Access Management
Portal for managing organization access: clients, grants, invitations, service accounts, and audit trails.
| Status | alpha |
| License | Business Source License 1.1 |
Overview
Access Management is the product that controls who and what can access eigenoid resources. It consists of five repositories that together provide an admin interface, a public-facing portal, a backend API, a block page for denied requests, and the infrastructure to run it all on GCP and Cloudflare.
The system handles the full lifecycle of access management: creating clients and service accounts, issuing invitations and magic links, processing access requests and grants, provisioning Cloudflare and GCP resources, and maintaining a complete audit trail.
Architecture
Components
Admin Portal (app-access-admin)
Internal dashboard for administrators to manage the full access lifecycle.
| Repo | eigenoid/app-access-admin |
| Stack | React 19, TypeScript 6, Vite 8, Tailwind CSS 4, shadcn/ui |
| Routing | React Router 7 |
Pages: dashboard, clients list, client detail, client creation, grants, invitations, access requests, audit log.
Dev setup
```bash
cd app-access-admin
npm install
npm run dev
```
Public Portal (app-access-public)
Public-facing portal for external users. It handles magic-link invitation acceptance and MFA enrollment (TOTP, passkeys, and email OTP as a backup factor), Cloudflare Turnstile bot protection on the public endpoints, product access management, and session management.
| Repo | eigenoid/app-access-public |
| Stack | React 19, Tailwind CSS 4, Vite |
| Deploy | Cloudflare Workers Builds |
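Turnstile only protects an endpoint if the token the widget produces is verified server-side, so the check belongs in the API behind the portal, not in the browser. The following is an added example, not code from app-access-public or svc-access: a net/http middleware that posts the token to Cloudflare's siteverify endpoint, requires `success` plus the expected hostname, and rejects the request with 403 otherwise. The siteverify URL, form fields and response fields follow Cloudflare's published API; `TurnstileVerifier`, `Require` and the `TURNSTILE_SECRET` variable are hypothetical names chosen for this example.

```go
// Added example, not project code: server-side Cloudflare Turnstile
// verification exposed as http middleware for public endpoints.
package main

import (
	"encoding/json"
	"errors"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
)

// TurnstileSiteverify is Cloudflare's verification endpoint.
const TurnstileSiteverify = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

var ErrTurnstile = errors.New("turnstile: verification failed")

// siteverifyResponse mirrors the fields Cloudflare returns.
type siteverifyResponse struct {
	Success    bool     `json:"success"`
	Hostname   string   `json:"hostname"`
	Action     string   `json:"action"`
	ErrorCodes []string `json:"error-codes"`
}

// TurnstileVerifier holds the secret key and the hostname the widget
// was rendered on; Endpoint is overridable so tests can use a fake.
type TurnstileVerifier struct {
	Client   *http.Client
	Endpoint string
	Secret   string
	Hostname string // expected hostname in the response; "" skips the check
}

// Verify posts the widget token and the client IP (which Cloudflare
// cross-checks against the challenge) and accepts only a successful
// response whose hostname matches the one we expect.
func (v *TurnstileVerifier) Verify(token, remoteIP string) error {
	if token == "" {
		return ErrTurnstile // never call siteverify with an empty token
	}
	form := url.Values{"secret": {v.Secret}, "response": {token}}
	if remoteIP != "" {
		form.Set("remoteip", remoteIP)
	}
	resp, err := v.Client.PostForm(v.Endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var out siteverifyResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return err
	}
	if !out.Success || (v.Hostname != "" && out.Hostname != v.Hostname) {
		return ErrTurnstile
	}
	return nil
}

// Require wraps a handler so that requests lacking a valid
// cf-turnstile-response form field are refused with 403.
func (v *TurnstileVerifier) Require(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := r.FormValue("cf-turnstile-response")
		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
		if err := v.Verify(token, ip); err != nil {
			http.Error(w, "bot check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-alone demo: protect a hypothetical invitation endpoint.
	v := &TurnstileVerifier{
		Client:   http.DefaultClient,
		Endpoint: TurnstileSiteverify,
		Secret:   os.Getenv("TURNSTILE_SECRET"), // hypothetical env var
		Hostname: "access.example.com",          // constructed value
	}
	mux := http.NewServeMux()
	mux.Handle("/invitations/accept", v.Require(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) })))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

The hostname check matters because a siteverify `success` alone only proves that some Turnstile widget, for this secret, was solved; pinning the hostname ties the token to the portal's own domain. Checking `action` the same way is worthwhile when the widget sets one.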
Backend API (svc-access)
REST API that implements all access management business logic, persistence, and external provisioning.
| Repo | eigenoid/svc-access |
| Stack | Go 1.26, Chi v5, GORM, PostgreSQL (Cloud SQL) |
| Deploy | Cloud Run (distroless container) |
The API manages these domain models: clients, access grants, access requests, invitations, magic links, admin users, sessions, session states, service account keys, resource types, download tokens, audit logs, TOTP devices, and passkeys.
It integrates with Cloudflare Access for policy enforcement and Google IAM for service account provisioning, with webhook support for external event processing.
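Magic links, invitations and download tokens all rely on the same primitive: a high-entropy, time-limited, single-use bearer token whose secret is never stored in plaintext. The following is an added example, not code from svc-access: an in-memory `MagicLinkStore` that stores only the SHA-256 hash of each token, so a database read or backup leak does not yield usable links, and that checks expiry and single use under a lock so two concurrent redemptions of the same link cannot both succeed. The type, function and error names, the 32-byte token size and the injected clock are this example's own choices, not the project's.

```go
// Added example, not project code: issue/redeem flow for a single-use,
// time-limited magic-link token with only its hash persisted.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownToken = errors.New("magic link: unknown token")
	ErrExpired      = errors.New("magic link: expired")
	ErrAlreadyUsed  = errors.New("magic link: already redeemed")
)

// magicLink is the persisted record: the token hash, never the token.
type magicLink struct {
	email     string
	expiresAt time.Time
	usedAt    *time.Time
}

// MagicLinkStore stands in for the database table; the clock is injected
// so expiry can be tested deterministically.
type MagicLinkStore struct {
	mu    sync.Mutex
	links map[string]*magicLink // keyed by hex(SHA-256(token))
	now   func() time.Time
}

func NewMagicLinkStore(now func() time.Time) *MagicLinkStore {
	return &MagicLinkStore{links: map[string]*magicLink{}, now: now}
}

func hashToken(token string) string {
	h := sha256.Sum256([]byte(token))
	return hex.EncodeToString(h[:])
}

// Issue creates a link for email that is valid for ttl and returns the raw
// token; the raw token goes into the e-mail and nowhere else.
func (s *MagicLinkStore) Issue(email string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32) // 256 bits from the CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.links[hashToken(token)] = &magicLink{email: email, expiresAt: s.now().Add(ttl)}
	return token, nil
}

// Redeem validates a presented token and marks it used, returning the
// e-mail it was issued to. Lookup is by hash, so the secret is never
// compared in application code; expiry and single use are enforced
// atomically under the lock.
func (s *MagicLinkStore) Redeem(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	link, ok := s.links[hashToken(token)]
	if !ok {
		return "", ErrUnknownToken
	}
	now := s.now()
	if now.After(link.expiresAt) {
		return "", ErrExpired
	}
	if link.usedAt != nil {
		return "", ErrAlreadyUsed
	}
	link.usedAt = &now
	return link.email, nil
}

func main() {
	store := NewMagicLinkStore(time.Now)
	token, err := store.Issue("alice@example.com", 15*time.Minute) // constructed address
	if err != nil {
		panic(err)
	}
	email, err := store.Redeem(token)
	fmt.Println("first redeem:", email, err)
	_, err = store.Redeem(token)
	fmt.Println("second redeem:", err)
}
```

Two details worth carrying into a real implementation: the distinct error values are for logging and the audit trail, and the client should see the same generic message for unknown, expired and reused tokens; and a redeemed link should be retained (with `usedAt` set) rather than deleted, so a replay attempt is recorded as such.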
Dev setup
```bash
cd svc-access
# Set up the database (sslmode=disable is for a local dev instance only;
# Cloud SQL connections must keep TLS enabled)
export DATABASE_URL="postgres://user:pass@localhost:5432/access?sslmode=disable"
# Run the public binary (client-facing routes)
go run ./cmd/public
# Run the admin binary (admin portal routes)
go run ./cmd/admin
# Run tests
go test ./...
```
Block Page (app-block-page)
Static page shown to users denied by Cloudflare Access policies. Served from Cloudflare Pages at https://block.eigenoid.services.
| Repo | eigenoid/app-block-page |
| Stack | Plain HTML, CSS, ES modules (three.js for background) |
| Deploy | Cloudflare Pages (auto-deploy from main) |
No build step. Respects prefers-reduced-motion. Also hosts public branding assets (logos, wordmarks) reachable without authentication.
Local preview
```bash
cd app-block-page
npx --yes serve .
```
Infrastructure (iac-access)
Terraform infrastructure for the entire access management stack, managed by Terraflow.
| Repo | eigenoid/iac-access |
| Stack | Terraform 1.14, GCP |
| Pipeline | Terraflow (eigenoid/platform-actions) |
Layers
| Layer | Resources |
|---|---|
| foundation | Cloud SQL, Pub/Sub, Secret Manager, Artifact Registry, service accounts, Workload Identity Federation, Cloudflare Turnstile widget |
| service | Cloud Run (admin + public), IAM bindings, Pub/Sub subscriptions, Cloud Scheduler |
| public-portal | Cloudflare Worker and custom domain for the public portal |
Environments
| Env | GCP Project | Auto-deploy |
|---|---|---|
| dev | eigenoid-dev | Yes |
| qa | eigenoid-qa | No (approval required) |
| prd | eigenoid-prd | No (approval required) |
Workflow
```bash
# Push a branch and open a PR -- CI runs terraform plan automatically
# To apply:
# Comment /terraflow apply on the PR
```