Plugin System Overview

The Authrim Plugin System provides a modular, extensible architecture for integrating external services and custom functionality into the Authrim identity platform.

What Plugins Can Do

| Plugin Type | Capability Pattern | Examples |
|---|---|---|
| Notifier | notifier.{channel} | Email, SMS, Push notifications |
| Identity Provider | idp.{provider} | Google, SAML, OIDC federation |
| Authenticator | authenticator.{method} | TOTP, Passkey, OTP |
| Flow | flow.{name} | Custom authentication flow nodes (future) |

Architecture

The plugin system follows a three-layer architecture that separates concerns and provides clear boundaries:

flowchart TB
    subgraph Application["Application Layer"]
        direction LR
        A1[op-auth]
        A2[op-token]
        A3[op-management]
    end

    subgraph Plugin["Plugin Layer"]
        direction LR
        P1["Notifier<br/>email, sms, push"]
        P2["IdP<br/>google, saml"]
        P3["Authenticator<br/>totp, passkey"]
    end

    subgraph Infra["Infrastructure Layer"]
        direction LR
        I1["Storage<br/>KV, D1, DO"]
        I2["Policy Engine<br/>ReBAC"]
    end

    Application -->|PluginContext| Plugin
    Plugin -->|Storage/Policy| Infra

Layer Characteristics

| Aspect | Plugin Layer | Infrastructure Layer |
|---|---|---|
| Switching | Dynamic (KV config) | Deploy-time (restart required) |
| Failure Impact | Only affected feature | Full system outage |
| Tenant Variance | Can differ per tenant | Usually shared |
| Configuration | Admin API + Admin UI | Environment variables |

Design Principles

| Principle | Description |
|---|---|
| Hybrid Configuration | Static code bundling with dynamic KV-based configuration |
| Type Safety | Full TypeScript support with Zod schema validation |
| Cloudflare Native | Optimized for Cloudflare Workers (no dynamic imports) |
| Multi-Tenant | Tenant-specific plugin configurations supported |

Cloudflare Workers Limitations

Since Authrim runs on Cloudflare Workers, the plugin system has specific constraints:

Trust Levels

Plugin trust is determined by distribution source, not metadata claims:

| Trust Level | Source | UI Display |
|---|---|---|
| official | Built into ar-lib-plugin/builtin/ | Authrim Official (Built-in) |
| official | npm @authrim/* scope | Authrim Official (npm) |
| community | Other npm packages or local files | Community Plugin |
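
One way to derive the trust level from the distribution source while treating a plugin's own metadata as untrusted input. This is an added example, not Authrim's code: the type, field and function names are hypothetical, and only the sources and UI labels come from the table above.

```typescript
// Added example. All type, field and function names are hypothetical,
// not Authrim's API; sources and labels follow the trust-level table.
type TrustLevel = "official" | "community";

// Recorded by the loader from where the code was actually obtained.
type PluginSource =
  | { kind: "builtin"; path: string }
  | { kind: "npm"; packageName: string }
  | { kind: "local"; path: string };

// Self-declared by the plugin, therefore untrusted input.
interface PluginMetadata { id: string; trustLevel?: string }

interface TrustDecision { level: TrustLevel; display: string; claimRejected: boolean }

const BUILTIN_PREFIX = "ar-lib-plugin/builtin/";
// Exact scope match: "@authrim-tools/x" or a bare "@authrim/" must not pass.
const OFFICIAL_NPM = /^@authrim\/[a-z0-9][a-z0-9._-]*$/;

function isBuiltinPath(path: string): boolean {
  if (!path.startsWith(BUILTIN_PREFIX)) return false;
  // Reject traversal and empty segments that could escape the builtin directory.
  const rest = path.slice(BUILTIN_PREFIX.length).split("/");
  return rest.every((seg) => seg !== "" && seg !== "." && seg !== "..");
}

function resolveTrust(source: PluginSource, meta: PluginMetadata): TrustDecision {
  // Default to the lowest level; only a verified source can raise it.
  let level: TrustLevel = "community";
  let display = "Community Plugin";
  if (source.kind === "builtin" && isBuiltinPath(source.path)) {
    level = "official";
    display = "Authrim Official (Built-in)";
  } else if (source.kind === "npm" && OFFICIAL_NPM.test(source.packageName)) {
    level = "official";
    display = "Authrim Official (npm)";
  }
  // A claim that disagrees with the derived level is ignored and flagged for audit.
  const claimRejected = meta.trustLevel !== undefined && meta.trustLevel !== level;
  return { level, display, claimRejected };
}
```

A `claimRejected` result of `true` is worth logging: it means a plugin declared a trust level its distribution source does not support.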

Built-in Plugins

Authrim includes these official plugins out of the box:

| Plugin ID | Type | Description |
|---|---|---|
| notifier-console | Notifier | Console logger for development |
| notifier-resend | Notifier | Resend Email API |
| authenticator-totp | Authenticator | TOTP (RFC 6238) |

Plugin Lifecycle

┌─────────────────────────────────────────────────────────┐
│                    Plugin Lifecycle                     │
├─────────────────────────────────────────────────────────┤
│ 1. LOAD                                                 │
│    ├── Validate config against schema                   │
│    └── Create plugin instance                           │
├─────────────────────────────────────────────────────────┤
│ 2. INITIALIZE (optional)                                │
│    ├── Connect to external services                     │
│    ├── Warm up caches                                   │
│    └── Validate dependencies                            │
├─────────────────────────────────────────────────────────┤
│ 3. REGISTER                                             │
│    ├── Register capabilities with registry              │
│    └── Must be synchronous, no side effects             │
├─────────────────────────────────────────────────────────┤
│ 4. ACTIVE                                               │
│    └── Plugin handles requests via registered handlers  │
├─────────────────────────────────────────────────────────┤
│ 5. SHUTDOWN (optional)                                  │
│    ├── Close connections                                │
│    └── Cleanup resources                                │
└─────────────────────────────────────────────────────────┘
