At a Glance:
Hexclave is an open-source user infrastructure platform that bundles authentication, team management, payments, email, and analytics into a single system you can start on a hosted cloud or self-host with full data export.
Overview:
Hexclave is a user infrastructure platform designed to handle everything around your users through a catalog of modular apps. It provides authentication with passkeys and OAuth, team workspaces with role-based access control, API key management with automatic leak revocation, subscription and usage-based payments, transactional and marketing emails, product analytics with session replays, tamper-proof webhooks, and a server-side data vault for encrypted secrets. The platform is available as a hosted cloud service that can be set up in minutes, while all user data remains exportable and the platform itself can be self-hosted.
Key Decision Points:
Hosted cloud or self-hosted deployment: The platform offers a hosted cloud option for quick setup, with the ability to export your data and self-host when needed.
Modular app catalog approach: Features ship as individual apps you enable as your product requires, all built on the same user model, rather than requiring upfront configuration of the entire platform.
One-component authentication flow: Authentication methods including passkeys, OAuth, and CLI auth can be toggled from the dashboard without code changes after the initial component is integrated.
Single permission model across client and server: Role-based access control uses nested roles with one permission check that works identically on server or client side, defined in the dashboard.
API key security by design: API keys show the full secret only once at creation, leaked keys are revoked automatically, and plaintext secrets are never stored after creation.
Server-only data vault: Encrypted storage for user secrets is accessible only server-side, locked with your own secret so the platform never sees plaintext values.
Core Features:
Authentication: Drop-in component supporting passkeys, OAuth, and CLI auth with method toggles managed from the dashboard without code changes.
Teams and workspaces: Workspace switcher with remembered selection, email invites that auto sign up new users, and role-gated permissions for team-level access control.
RBAC: Nested roles with a single permission check function that operates identically on server and client, configured through the dashboard.
API Keys: Keys scoped to users and teams with one-time secret display, automatic revocation on leak detection, and no plaintext storage after creation.
Payments: Subscription management, one-time charges, and usage metering with credits that bill individuals or teams through a single model.
Emails: Transactional and marketing sends from one API with AI template editing, theme management, and tracking for opens and clicks.
Analytics: Live active user counts and session replays, with natural-language querying for building dashboards and SQL save support.
Webhooks: Signed, tamper-proof webhooks for user events with automatic retries, backoff handling, and dashboard endpoint management.
Data Vault: Server-only encrypted storage for user secrets using your own encryption key, with two-line store and retrieve operations.
Launch Checklist: Production readiness tracker covering domain setup, callback locking, and secret rotation to keep teams aligned before launch.
Use Cases:
Developers building SaaS products who need to ship authentication, team management, payments, and analytics without integrating separate services.
Teams launching production applications who want a structured launch checklist covering domain setup, callback configuration, and secret rotation before going live.
Products handling sensitive user data that require encrypted secret storage accessible only server-side, where the platform provider cannot access plaintext values.
Applications needing real-time event reactions through signed webhooks with built-in retry handling and dashboard-based endpoint management.
Open-Source Alternative Value:
Hexclave provides an open-source alternative to assembling user infrastructure from separate services by bundling authentication, payments, email, and analytics into one platform. The ability to export all user data and self-host the platform means you can start quickly on the hosted cloud and migrate to your own infrastructure when needed. API keys come with security defaults: the secret is displayed only once, leaked keys are revoked automatically, and plaintext is not stored after creation. The data vault encrypts secrets with your own key and is accessible only server-side, so the platform never sees plaintext values.




