Skip to content

Setup Wizard

The Authrim Setup Wizard provides an intuitive web-based interface for deploying Authrim to Cloudflare. This guide walks you through each step of the setup process.

Before running the setup wizard, ensure you have the following:

RequirementDetails
Cloudflare AccountFree tier is sufficient for development. Check current Cloudflare Workers, D1, KV, R2, and Durable Objects limits before production use.
Node.jsVersion 22 or later
npmIncluded with Node.js

Having these ready will make the setup process smoother:

  • Environment name: How you want to identify this deployment (e.g., prod, staging, dev)
  • Custom domain (optional): If you want to use your own domain instead of *.workers.dev
  • Email service credentials (optional): API key from Resend or similar service for sending OTP emails
AreaDevelopment NoteProduction Note
OIDC/OAuth flowsCan be evaluated on small environmentsValidate request, CPU, D1, KV, queue, and Durable Object limits
Custom domainsOptional for local and early testingConfirm current Cloudflare plan and domain requirements
Storage profilebuiltin:storage:shared-d1 is the defaultConsider tenant-D1 or external database profiles for larger or regulated deployments
Audit/loggingBasic D1-backed paths are availablePlan retention, archive, R2, sink, and monitoring requirements

Run the following command to start the setup wizard:

Terminal window
npx @authrim/setup

The wizard will:

  1. Check prerequisites (Wrangler CLI and Cloudflare authentication)
  2. Download the Authrim source code (if not present)
  3. Open a web browser with the setup UI

Prerequisites Check

The wizard verifies your environment is ready:

The Cloudflare command-line tool used to deploy Workers. If not installed:

Terminal window
npm install -g wrangler

You must be logged in to your Cloudflare account. If not authenticated:

Terminal window
wrangler login

This opens a browser window to complete OAuth authentication with Cloudflare.

  • ✅ Wrangler is installed and accessible
  • ✅ You’re logged in to Cloudflare
  • ✅ Your account ID is valid
  • ✅ Current working directory is writable

Main Menu

Choose from three options:

OptionWhen to Use
New SetupFirst time deploying Authrim, or creating a new environment
Load ConfigurationYou have a saved authrim-config.json from a previous setup
Manage EnvironmentsView, update, or delete existing deployments

Setup Mode Selection

Best for most users. Automatically configures:

  • Standard OIDC/OAuth workers (ar-auth, ar-token, ar-userinfo, ar-discovery, ar-management)
  • Login UI and Admin UI workers
  • Default shared-D1 storage profile
  • Sensible security defaults

Choose this if you need to:

  • Choose tenant-D1 storage and preallocated tenant database slots
  • Configure SAML, Device Flow, CIBA, external IdP bridge, policy, or Verifiable Credentials behavior
  • Fine-tune domains, UI deployment, runtime profiles, and advanced settings

Configuration

The environment name is a unique identifier for this deployment. It’s used as a prefix for all Cloudflare resources.

Recommended naming:

EnvironmentUse Case
prodProduction - live users
stagingPre-production testing
devDevelopment and experimentation

You can run multiple environments simultaneously (e.g., prod and staging) under the same Cloudflare account.

  • No additional setup required
  • URLs look like: https://prod-ar-router.your-account.workers.dev
  • Good for development and testing
  • Limitation: No wildcard subdomains for multi-tenant URLs
  • Check the current Cloudflare Workers custom domain requirements for your account and plan
  • URLs look like: https://auth.yourdomain.com
  • Professional appearance for production
  • Supports multi-tenant subdomains: https://tenant1.auth.yourdomain.com

To use a custom domain:

  1. Add your domain to Cloudflare (DNS management)
  2. Enter the domain in the setup wizard
  3. The wizard will configure the necessary DNS records

When checked, your issuer URL will be https://auth.yourdomain.com instead of https://default.auth.yourdomain.com. Choose this if:

  • You only need a single tenant
  • You prefer cleaner URLs

Authrim supports multiple tenants (organizations) under one deployment.

  • Tenant ID: Internal identifier (e.g., default, acme, corp)
  • Display Name: Shown on login screens (e.g., “My Company”, “ACME Corp”)

For single-tenant setups, you can leave the defaults.

By default, Login UI and Admin UI are deployed as Cloudflare Workers with generated URLs. You can optionally configure custom domains for each.

Database Configuration

Authrim now uses runtime storage profiles. The default builtin:storage:shared-d1 profile creates three deployment-level D1 databases:

BindingDatabaseContains
DBCore databaseOAuth/OIDC core data, policy, consent, passkeys, custom-claim metadata, and transient auth persistence
DB_PIIPII databaseSensitive identity values, subject identifiers, linked identity records, PII tombstones, and PII audit data
DB_ADMINAdmin/control databaseAdmin users, admin RBAC, runtime profiles, tenant database registry, audit/logging control data, and operational jobs

For larger or regulated deployments, the setup flow can use builtin:storage:tenant-d1. In that mode, control data remains shared while tenant-owned core and PII data are routed through generated tenant database bindings and the tenant database registry.

Why separate storage planes?

