Casdoor
Last verified 2026-06-02 · Reviewed by guptadeepak
Editorial verdict
Casdoor is the OSS CIAM with the strongest native authorization integration via Casbin (same maintainer), Apache 2.0 licensed and broad-featured. The trade-offs are dated DX, English-documentation rough edges, and a sprawling scope that spans CIAM plus adjacent domains. For teams that value Casbin authz tightly coupled to identity, or for China-region deployments where Casdoor has strong adoption, it is a credible OSS pick. For Western enterprise with strict compliance needs, look at Keycloak / FusionAuth / Zitadel instead.
At a glance
- Best for: Teams that want OSS CIAM with strong native authorization (Casbin) without separate authz vendor
- Pricing: free-open-source
- Free tier: Unlimited
- Deployment: self-hosted, cloud-saas
- SOC 2 Type II: No
- Passkeys: Native
- Self-host: Yes
- Open source: Yes
Funding & business
- Funding model: Open-source / foundation
- Total raised: None
- Latest round: None disclosed
- Years in business: 5 yrs
- Profitable: Not disclosed
Open-source IAM from the Casbin community; no disclosed institutional funding.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Tight integration with Casbin (the authz library by the same maintainer) gives Casdoor strong authorization primitives that are uncommon in OSS CIAM.
- Apache 2.0 licensed self-hosted Community edition.
- Broad feature breadth: social providers, MFA, SSO, multi-tenancy, payment integrations.
- Active community across both Casdoor and Casbin projects, with strong China-region adoption.
Limitations
- DX trails Western OSS CIAM noticeably: the admin UI is functional but dated, and the English documentation has rough edges.
- Compliance attestations are operator-earned; no platform-provided SOC 2 / ISO / HIPAA.
- No managed cloud with major-region presence beyond the project's own Cloud offering.
- Sprawling feature set (the project includes payment and CMS integrations) makes the scope feel less focused than that of peers.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Partial |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | Yes |
| FGA engine | Yes |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | No |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, go, python, java, dotnet, php, rust |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Casbin policy expressions + adapter pattern for storage |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | No |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Partial |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | No |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | No |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | No |
| Preference center | No |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| Monthly active users | Estimated price |
|---|---|
| 10,000 MAU | $100/mo |
| 100,000 MAU | $350/mo |
| 500,000 MAU | $1,200/mo |
| 1,000,000 MAU | $2,200/mo |
- Self-hosted Community is Apache 2.0, free at any scale
- Casdoor Cloud (managed) and Enterprise edition are commercial offerings
- Tight integration with Casbin (the authz library), both projects under same maintainer
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Teams that want OSS CIAM with strong native authorization (Casbin) without separate authz vendor
- China-region or Asia-Pacific deployments where Casdoor has strong regional adoption
- Developers comfortable with broad-scoped OSS projects
Not for
- Workloads requiring vendor-attested compliance (SOC 2, HIPAA, FedRAMP, PCI DSS)
- Teams preferring tightly-scoped CIAM products
- B2C consumer apps with serious adaptive risk needs
FAQ
- What is Casbin and how does it relate to Casdoor?
  - Casbin is a popular open-source authorization library supporting RBAC, ABAC, and ACL policy models, by the same maintainer as Casdoor. Casdoor integrates Casbin natively for the authz layer, which gives it stronger fine-grained permissions than most OSS CIAM that ship only RBAC.
- Is Casdoor's documentation in English?
  - Yes, but with rough edges: the project is China-originated and the English documentation lags the Chinese version in some places. For teams comfortable cross-referencing GitHub issues, this is workable; for teams expecting Auth0-grade docs, the gap is real.
- Should I pick Casdoor or Keycloak?
  - Keycloak has the larger Western community and ecosystem, plus the Java-heavy enterprise tooling. Casdoor has stronger native authorization (Casbin) and Apache 2.0 licensing without commercial-use clauses. For integrated authn+authz from one OSS vendor, Casdoor; for the largest Western community, Keycloak.
Sources
- Casdoor Documentation, accessed 2026-04-22
- Casdoor GitHub, accessed 2026-04-22
- Casdoor Pricing, accessed 2026-04-22
What Casdoor is
Casdoor launched in 2021 from the Casbin Authors team, the same maintainers behind Casbin, the popular open-source authorization library. The product is a self-hosted OSS CIAM under Apache 2.0, with Casbin natively integrated as the authz layer. The thesis: most OSS CIAM ships RBAC and stops, leaving teams to bolt on a separate authz library; Casdoor ships them together.
Where Casdoor wins
Native Casbin integration means strong authorization primitives (RBAC, ABAC, ReBAC) without a second vendor. Apache 2.0 licensing across the codebase. Broad feature breadth covering social login, MFA, SSO, multi-tenancy, and adjacent integrations. Active community with notable adoption in China and Asia-Pacific.
Where Casdoor hurts
DX trails Western OSS CIAM: the admin UI is functional but dated, the English documentation has rough edges, and the project's broad scope extends beyond CIAM into payments and CMS adjacencies. Compliance attestations are operator-earned. For Western enterprise with strict procurement requirements, the rough edges show.
How Casdoor compares
The closest comparisons are Keycloak vs Casdoor, Casdoor vs FusionAuth, and Authress vs Casdoor for the authn-plus-authz call. For modern Western OSS CIAM, Zitadel, Authentik, and Logto are the alternatives.
Editorial changelog (1 entry)
Routine profile review: capabilities, pricing, and editorial verdict re-verified.