How HelloJohn Works
A technical overview of HelloJohn's architecture — from login request to verified JWT. Understand the auth flow, token model, and tenant isolation.
HelloJohn is an identity and authentication server. It sits between your application and your users, handling the complex parts of auth: credential storage, token issuance, session management, and MFA.
The auth flow in 60 seconds
When a user signs in to your app:
- Your app redirects to HelloJohn (or the HelloJohn SDK renders the sign-in UI inline)
- HelloJohn authenticates the user — checks password, runs MFA, validates social token, etc.
- HelloJohn issues a JWT — signed with EdDSA, containing the user's ID, email, roles, and any custom claims
- Your app receives the token — stored in memory or secure storage by the SDK
- Your frontend sends the token to your backend via the
Authorization: Bearer <token>header - Your backend verifies the token locally — no round-trip to HelloJohn needed
User → Your App → HelloJohn → JWT
↓
Your Backend ← JWT (verified locally)Token model
HelloJohn issues short-lived access tokens (JWTs) and long-lived refresh tokens.
| Property | Access Token | Refresh Token |
|---|---|---|
| Format | JWT (EdDSA-signed) | Opaque token |
| Lifetime | 15 minutes (configurable) | 30 days (configurable) |
| Storage | Memory (SDKs) | Secure storage / HttpOnly cookie |
| Verified | Locally (no API call) | Server-side only |
The access token is a standard JWT. You can inspect it at jwt.io. It contains:
{
"sub": "user_01HXYZ...",
"email": "alice@example.com",
"name": "Alice",
"roles": ["member"],
"org": "org_01HXYZ...",
"iat": 1714000000,
"exp": 1714000900
}Signature algorithm
HelloJohn uses EdDSA (Ed25519) for JWT signing — faster and more compact than RS256, with equivalent security. Your backend fetches the public key from the JWKS endpoint once and caches it:
https://your-hellojohn-instance.com/.well-known/jwks.jsonAll HelloJohn SDKs handle JWKS fetching, caching, and key rotation automatically.
Tenant isolation
HelloJohn is built multi-tenant from the ground up. Each tenant has:
- Its own user pool
- Its own JWKS (optional per-tenant key rotation)
- Its own OAuth2 client configuration
- Configurable data isolation: shared schema, separate schema, or separate database
HelloJohn Instance
├── Tenant A → Database A (or schema A)
├── Tenant B → Database B (or schema B)
└── Tenant C → shared schema, row-level isolationThis makes HelloJohn suitable for both single-app deployments and B2B SaaS platforms with hundreds of organizations.
Session management
Sessions are stored server-side in HelloJohn (in your configured database). When a user signs out:
- The refresh token is revoked in the database
- The SDK clears the in-memory access token
- Future refresh attempts return
401 Unauthorized
Access tokens remain valid until they expire (default: 15 minutes). For immediate revocation, reduce the access token lifetime or use token introspection.
Components
HelloJohn is composed of:
| Component | What it does |
|---|---|
| Auth Server | Core Go server — handles all auth logic |
| DAL (Data Abstraction Layer) | Supports PostgreSQL, MySQL, and filesystem backends |
| SDKs | Client libraries for React, Next.js, Vue, Node.js, Python, Go, React Native, and vanilla JS |
| hjctl | CLI for managing tenants, users, admins, sessions, and migrations |
| MCP Server | 46 tools for AI agent control via stdio and SSE |
| Dashboard | Web UI for tenant management (HelloJohn Cloud only) |
OSS vs Cloud
Both the open-source and Cloud versions use the same core. The differences are operational:
- OSS: You host the server. You own all data. You manage updates and backups.
- Cloud: HelloJohn hosts and operates the server. You get a dashboard, multi-tenancy, and SLA.
Next steps
HelloJohn Documentation
The open-source auth platform for developers. Self-hosted or managed cloud. Multi-tenant, 7 SDKs, WebAuthn, RBAC — auth in 5 lines.
OSS vs Cloud
Compare HelloJohn OSS (self-hosted) and HelloJohn Cloud. Understand the feature differences, pricing model, and which option is right for your project.