Recipes
Copy-pasteable patterns for the Thoryn platform.
Quickstarts for every framework, OIDC client templates for the SaaS apps your customers use, federation templates for Okta / Entra ID / SAML, and ready-to-paste Policy Engine rules + Broker wallet profiles + Credential Issuer VCTs. Ship faster than the docs alone.
Six recipe categories
Pick the one that matches what you're integrating with.
Quickstarts
8 recipes · Ship Hub-backed SSO in 5 minutes — one guide per framework.
App connectors
12 recipes · Pre-configured OIDC client templates for the SaaS apps your customers use.
Federation
9 recipes · Templates for Okta, Entra ID, Google Workspace, SAML, and more.
Policy rules
12 recipes · JSON rule trees for the authorization patterns we keep getting asked for.
Wallet profiles
6 recipes · Broker wallet profiles + presentation definitions for common verification flows.
VCT templates
5 recipes · Credential Issuer VCT templates with claim schemas + display metadata.
Library · 52 recipes
Latest recipes
Every recipe lives in the repo as MDX — readable, versioned, and reviewable like code.
- auth0-with-hub-upstream
Add Thoryn Hub as a Custom OIDC connection in your existing Auth0 tenant
Customer keeps Auth0 as the user-facing IdP and adds Thoryn Hub as an upstream OIDC connection. The reverse of `auth0-as-source` — use it when migration is years away but EUDIW is needed today.
- auth0
- oidc
- idp
- hub-upstream
- okta-with-hub-upstream
Add Thoryn Hub as an OIDC IdP in your existing Okta tenant
Customer keeps Okta as the user-facing IdP and adds Thoryn Hub as an upstream OIDC identity provider — the EUDIW + verifiable-credential gateway behind the Okta login. The reverse of `okta`.
- okta
- oidc
- idp
- hub-upstream
- Wallet profiles
Age gate — only `age_over_18`
Wallet profile + presentation definition that requests only the derived `age_over_18` claim. Birth date never leaves the wallet.
- age-gate
- selective-disclosure
- gdpr
- Policy rules
Age-over-18 gate
A single derived-claim equality — the simplest possible Policy Engine rule. Use it for any flow that needs proof of majority without ever seeing the birth date.
- age-gate
- derived-claim
- gdpr
- Policy rules
Age-over-21 gate
Same shape as age-over-18, with the threshold raised. Use it for jurisdictions or product categories where 21 is the legal floor (US alcohol, some financial-services flows).
- age-gate
- derived-claim
- gdpr
- dotnet
ASP.NET 8 — Hub login with `Microsoft.AspNetCore.Authentication.OpenIdConnect`
Wire OAuth2 / OIDC into an ASP.NET 8 app via the official OpenIdConnect handler. Five steps, ~20 lines of config.
- dotnet
- aspnet
- csharp
- oidc
- auth0-as-source
Auth0 as a Hub federation source — migration overlay
Federate Hub to an existing Auth0 tenant during a migration window. Customers stay logged in via Auth0; Hub takes over gradually.
- auth0
- oidc
- idp
- migration
- Wallet profiles
Bank customer — verified-customer credential
Wallet profile that accepts a "verified customer of bank X" credential — usable at partner services to skip re-KYC.
- bank
- kyc
- partner-onboarding
- VCT templates
Bank Customer Credential VCT
VCT template for a "verified customer of us" credential. Issued by a bank after KYC; consumed at partner services to skip re-KYC.
- bank
- kyc
- partner-onboarding
- App connectors
Cloudflare Access — Thoryn as a generic OIDC IdP
Cloudflare Access protects internal apps with identity-aware proxies. Thoryn as the IdP gates access to anything Cloudflare fronts.
- cloudflare
- oidc
- infra
- Policy rules
Composite — admin OR (manager AND finance)
A nested rule combining `any`, `all`, and equality leaves. Demonstrates arbitrary nesting and short-circuit evaluation.
- gate
- role-based
- composite
- Policy rules
Consent-required gate
ALLOW only if the credential proves age AND the user has explicitly consented in the current session. Combines a credential claim with a non-credential session fact.
- gate
- consent
- gdpr
- VCT templates
Diploma Credential VCT
VCT template for a university-issued diploma. Long-lived (no expiry). Carries programme, degree, GPA, graduation date.
