# Modgud
> Multi-tenant Identity Provider
Named after Móðguðr, the watcher of Gjallarbrú.
OAuth 2.0 / OpenID Connect server with multi-app permissions, granular RBAC, and full database-per-tenant isolation.
Drop-in for any ASP.NET Core resource server — and the auth foundation of the Cocoar suite.
## Table of Contents
### Get Started
- [Getting Started](/getting-started.md)
- [Quickstart (Docker)](/getting-started/quickstart.md)
- [Requirements](/getting-started/requirements.md)
- [Features](/getting-started/features.md)
- [First-time setup](/getting-started/first-time-setup.md)
- [Single-tenant mode](/getting-started/single-tenant-mode.md)
### Concepts
- [Glossary](/concepts/glossary.md)
- [Apps and resource\_access](/concepts/apps-and-resource-access.md)
- [Realms](/concepts/realms.md)
- [Control Plane / Data Plane](/concepts/control-plane.md)
- [Authentication](/concepts/authentication.md)
- [Authorization (RBAC)](/concepts/groups-and-authorization.md)
- [Permissions & gating](/concepts/permissions.md)
- [Auto-Membership](/concepts/auto-membership.md)
- [ABAC and the IAM boundary](/concepts/abac.md)
- [OAuth 2.0 & OpenID Connect](/concepts/oauth.md)
- [Dynamic Client Registration](/concepts/dynamic-client-registration.md): What DCR is, the MCP use case that makes it relevant again, and how Modgud's "anonymous but triple-gated" stance compares to other IdPs.
- [Sessions & Tokens](/concepts/tokens.md)
### Operate
- [Docker & deployment](/operate/deployment.md)
- [Backend architecture](/operate/backend-architecture.md)
- [Persistence (Marten)](/operate/database.md)
- [Multi-tenancy / Realms](/operate/realms.md)
- [Observability](/operate/observability.md)
- [Recovery CLI](/operate/recovery-cli.md)
- [Feature Flags](/operate/feature-flags.md)
### Administer (Realm-Admin)
- [Administration overview](/admin.md)
### Identity & Access
- [Users](/admin/users.md)
- [Service Accounts](/admin/service-accounts.md): Machine identities that authenticate via OAuth client_credentials, sit in the same Group/Role/Permission model as humans, and produce clean audit trails.
- [Roles](/admin/roles.md)
- [Groups](/admin/groups.md)
### OAuth & Federation
- [OAuth Clients](/admin/oauth-clients.md)
- [OAuth Scopes](/admin/oauth-scopes.md)
- [OAuth APIs (Resource Servers)](/admin/oauth-apis.md)
- [Dynamic Client Registration](/admin/dynamic-client-registration.md)
- [Login Providers](/admin/login-providers.md)
### Realm
- [Applications](/admin/applications.md)
- [Realms](/admin/realms.md)
- [Realm Settings](/admin/realm-settings.md)
- [Auth Log](/admin/auth-log.md)
- [Scheduled Jobs](/admin/scheduled-jobs.md): Tenant-admin surface for the realm's background scheduled jobs — review schedules, tune retention, trigger manually, inspect run history.
- [Change Requests](/admin/change-requests.md)
### Platform
- [Platform](/plattform.md): Operator-facing configuration of the Modgud instance.
### Customization
- [Customization — Branding](/plattform/branding.md)
- [Customization — Asset Library](/plattform/assets.md)
- [Customization — Pages](/plattform/pages.md)
### Operations
- [Inbox](/plattform/inbox.md): Per-user, in-app notification surface — bell in the header, panel with the live list, server-pushed via SignalR.
- [Inbox settings](/plattform/inbox-settings.md): Per-kind retention policy for the inbox — how long items stay around before the daily sweep dismisses or hard-deletes them.
- [Platform Settings](/plattform/settings.md)
### Integrate
- [Integrating a Resource Server](/integrate/resource-server.md)
- [SaaS App Integration Walkthrough](/integrate/saas-walkthrough.md)
- [OAuth / OpenIddict implementation](/integrate/oauth.md)
- [Cookies & sessions](/integrate/cookies-and-sessions.md)
- [Login flows](/integrate/login-flows.md)
- [Login Providers (OIDC Federated Login)](/integrate/login-providers.md)
- [Two-Factor Authentication](/integrate/two-factor.md)
- [Scheduling framework](/integrate/scheduling.md): Backend contributor guide for the Quartz.NET-based scheduling slice — registering a job, parameter schema, per-tenant overrides, run history, and the failure → inbox bridge.
### User Help
- [End-user help](/end-user.md)
- [First steps](/end-user/first-steps.md)
- [Signing in](/end-user/sign-in.md)
- [Password](/end-user/password.md)
- [Two-factor authentication](/end-user/two-factor.md)
- [Passkey](/end-user/passkey.md)
- [Profile](/end-user/profile.md)
### API Reference
- [OAuth / OIDC Endpoints](/reference/oauth-api.md)
- [Auth Endpoints](/reference/auth-api.md)
- [Admin endpoints](/reference/admin-api.md)
- [Realm Endpoints](/reference/realm-api.md)
### Contribute
- [Developing locally](/contribute/developing-locally.md)
- [Local CI iteration](/contribute/local-ci.md): Running and iterating on GitHub Actions workflows locally with act + workflow_dispatch dry-run.
### Testing
- [Testing](/contribute/testing.md)
- [Automated tests](/contribute/testing/automated-tests.md)
- [Pinned-by-design](/contribute/testing/pinned-by-design.md)
- [Manual smoke checklist](/contribute/testing/manual-checklist.md)
### Other
- [API Reference](/reference.md): HTTP endpoint reference for the OAuth/OIDC surface, the authentication API, the admin API, and the realm-management API.
- [Concepts](/concepts.md): How Modgud thinks about identity, tenancy, authorization, and the OAuth/OIDC surface — the mental model behind the code.
- [Contribute](/contribute.md): Developing locally, the test suite layout, what gets pinned by tests vs left flexible.
- [Integrate](/integrate.md): Hooking your app up to Modgud — as an OAuth client, as a resource server protecting an API, or via cookie sessions for an internal SPA.
- [Operate](/operate.md): Running Modgud in production — Docker deployment, persistence, multi-tenancy provisioning, observability, recovery procedures.
- [Roadmap](/roadmap.md): What Modgud ships today and what's coming next.