Ovlt: A Lightweight, Rust-Powered Auth Server for Self-Hosting

May 9, 2026

Authentication and authorization infrastructure is often the most critical yet most cumbersome part of a system. For teams who want to avoid the heavy overhead of managed platforms or the complexity of JVM-based solutions, finding a lightweight, secure, and self-hosted alternative is a challenge.

Ovlt is a self-hosted OAuth2 and OIDC server designed to provide professional-grade authentication infrastructure without the "platform bloat." Built entirely in Rust, it focuses on high performance, strict tenant isolation, and a minimal resource footprint—often running in as little as 20MB of RAM.

Core Architecture and Key Features

Ovlt is delivered as a single Rust binary, consolidating the essential components of modern auth: OAuth2, user management, multi-tenancy, and Multi-Factor Authentication (MFA).

Tenant Isolation via PostgreSQL RLS

One of the most significant architectural choices in Ovlt is how it handles multi-tenancy. Rather than relying solely on application-level logic to filter data, Ovlt leverages PostgreSQL Row-Level Security (RLS).

In this model, every request resolves a tenant context, which then opens a tenant-scoped transaction. The database itself enforces the boundary, ensuring that rows from other tenants are invisible to the application code before the query is even executed. This significantly reduces the risk of data leakage between tenants, moving the security boundary to the data layer.
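The tenant-scoped transaction pattern described above, as an added illustration written for this post rather than Ovlt's own schema (table, column, role and setting names, and the sample tenant id, are assumptions):

```sql
-- Assumed table; Ovlt's real schema is not shown on this page.
CREATE TABLE users (
    id        uuid  PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    email_enc bytea NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE users FORCE ROW LEVEL SECURITY;

-- The application role must not be a superuser or carry BYPASSRLS,
-- otherwise every policy below is silently skipped.
CREATE ROLE ovlt_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON users TO ovlt_app;

-- A row is visible (USING) and writable (WITH CHECK) only when its
-- tenant_id equals the transaction-local setting app.tenant_id.
-- NULLIF guards the case where the setting is unset or empty: the
-- comparison then yields NULL, so a request that forgot to bind a
-- tenant sees no rows instead of all rows.
CREATE POLICY tenant_isolation ON users
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: open a transaction and bind the resolved tenant with
-- SET LOCAL, so the value is discarded at COMMIT/ROLLBACK and cannot
-- leak to the next request that reuses the pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id

SELECT id FROM users;                        -- returns only this tenant's rows

INSERT INTO users (id, tenant_id, email_enc)
VALUES (gen_random_uuid(),
        '11111111-1111-1111-1111-111111111111',  -- same tenant: accepted
        '\x00'::bytea);

-- An INSERT or UPDATE that sets tenant_id to any other value is rejected
-- by WITH CHECK with "new row violates row-level security policy",
-- regardless of what the application code intended.
COMMIT;
```

Run the session as ovlt_app (for example via SET ROLE ovlt_app) to see the policy take effect; as a superuser the same statements would return every tenant's rows.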

Security and "Audit-Ready" Encryption

To address the concerns of security audits and CTOs, Ovlt employs a double-envelope encryption strategy using the hefesto crate. Sensitive fields—such as emails, TOTP secrets, and SMTP passwords—are protected with AES-256-GCM encryption before they ever hit the database.

By utilizing a documented key hierarchy and a transparent encryption layer, Ovlt allows security teams to audit the exact mechanism by which data is encrypted at rest. This "zero-knowledge" approach ensures that even if the database alone is compromised, the sensitive fields remain sealed, since the keys needed to open them are held outside the database.

Management via TUI

Unlike many auth servers that require a complex web-based administration console, Ovlt provides a Terminal User Interface (TUI). This TUI is used to manage the entire lifecycle of the auth server, including:

  • Tenant and user creation
  • Client and role management
  • Passkey and session configuration
  • Per-tenant SMTP settings and Google/GitHub IdP integrations
  • Audit logs

Performance and Resource Efficiency

Ovlt positions itself as a leaner alternative to traditional auth providers. By avoiding the JVM, Redis, and various sidecar processes, it achieves a memory footprint that is often smaller than a single browser tab. This makes it an ideal candidate for edge deployments or resource-constrained environments where every megabyte of RAM counts.

Open Source and Community

Ovlt is source-available under the ELv2 license and is built in public. The project encourages community contributions, and its roadmap is open for public inspection, allowing developers to see exactly where the project is heading.

While the community has suggested comparisons with other lightweight identity managers like Kanidm, the developers are focused on an open roadmap and iterative development based on user feedback.