- education
- diploma
- university
- django
Django 5 — Hub login with `mozilla-django-oidc`
Wire OAuth2 / OIDC into a Django 5 app. Five steps, ~15 lines of settings.
- django
- python
- oidc
- Wallet profiles
Employer onboarding — multi-credential
Wallet profile that requests a Diploma, Tax ID, and Address credential in one round-trip. Use it for new-hire onboarding at scale.
- onboarding
- multi-credential
- employer
- VCT templates
Employment Credential VCT
VCT template for an employer-issued employment credential. Carries role, start date, employer, and optional security-clearance level.
- employment
- employer
- hr
- express
Express — Hub login with `openid-client`
Add OIDC to an Express 4 / 5 app using the official Node OIDC library. ~40 lines of code.
- express
- node
- oidc
- App connectors
Figma — SAML SSO via Thoryn
Figma Enterprise SSO via SAML. Use Thoryn's SAML bridge for OIDC ↔ SAML translation.
- figma
- saml
- productivity
- generic-oidc
Generic OIDC IdP as a Hub federation member
Catch-all template for federating Hub to any OIDC-conformant IdP — public-cloud providers, regional IdPs, internal identity stacks.
- oidc
- idp
- generic
- generic-saml
Generic SAML 2.0 IdP as a Hub federation member
Federate Hub to any SAML 2.0 IdP — long-tail enterprise IdPs, custom corporate identity providers, ADFS, etc.
- saml
- idp
- generic
- App connectors
GitHub Enterprise Cloud — Thoryn as the OIDC IdP
Configure GitHub Enterprise Cloud (with EMU) to authenticate users via Thoryn-issued OIDC tokens.
- github
- oidc
- dev-tooling
- App connectors
GitLab — Thoryn as a generic OIDC provider
GitLab self-managed or SaaS Premium+ can use Thoryn as an OAuth2 / OIDC IdP via the omniauth_openid_connect strategy.
- gitlab
- oidc
- dev-tooling
- google-workspace
Google Workspace as a Hub federation member
Federate Hub to a Google Workspace tenant. Common at small-mid SaaS customers.
- google-workspace
- oidc
- idp
- Wallet profiles
Government permit application — PID
Wallet profile for a municipal permit application. Requests PID with the four claims a clerk needs to pre-fill the form.
- government
- pid
- permit
- VCT templates
Healthcare Licence VCT
VCT template for a national healthcare licensing board. Carries practitioner type, licence number, valid_until, and optional specialisation.
- healthcare
- professional-license
- regulatory
- Wallet profiles
Healthcare practitioner licence
Wallet profile for credential-gated platform access. Request a HealthcarePractitionerLicense with licence_number + valid_until.
- healthcare
- professional-license
- regulatory
- App connectors
HubSpot — SAML SSO via Thoryn
HubSpot Enterprise SSO. SAML 2.0 only; use Thoryn's SAML bridge.
- hubspot
- saml
- sales
- App connectors
Intercom — SAML SSO via Thoryn
Intercom Premium SSO via SAML. Use Thoryn's SAML bridge.
- intercom
- saml
- support
- keycloak
Keycloak as a Hub federation member
Self-hosted shops federate their Keycloak realm into Hub via standard OIDC. Common at developer-heavy customers and EU public-sector orgs.
- keycloak
- oidc
- idp
- self-hosted
- Wallet profiles
KYC — full PID presentation
Wallet profile + presentation definition for remote KYC. Requires a member-state PID with given_name, family_name, date_of_birth, nationality.
- kyc
- pid
- eidas
- App connectors
Linear — SAML SSO via Thoryn
Linear Enterprise SSO via SAML. Use Thoryn's SAML-bridge federation member for OIDC ↔ SAML translation.
- linear
- saml
- productivity
- Policy rules
MFA required for privileged actions
ALLOW only if MFA was completed in the current session AND the OIDC `acr` value indicates a sufficient assurance level. Use it as a step-up gate before any high-risk action.
- gate
- step-up
- mfa
- entra-id
Microsoft Entra ID (Azure AD) as a Hub federation member
Federate Hub to an Entra ID tenant. The most common enterprise scenario in DACH and the UK.
