Announcing PropelAuth BYO (self-hosted)
We’re incredibly excited to announce a new way to add authentication and authorization to your product: PropelAuth Bring-Your-Own (BYO).
PropelAuth BYO is designed for folks that already have some authentication in place and are looking to enhance it instead of replacing it.
You can keep your users table, password hashes, and login flows. Layer on the enterprise features customers ask for - feature by feature, on your schedule, without a migration. It’s self-hosted so you also keep complete control of your data.
And it ships with modern tooling - a built-in dashboard, detailed JSON audit logs, and typed SDKs - so integration stays fast and debuggable.
Why BYO?
Teams that built a solid in-house foundation eventually hit enterprise asks: SSO for a first big customer, directory sync (SCIM) to automate provisioning, stronger session controls to pass a security review.
Historically that meant “pick an all-in-one provider and migrate.” BYO gives you a third option: extend what you have without moving data or re-architecting flows.
Everything happens in your environment so you never have to wrestle with webhooks for syncing data and our SDKs were carefully designed to be both easy to use and use clear, explicit types.
So, what does it do?
When designing the feature set, we looked at the delta between common home-built setups and setups using established auth providers.
A good example of this is session management. In most home-rolled auth setups, sessions are often just a token (either JWT or opaque token) saved as a cookie or returned to the frontend. Contrast that with what external auth providers build: session rotation for session fixation attacks, login alerts when users login with new devices, detecting suspicious changes in IP addresses and user agents, providing remote logouts for users, and more.
PropelAuth BYO Sessions give you the power of an advanced auth provider, in your environment, with an incredibly small code footprint.
Another good example of this is enterprise SSO & SCIM provisioning (directory sync). These features are often requirements of working with enterprises, but they can be tricky to get right.
PropelAuth BYO SSO / SCIM turns all that complexity into a few simple actions you need to take. For SCIM, you pass us the SCIM payload and we return one of:
- “Here’s a formatted response that you can return”
- “This request requires you to take a critical action. Please disable access for user {xyz}”
- There are 4 critical actions: Creating a user, disabling, re-enabling, and deleting. Once you confirm you did the critical action, we give you the formatted response that you can return.
This has the nice benefit of turning “did we do the right thing?” into a clear, typed loop.
Each BYO feature can be implemented independently of the others. See the docs for a full list of features.
Modern tooling included
Over the past few years with PropelAuth Cloud, we’ve managed these features for thousands of companies, selling to some of the biggest companies in the word. Over that time, we’ve learned:
A good API/SDK is important, but tooling is what keeps you sane.
You need tools for debugging and understanding what's happening with your users. With our included management dashboard, you and your team can reset passkeys, configure SSO/SCIM settings, and debug sessions all in one place.
For a deeper dive on the topic, see our blog post about BYO’s SCIM support, which shows how you can reduce lengthy back-and-forths with your customer, even when they don’t follow your instructions exactly.
Try it out today!
Check out the quickstart in the docs, add the SDK to your app, and enable the dashboard to test the flows end-to-end. When you’re ready, configure your first customer in minutes—no migration required.
