OIDC Providers
Register an identity provider so end users can authenticate cryptographic operations with their own identity tokens
OIDC Providers let you federate your existing identity provider (IdP) with CipherStash. Once registered, end users can authenticate cryptographic operations using the identity tokens your IdP issues, not just application credentials.
This pairs with identity-aware encryption via LockContext, which binds encryption operations to a specific user identity.
If you are only encrypting data at rest with application credentials, you do not need an OIDC provider. This feature is for workspaces where end-user identity should be bound to encryption operations.
Why this matters
Without an OIDC provider, encryption operations are authenticated by access keys (long-lived, application-scoped) or PKCE device login (developer laptops). With one, the identity token from your IdP can be bound to encryption and decryption operations — useful for per-user keys, audit trails, and identity-aware data access controls.
Supported providers
CipherStash supports the following identity providers:
- Auth0
- Okta
- Clerk
- Supabase — register from the dashboard setup hub or manually with the project issuer URL
Registering a provider
Go to your workspace in the CipherStash Dashboard → Authentication → OIDC Providers → Add OIDC Provider.
Select your vendor and enter the Issuer URL. This is the value your IdP places in the `iss` claim of the identity tokens it issues for your application; the OIDC discovery document lives at `{issuer}/.well-known/openid-configuration`, and that is where CipherStash finds the keys used to validate tokens. The registered value must match the `iss` claim exactly, including any trailing slash, so copy it from your IdP's settings or from a decoded token rather than typing it from memory. The URL format depends on your provider:
| Provider | Example issuer URL |
|---|---|
| Auth0 | https://your-tenant.auth0.com/ |
| Okta | https://your-org.okta.com/ |
| Clerk | https://your-app.clerk.accounts.dev/ |
| Supabase | https://{projectRef}.supabase.co/auth/v1 |
Submit the form. The provider is now registered for that workspace.
Supabase (from the dashboard)
If you connected Supabase in the dashboard, open Settings → Integrations → Supabase, select your project, and click Configure OIDC for this project.
The dashboard registers vendor supabase with issuer https://{projectRef}.supabase.co/auth/v1 for the selected project ref.
What gets stored
Each registered OIDC provider has three fields:
- ID — assigned by CipherStash on registration
- Vendor — one of auth0, okta, clerk, or supabase
- Issuer — the URL you provided
No client secret or shared key is stored. Validation is purely public-key based: CipherStash resolves the issuer's discovery document, fetches the JWKS it points to, and checks each token's signature against the published keys. The issuer URL therefore has to be reachable from CipherStash, and nothing that could mint tokens is ever held on the CipherStash side.
Using it from code
Once a provider is registered, use LockContext in the Encryption SDK to bind encryption operations to a user's identity token.
See the LockContext API reference for the full API.