Clavex
Self-hosted, open-core Identity & Access Management in Go. OIDC/OAuth 2.0, SAML 2.0, SCIM 2.0, FAPI 2.0 and the EU Digital Identity Wallet stack (eIDAS 2.0). Multi-tenant, runs inside your perimeter.
Cost / License
- Freemium (Subscription)
- Proprietary
Platforms
- Online
- Self-Hosted
- Software as a Service (SaaS)
- Docker
Clavex News & Activities
Recent activities
- fcraviolatti liked Clavex
- POX updated Clavex
- fcraviolatti added Clavex
fcraviolatti added Clavex as alternative to Cloud-IAM, FreeRadius, Microsoft Entra ID and LemonLDAP::NG
Clavex information
What is Clavex?
Clavex is an open-source, self-hosted identity and access management (IAM) platform designed for European regulatory environments. It supports multiple authentication protocols including OIDC, SAML 2.0, and FAPI 2.0, and integrates with European national digital identities such as SPID 3.0 and CIE OIDC 3.0 (Italy), FranceConnect v2 (France), itsme (Belgium and Luxembourg), BundID (Germany), Cl@ve (Spain), and DigiD (Netherlands). The platform also provides native support for eIDAS 2.0 wallet flows and AI agent authentication through agent tokens and MCP OAuth AS.
The application includes a suite of integrated modules that handle identity verification, policy enforcement, and compliance. Clavex Shield provides risk-based policy management, while Clavex Permit implements AuthZen fine-grained authorization (FGA). Clavex Verified supports OpenID IDA verified claims, and Clavex Guard handles multi-factor authentication (MFA) with TOTP, backup codes, and passkeys with conditional UI. Clavex Comply offers structured regulatory evidence packages, including a Merkle-proofed immutable audit ledger (Clavex Ledger) for NIS2 auditors, and one-click audit pack ZIP downloads. The platform also includes Clavex Stream, an IAM-native event bus that publishes authentication events to HTTP webhooks, MQTT brokers, Kafka topics, and SIEM audit sinks (Splunk HEC, Elastic ECS, Azure Sentinel, Datadog) simultaneously.
Typical use cases for Clavex include deploying European national eIDs without separate integration projects, enabling verifiable credential issuance and verification in line with eIDAS 2.0, and managing IoT fleet authentication through native MQTT support. The platform allows administrators to configure custom login portals, claims enrichment hooks, and real-time threat intelligence for login protection. It also supports smart lockout based on composite identity risk scoring and FIDO MDS3 trust scoring for passkeys.
Technically, Clavex ships as a single self-hosted binary and does not rely on external third-party libraries for QR code generation or TOTP backup code hashing. It supports the OID4VCI draft-13 with pre-authorized code grant, SD-JWT-VC selective disclosure (W3C VCDM 2.0 compatible), and Token Status List (IETF draft-ietf-oauth-status-list). The platform is designed to be deployed on day one across multiple European identity schemes and provides REST endpoints for GDPR, NIS2, and DSAR compliance obligations

