Meridian — an identity platform built as seven interlocking projects

A standards-aligned IAM stack — the kind a mid-size company would run to centralize authentication, sessions, federation, and access control. Each project is a standalone, reviewable codebase with its own signature architectural challenge: not seven CRUD apps with login screens, but seven distinct problem shapes.

Read the engineering guide →  ·  Browse the monorepo

Architecture

Meridian architecture idp signs tokens via keysmith and everyone verifies against keysmith's JWKS. bridge federates to Google and Entra ID and reuses keysmith's jose package. portal talks OIDC to idp. sessiond holds browser sessions in Redis. sentinel provides rate limiting, risk, and the audit chain. console is the RBAC control plane. OIDC (RP side) federated identities (JIT) jose / JWKS OAuth2 / OIDC sign / verify JWKS browser sessions (seam) rate-limit / risk (seam) audit + decisions (seam) session admin (seam) hash-chained audit (JSONL) bridge · Go SSO federation gateway Google / Entra ID upstream IdPs portal · TypeScript self-service identity + pg jobs idp · Go OAuth 2.0 / OIDC AS, multi-tenant keysmith · Go key lifecycle + minimal JOSE console · Go + React RBAC with decision traces sessiond · Go + Redis distributed sessions, Lua atomicity sentinel · Go + Python limits · lockout · risk · audit
Solid arrows: integrations wired in the repo today. Dashed arrows: documented seams — narrow interfaces shipped with in-memory implementations, swapped for the real service at deployment.

The projects

Live demos are pending an AWS account. Everything is built deploy-ready (each service runs locally with make run-dev / npm run dev); demo links activate when credentials arrive. Until then, each card links to the code, README, and threat model — the parts a reviewer actually reads first.