Auto-Detected Providers

Alter Vault automatically detects the following identity providers from the OIDC issuer URL and configures claim mappings:
Provider   User ID Claim   Group Claim     Webhooks
Auth0      sub             Custom action   Yes
Clerk      sub             org_role        Yes
Both providers deliver real-time user lifecycle events via webhooks. When a user is removed from the organization, Alter Vault revokes their OAuth grants and deletes their stored tokens within seconds.

Custom OIDC Providers

Any OIDC-compliant identity provider works with Alter Vault. When a provider isn’t auto-detected, Alter Vault defaults to:
  • User ID claim: sub (the OIDC standard subject identifier)
  • Group claim: None (configure manually in the Developer Portal)
  • Sync: JWT lazy sync only (no webhook-based deprovisioning)
The user ID claim, group claim, and role claim can be overridden in the Developer Portal when adding the identity provider.
What gets auto-detected: When an identity provider is added, Alter Vault performs OIDC discovery on the issuer URL and automatically detects the IDP type, recommended claims, and available sync capabilities. The Discover button previews this before saving.
Claim mappings lock after first user sign-in. Once a user authenticates through the identity provider, the user ID claim, group claim, and role claim become immutable. If the IDP requires custom configuration to include group or role claims (e.g., Auth0 requires a custom Action), leave these fields empty during setup and configure them before the first user signs in.

Provider Capabilities

Webhook Listeners

Both supported providers use webhooks for real-time user lifecycle events:
  • Clerk: user.updated, user.deleted, organization.membership.deleted events via Svix signatures
  • Auth0: Log Streams filtered to sdu (user deleted by admin), ublkdu (user blocked by admin), and ubuu (user unblocked by admin) events
Enable webhooks in the Developer Portal to generate a signing secret, then configure the identity provider to send events to the provided webhook URL.

JWT Lazy Sync

All OIDC providers support JWT lazy sync automatically. When the application passes a JWT to Alter Vault:
  1. User identity is resolved from the configured claim (default: sub)
  2. Group memberships are synced from the group claim (if configured)
  3. User profile (email, display name) is updated from standard OIDC claims
No additional configuration is required beyond adding the identity provider.
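
A pre-flight check for a planned claim mapping, as an added example that is not Alter Vault's code: it applies the three lazy-sync steps above to a sample token's claims and reports a user ID or group claim the token does not carry, which matters because claim mappings lock after the first sign-in. The helper names, the sample tokens and the `https://example.com/groups` claim name are assumptions constructed for illustration.

```python
import base64
import json
from typing import Optional

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve(claims: dict, user_id_claim: str = "sub",
            group_claim: Optional[str] = None) -> dict:
    """Hypothetical helper: apply the three lazy-sync steps to one claim set."""
    problems = []
    # Step 1: user identity from the configured claim (default: sub).
    user_id = claims.get(user_id_claim)
    if not isinstance(user_id, str) or not user_id:
        problems.append(f"user ID claim {user_id_claim!r} missing or not a string")
        user_id = None
    # Step 2: group memberships, only when a group claim is configured.
    groups = []
    if group_claim is not None:
        raw = claims.get(group_claim)
        if raw is None:
            problems.append(f"group claim {group_claim!r} not present in token")
        elif isinstance(raw, str):
            groups = [raw]  # single-valued claim
        elif isinstance(raw, list) and all(isinstance(g, str) for g in raw):
            groups = sorted(set(raw))
        else:
            problems.append(f"group claim {group_claim!r} is not a string or list of strings")
    # Step 3: profile from standard OIDC claims.
    profile = {"email": claims.get("email"), "display_name": claims.get("name")}
    return {"user_id": user_id, "groups": groups, "profile": profile, "problems": problems}

def sample_jwt(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256"})
    return f"{header}.{enc(claims)}.constructed-signature"

# Constructed sample tokens (not real provider output).
WITH_GROUPS = sample_jwt({"sub": "user_constructed_1", "org_role": "org:admin",
                          "email": "a@example.com", "name": "Sample User"})
NO_GROUPS = sample_jwt({"sub": "auth0|constructed-2", "email": "b@example.com"})

if __name__ == "__main__":
    print(resolve(decode_claims(WITH_GROUPS), group_claim="org_role"))
    # Hypothetical namespaced claim name; absent here, so it is reported.
    print(resolve(decode_claims(NO_GROUPS), group_claim="https://example.com/groups"))
```

A non-empty `problems` list on a token issued by the real identity provider means the mapping should be corrected at the provider before any user signs in.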

Enterprise SSO (Okta, Entra ID, SAML)

Customers who need to connect enterprise identity providers — Okta, Microsoft Entra ID, Ping, OneLogin, JumpCloud, Google Workspace SAML — should broker through Auth0 or Clerk rather than connecting those IDPs directly to Alter Vault. Both Auth0 and Clerk support enterprise connections as a first-class feature, and the webhook lifecycle events Alter Vault relies on are emitted by Auth0/Clerk regardless of which upstream IDP the end user signed in with.

Requesting a New Provider

For support requests covering a specific identity provider not handled by Auth0 or Clerk, contact [email protected].