  • Compliance: PII and admin/control data can be handled with clearer boundaries
  • Security: Admin, audit, core identity, and PII access paths can be reviewed independently
  • Tenant scale: tenant-D1 mode can route tenant-owned slices to generated tenant databases
  • Portability: supported profiles can route selected slices to external database adapters
ProfileBest ForNotes
builtin:storage:shared-d1Small deployments and evaluationUses shared DB, DB_PII, and DB_ADMIN bindings
builtin:storage:tenant-d1Larger multi-tenant deploymentsUses preallocated/generated tenant DB slots for tenant-owned data
External database profilesRegulated or existing-data-platform environmentsUses connection references rather than storing raw credentials in tenant settings

Select the region based on:

ConsiderationRecommendation
User locationChoose a region close to most users when possible
Data residency lawsIf your users are in the EU, consider WEUR for GDPR compliance
Corporate requirementsSome organizations mandate specific data locations

Available regions:

  • Automatic: Cloudflare selects the nearest region (good for global users)
  • WNAM: Western North America (US West Coast)
  • ENAM: Eastern North America (US East Coast)
  • WEUR: Western Europe (good for EU data residency)
  • APAC: Asia Pacific

Important: Database region cannot be changed after creation. Choose carefully for production deployments.

ScenarioStorage ProfileRegion Guidance
Small evaluationbuiltin:storage:shared-d1Automatic or nearest primary user region
EU PII requirementsbuiltin:storage:shared-d1 or tenant-D1 with EU-oriented residency profilePlace PII-bearing storage in an EU-compatible region where required
Larger multi-tenant deploymentbuiltin:storage:tenant-d1Plan tenant slot count and migration rollout
Existing database platformExternal database profileUse approved connection references and residency controls

Email Configuration

Email is used for:

  • One-Time Password (OTP) verification during login
  • Password reset links
  • Account verification emails
Section titled “Configure Now (Recommended for Production)”

Resend is recommended for its simplicity and free tier:

  1. Create an account at resend.com
  2. Add and verify your domain (requires DNS access)
  3. Generate an API key
  4. Enter in the wizard:
    • API Key: Your Resend API key
    • From Address: e.g., [email protected] (must be from your verified domain)

If you skip email configuration:

  • Email Code values are logged to the console (visible in Cloudflare dashboard logs)
  • Password reset won’t work
  • Good for development, not suitable for production

You can configure email later through the Admin UI.

Save Configuration Modal

Before provisioning, you can save your configuration to a JSON file.

Benefits of saving:

  • Resume setup later if interrupted
  • Create identical environments (e.g., staging from prod config)
  • Version control your infrastructure settings
  • Share configuration with team members

The file is saved as authrim-config.json in your current directory.

Provisioning Ready

Review your configuration summary, then click Create Resources.

ResourcePurpose
D1 DatabasesDB, DB_PII, DB_ADMIN; tenant-D1 slots when selected
KV NamespacesCaches, generated configuration, tenant runtime registry snapshots, consent cache
Durable ObjectsSessions, auth codes, refresh rotation, PAR, DPoP, device/CIBA, SAML, flow state, rate limiting
RSA KeysJWT signing for access tokens and ID tokens
AES KeysEncryption for sensitive data at rest

Provisioning in Progress

Provisioning typically takes 1-2 minutes. The wizard shows real-time progress.

If provisioning fails:

  • Check your Cloudflare account has sufficient quota
  • Ensure you have the necessary permissions
  • Try again - transient errors are common with cloud APIs

Deployment Ready

After provisioning, click Start Deploy to deploy the application.

Deploying

  1. Build: Compiles all TypeScript code
  2. Deploy Workers: Uploads API endpoints to Cloudflare Workers
  3. Deploy UI Workers: Uploads Login UI and Admin UI workers
  4. Run Migrations: Applies core, PII, admin, and selected tenant-D1 migrations
  5. Upload Secrets: Stores encryption keys securely

Deployment typically takes 3-5 minutes.

Setup Complete

Your Authrim deployment is ready!

URLPurpose
Issuer URLYour OIDC provider endpoint. Use this in your application’s OIDC configuration.
Admin SetupOne-time URL to create the first administrator account. Visit this immediately!
Login UIWhere your users will log in
Admin UIDashboard for managing users, clients, and settings
  1. Create Admin Account (Do this first!)

    • Visit the Admin Setup URL shown on the completion screen
    • Register using a Passkey (TouchID, FaceID, or security key)
    • This URL expires and can only be used once
  2. Log in to Admin UI

    • Use your newly created admin account
    • Explore the dashboard
  3. Create Your First OAuth Client

    • Go to Clients → Create Client
    • Enter your application’s redirect URIs
    • Save the Client ID and Secret
  4. Test the Integration

    • Configure your application with the Issuer URL and client credentials
    • Test the login flow

Use these values from the completion screen:

// Example OIDC configuration
const oidcConfig = {
issuer: 'https://your-issuer-url',
clientId: 'your-client-id',
clientSecret: 'your-client-secret',
redirectUri: 'https://your-app.com/callback',
scope: 'openid profile email'
};
Terminal window
# Use CLI mode instead of Web UI
npx @authrim/setup --cli
# Load existing configuration
npx @authrim/setup --config ./authrim-config.json
# Specify language (en, ja, zh-CN, zh-TW, es, pt, fr, de, ko, ru, id)
npx @authrim/setup --lang ja
# Specify environment directly
npx @authrim/setup --env staging

Port 3456 may be in use:

Terminal window
# macOS/Linux
lsof -ti:3456 | xargs kill -9
# Windows
netstat -ano | findstr :3456
taskkill /PID <PID> /F
Terminal window
npm install -g wrangler

If using a node version manager (nvm, fnm), ensure your global bin is in PATH.

Terminal window
wrangler login

If login fails, try:

Terminal window
wrangler logout
wrangler login

Cloudflare has API rate limits. Wait 1-2 minutes and click Retry.

  1. Verify your domain is added to Cloudflare
  2. Check DNS records are properly configured
  3. Wait for DNS propagation (can take up to 24 hours)
  4. Confirm your account and plan support the domain and route configuration you selected
  • Check your Cloudflare account has D1 access
  • Free accounts have limited D1 databases - delete unused ones
  • Try a different region if one is experiencing issues