Open Gauge Documentation
Self-hosting

Authentication

Local users, OAuth2/OIDC, enterprise SSO, and role-based access control.

Authentication in Open Gauge is designed to be self-hostable end to end — including in fully offline / air-gapped environments — and is never coupled to a cloud-only provider.

Supported authentication modes

  • Local users and passwords — the default for small self-hosted installations. Works fully offline; no external dependency.
  • OAuth2 / OpenID Connect — for organizations that already run an identity provider.
  • Enterprise SSO — via an OIDC-compatible provider. Keycloak is the recommended choice for enterprise deployments that want self-hosted SSO without depending on a cloud identity service.

Authentication sits behind a clear abstraction layer in the backend, so a deployment can move from local auth to Keycloak (or another OIDC provider) without changing any business logic elsewhere in Open Gauge.

Roles (RBAC)

Every user has exactly one role, which governs what they can see and change:

RoleTypical use
viewerRead-only access — browse assets, calibrations, and certificates.
technicianDay-to-day operational work: add sensors, run calibrations, update locations.
adminOrganization administration: manage users, teams, procedures.
superadminSystem-level administration across organizations.

Protected endpoints reject unauthenticated requests, and role checks are enforced on the backend (not just hidden in the UI) — see the Auth and Admin sections of the API Reference for the exact endpoints each role can reach.

Profile picture

Every user can set a profile picture from Settings → Profile. It appears in the circular avatar in the top-right of the top bar and on the user's profile page (/users/{id}, reached by clicking a name anywhere it's mentioned — audit logs, activity, etc.). Users without a picture fall back to their initials. Uploads are limited to image files under 5MB and are stored in MinIO like any other attached file (see Data model & concepts).

Session tokens

Once authenticated, the frontend and any API client carry a session token on subsequent requests. See Auth in the API Reference for the exact login/refresh/logout endpoints and payload shapes.

On this page