Ecosystem
Overview
The OpenApe package ecosystem.
Ecosystem
OpenApe isn't a monolith β it's a set of small, focused packages you compose as needed. Use one. Use all. Each works standalone.
Architecture
βββββββββββββββββββββββββββββββββββββββββββββββ
β Framework Modules β
β nuxt-auth-idp nuxt-auth-sp β
βββββββββββββββββββββββββββββββββββββββββββββββ€
β Protocol Packages β
β @openape/auth @openape/grants β
βββββββββββββββββββββββββββββββββββββββββββββββ€
β Foundation β
β @openape/core β
βββββββββββββββββββββββββββββββββββββββββββββββ
Packages
| Package | Description | Framework |
|---|---|---|
@openape/core | DNS discovery, crypto, PKCE, JWT utilities | None |
@openape/auth | OIDC login protocol β IdP and SP sides | None |
@openape/grants | Grant lifecycle, AuthZ-JWT issuance | None |
@openape/nuxt-auth-idp | Drop-in Nuxt module: run your own IdP (includes grant routes + pages) | Nuxt |
@openape/nuxt-auth-sp | Drop-in Nuxt module: login via OpenApe | Nuxt |
openape-escapes (escapes) | Rust binary for privilege elevation | OS-level |
The older standalone @openape/nuxt-grants package has been consolidated into nuxt-auth-idp β see Grants for the migration note.
Combinations
| Use Case | Packages |
|---|---|
| App with OpenApe login | nuxt-auth-sp |
| Run your own IdP (with grant flows) | nuxt-auth-idp |
| One IdP, many domains | nuxt-auth-idp + the multi-tenant pattern |
| SP with grant requests | nuxt-auth-sp + IdP-side grant routes |
| Non-Nuxt integration | @openape/auth + @openape/grants |
| Local privilege elevation | openape-escapes (escapes) |
Design Principles
- Separation β Auth β Grants. Not every app needs both.
- Layered β Core β Protocol packages β Framework modules β Apps
- Stateless SP β Service providers need zero server storage.
- Framework-agnostic core β Nuxt modules are convenience, not requirement.
- Passkeys-only β No passwords. NIS2 compliant by design.
- Minimal tokens β AuthN says who, AuthZ says what may they do.