- entra-id
- azure-ad
- oidc
- idp
- Policy rules
Multi-credential issuer requirement
ALLOW only if both a Diploma and a Tax ID credential are present, each from an authorised issuer. Use it for high-stakes onboarding (employer, regulated finance) where one credential isn't enough.
- multi-credential
- gate
- onboarding
- next-js
Next.js — Hub-backed SSO in 5 minutes
Add OAuth 2.0 / OIDC login to a Next.js 15 App Router app via Hub. Five steps, ~30 lines of code.
- next-js
- react
- oidc
- app-router
- App connectors
Notion — SAML SSO via Thoryn
Notion Enterprise SSO. Notion supports SAML only (no OIDC); the recipe uses Thoryn's SAML-bridge flow.
- notion
- saml
- productivity
- okta
Okta as a Hub federation member (OIDC)
Federate Hub to an Okta tenant. Okta authenticates the user; Hub issues the OAuth2 / OIDC tokens to your relying parties.
- okta
- oidc
- idp
- VCT templates
PID Credential VCT
VCT template for a member-state PID credential. Claim schema for the four eIDAS-mandated identity attributes plus optional address.
- pid
- eidas
- government
- rails
Rails 7 — Hub login with `omniauth-openid_connect`
Wire OAuth2 / OIDC into a Rails 7 app via OmniAuth. Five steps, ~25 lines of config.
- rails
- ruby
- oidc
- react-spa
React SPA — Hub login with `oidc-client-ts`
Wire OAuth2 / OIDC into a React 19 + Vite SPA using the standard browser library. Auth code with PKCE, no client secret.
- react
- vite
- oidc
- spa
- Policy rules
Regional gate — EU only
ALLOW only if `country_code` is one of the 27 EU member states. Use it for services that must enforce EU residency at the protocol level.
- regional
- gate
- gdpr
- Policy rules
Regional gate — explicit allow-list
ALLOW only if `country_code` is in your customer-defined allow-list. The flexible variant of `regional-eu-only` — same shape, you control the list.
- regional
- gate
- Policy rules
Revocation — active and fresh
ALLOW only if the credential is active AND its `valid_until` is in the future. Defends against credentials that aren't revoked yet but are stale.
- revocation
- gate
- freshness
- Policy rules
Role gate — admin only
A single equality on the `role` claim. Allow only credentials whose role is `admin`. The simplest role-based access control you can do.
- gate
- role-based
- Policy rules
Role gate — admin or manager
ALLOW if `role` is in the configured list. Combines `any` over multiple equality leaves — short-circuits on the first match.
- gate
- role-based
- App connectors
Salesforce — use Thoryn as an OpenID Connect Auth Provider
Configure Salesforce to accept Thoryn-issued OIDC tokens. Works with Sales Cloud, Service Cloud, Experience Cloud.
- salesforce
- oidc
- crm
- App connectors
Slack — use Thoryn as the OIDC IdP
Pre-configured OIDC client for Slack. Customer pastes client_id/secret into Hub admin; Slack's custom IdP setup is filled in by claim.
- slack
- oidc
- communication
- spring-boot
Spring Boot 3 — Hub login with Spring Security OAuth2
Add OAuth 2.0 / OIDC to a Spring Boot 3 web app via Spring Security 6's OAuth2 client. Five steps, ~10 lines of YAML.
- spring-boot
- java
- kotlin
- oauth2
- App connectors
Stripe Dashboard — SSO via Thoryn (SAML)
Stripe Dashboard SSO. Stripe supports SAML 2.0 only; OIDC is not exposed for Dashboard auth.
- stripe
- saml
- finance
- Policy rules
Time gate — business hours only
ALLOW only on weekdays between 09:00 and 18:00 local time. Use it for back-office systems that should be unreachable outside business hours.
- time-based
- gate
- vue
Vue 3 — Hub login with `oidc-client-ts`
Wire OAuth2 / OIDC into a Vue 3 + Vite app. Auth code with PKCE, composable for the rest of the app.
- vue
- vite
- oidc
- spa
- App connectors
Zoom — Thoryn as an OAuth 2.0 IdP
Zoom Enterprise SSO via Thoryn. Workspace Admin pastes client credentials; users SSO into Zoom Web + Desktop + Mobile.
- zoom
- oidc
- communication