenant
const context = createDoormanServerContext({
  authorizationHeader: request.headers.get("authorization"),
  appId: "APP_ID",
  activeTenantId: tenantId
});

// Throws unless the token grants resources:read in the active tenant
requireServerPolicy(context, {
  type: "permission",
  permission: "resources:read"
});

UI gates such as RequirePolicy improve UX only; anyone who can call the API directly bypasses them. Every protected mutation (and any read that returns tenant data) must also be authorized by a server-side check.

Billing

  • Define plans and meters in Doorman.
  • Map Doorman plan components to Stripe price IDs.
  • Map or create Stripe customers per org + tenant.
  • Create checkout through Doorman and unlock only when subscription status returns is_active=true; treat any other value, or a missing field, as inactive.
  • Send usage events to Doorman; workers aggregate and export provider usage.

Service accounts

Service accounts are app-scoped machine identities. Create them from the dashboard or API, store the secret (it is shown only once) in your secrets manager, then use the Hydra client_credentials grant for server-to-server access.

# Token endpoint: the same value as token_endpoint in the discovery document
curl -sS -X POST https://doorman.f1cs-dev.it/oauth2/oauth2/token \
  -u "CLIENT_ID:CLIENT_SECRET" \
  -d grant_type=client_credentials \
  -d scope=doorman
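
The same grant from application code, as an added example that is not Doorman's SDK: the request is built from the discovery document's token_endpoint, credentials go in an RFC 6749 Basic header, and the token is cached and refreshed shortly before it expires. The pure pieces (request builder, response parser, freshness check) are separate from the one async wrapper so they can be exercised offline. The discovery fixture, client ID and secret are assumptions.

```javascript
// Added example (not Doorman's own code): client_credentials for a service
// account with discovery-derived endpoint and a refresh-before-expiry cache.

// Constructed discovery fixture; read the real value from discovery.
const ASSUMED_DISCOVERY = {
  token_endpoint: "https://doorman.f1cs-dev.it/oauth2/oauth2/token",
};

// RFC 6749 section 2.3.1: form-urlencode id and secret before base64 so that
// ":" or "@" in either value survives. curl -u does not do this for you.
function basicAuth(clientId, clientSecret) {
  const enc = encodeURIComponent;
  return "Basic " + Buffer.from(`${enc(clientId)}:${enc(clientSecret)}`).toString("base64");
}

// Returns the HTTP request to send; refuses non-TLS endpoints because the
// secret travels in the Authorization header.
function buildClientCredentialsRequest(discovery, { clientId, clientSecret, scope = "doorman" }) {
  const url = discovery && discovery.token_endpoint;
  if (!url || !url.startsWith("https://")) throw new Error("token_endpoint missing or not https");
  return {
    url,
    method: "POST",
    headers: {
      Authorization: basicAuth(clientId, clientSecret),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({ grant_type: "client_credentials", scope }).toString(),
  };
}

// Turns a token response into a cache entry with an absolute expiry.
function parseTokenResponse(status, json, nowMs) {
  if (status !== 200) {
    throw new Error(`token request failed: ${status} ${(json && json.error) || ""}`.trim());
  }
  if (!json || !json.access_token || String(json.token_type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token response");
  }
  return { accessToken: json.access_token, expiresAtMs: nowMs + Number(json.expires_in || 0) * 1000 };
}

// A cached token is reused only while it has more than skewSeconds left,
// so clock drift between client and server does not produce 401s.
function isUsable(entry, nowMs, skewSeconds = 30) {
  return Boolean(entry) && entry.expiresAtMs - skewSeconds * 1000 > nowMs;
}

// Thin async wrapper over the pure pieces. fetchImpl defaults to global fetch
// (Node 18+) and can be swapped for a fake in tests.
function createServiceAccountClient(opts, fetchImpl = globalThis.fetch) {
  let cached = null;
  return {
    async getAccessToken() {
      if (isUsable(cached, Date.now())) return cached.accessToken;
      const req = buildClientCredentialsRequest(opts.discovery, opts);
      const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
      cached = parseTokenResponse(res.status, await res.json(), Date.now());
      return cached.accessToken;
    },
    async authorizedFetch(url, init = {}) {
      const token = await this.getAccessToken();
      const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
      return fetchImpl(url, { ...init, headers });
    },
  };
}
```

Load `clientSecret` from the environment or a secrets manager at startup; the one-time secret from the dashboard should never be committed with the code that calls `createServiceAccountClient`.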

Sample apps

  • examples/sample-spa: minimal OIDC browser flow.
  • examples/sample-client: server-side OIDC client flow.