Open Source · MIT · v0.1 Beta

Auth, policy, observability.
One import.

Drop-in auth, fine-grained Rego policy, distributed tracing, and multi-tenancy — in Rust, Python, Go, TypeScript, and Java. No infrastructure to run.

Rust: cargo add coresdk-engine
Python: pip install coresdk
Node: npm i @coresdk/sdk
Go: go get github.com/coresdk-dev/sdk-go
from coresdk import CoreSDKClient, SDKConfig
from coresdk.middleware.fastapi import CoreSDKMiddleware
from coresdk.tracing.decorator import trace
from fastapi import FastAPI, Request

sdk = CoreSDKClient(SDKConfig.from_env())
app = FastAPI()
app.add_middleware(CoreSDKMiddleware, sdk=sdk)

@app.get("/api/orders")
@trace(intent="list-orders")
async def list_orders(request: Request):
    user = request.state.coresdk_user
    # user verified, policy checked, span started
    # db is the application's own data-access layer (not defined in this snippet)
    return await db.orders.for_user(user["sub"])

full auth + policy + tracing · pick your language

JWT Auth
Rego Policy
OTEL Traces
Multi-Tenancy
RFC 9457 Errors
Audit Logs
Rate Limiting
SCIM
SAML SSO
PII Masking
Feature Flags
mTLS

Architecture

Three layers. Zero ops.

Embedded library, optional sidecar, hosted cloud — same API, same policy, same traces.

Library
Zero-overhead embed

Import CoreSDK into any service. The engine runs in-process — no network hop, no sidecar. Sub-millisecond auth and policy decisions.

$ cargo add core-sdk
  Updating crates.io index
   Adding core-sdk v0.1
Sidecar
Language-agnostic proxy

Deploy as a sidecar in your pod. Any language, any framework — mTLS, policy enforcement, trace collection without touching app code.

  ┌──────────┐       ┌──────────────┐
  │  SDK App │──────▶│   Sidecar    │
  └──────────┘  mTLS └──────┬───────┘
                             │ gRPC
                    ┌────────▼───────┐
                    │ Control Plane  │
                    └────────────────┘
Cloud
Managed control plane

Connect to CoreSDK Cloud for centralized policy management, audit log streaming, tenant dashboards, and SLA-backed uptime.

50ms p99 latency
99.99% uptime SLA
45+ features
4 languages

Features

Everything you'd build yourself.

Production-grade primitives, composable by design.

Auth

JWT & OAuth 2.0

RS256/ES256 verification, JWKS rotation, opaque token introspection, session revocation. Works with any IdP.

RBAC + ABAC

Role-based and attribute-based access control out of the box. Extend with custom Rego rules.

middleware
app.add_middleware(
  CoreSDKMiddleware,
  sdk=CoreSDKClient(
    SDKConfig(
      sidecar_addr="[::1]:50051",
      tenant_id=get_tenant(req),
    )
  )
)
Policy

Rego Policy Engine

OPA-compatible Rego policies. Hot-reload without restart. Decisions logged to immutable audit trail.

Policy

Audit Log

Every auth decision, policy evaluation, and admin action timestamped and streamed to S3 or your SIEM.

Observability

OTEL Native

Automatic span creation, baggage propagation, exemplar linking. Works with Jaeger, Tempo, Datadog.

Multi-Tenancy

Tenant Isolation

Hard data isolation per tenant. Each tenant gets its own policy namespace, audit stream, and rate limits.

DX

RFC 9457 Errors

Every error includes type, title, detail, trace_id, and tenant. No custom mapping in your app code.

403 problem+json
{
  "type": "policy-denied",
  "status": 403,
  "detail": "orders:read denied",
  "trace_id": "01HX7KQM…",
  "tenant": "acme"
}
Observability

Structured Logs

Every request emits structured JSON logs with trace IDs, user context, and policy outcomes.

01

Policy Engine

Write policy in Rego.
Ship it in seconds.

CoreSDK embeds a full OPA-compatible Rego evaluator. Write policy as code, version it in git, push it — running services pick it up without a restart. Every evaluation is logged.

  • Hot-reload via policy API — zero downtime
  • Full OPA compatibility — import existing policies
  • Every decision written to immutable audit log
  • Simulation mode — test policy before enforcing
policy.rego
# Rego policy — orders:read
package coresdk.authz

default allow = false

allow {
    input.action == "orders:read"
    input.user.role == "member"
    input.resource.tenant == input.user.tenant
}

allow {
    input.user.role == "admin"
}
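
An added example, not part of the CoreSDK page or project: unit tests for the policy above, runnable with `opa test`, using constructed inputs. The file name `policy_test.rego` and the tenant `globex` are assumptions; the last test records that the second `allow` rule, as written, checks neither the action nor the tenant.

```rego
# policy_test.rego (added example; file name is an assumption)
# Run: opa test policy.rego policy_test.rego -v
# On OPA 1.x add --v0-compatible, since the policy uses pre-1.0 rule syntax.
package coresdk.authz

# Constructed users; fields follow the input.* paths the policy reads.
member_acme = {"role": "member", "tenant": "acme"}
admin_acme = {"role": "admin", "tenant": "acme"}

test_member_reads_own_tenant {
    allow with input as {
        "action": "orders:read",
        "user": member_acme,
        "resource": {"tenant": "acme"},
    }
}

test_member_cross_tenant_denied {
    not allow with input as {
        "action": "orders:read",
        "user": member_acme,
        "resource": {"tenant": "globex"},
    }
}

test_member_other_action_denied {
    not allow with input as {
        "action": "orders:write",
        "user": member_acme,
        "resource": {"tenant": "acme"},
    }
}

# Missing user: every rule body is undefined, so `default allow = false` applies.
test_missing_user_denied {
    not allow with input as {"action": "orders:read", "resource": {"tenant": "acme"}}
}

# Behaviour of the second rule as written: role == "admin" alone is enough,
# so an acme admin is allowed on a globex resource. To scope it per tenant,
# add `input.resource.tenant == input.user.tenant` to that rule body.
test_admin_rule_is_not_tenant_scoped {
    allow with input as {
        "action": "orders:read",
        "user": admin_acme,
        "resource": {"tenant": "globex"},
    }
}
```
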
$ core trace tail --tenant acme

  ┌─ POST /api/orders  200  12ms
  │  auth    ✓ jwt verified (sub=usr_2xK9)
  │  policy  ✓ orders:write allowed (role=member)
  │  db      ✓ INSERT orders (id=ord_7mP3)
  └─ span_id: 01HX7... tenant: acme

  ┌─ GET /api/orders/ord_bad  403  2ms
  │  auth    ✓ jwt verified (sub=usr_4nR1)
  │  policy  ✗ orders:read denied (cross-tenant)
  └─ span_id: 01HX8... tenant: acme

02

Observability

See every auth decision
in real time.

Every request gets a trace span with auth outcome, policy decision, and tenant context — automatically. No instrumentation code required.

  • Zero-config OTEL integration
  • Auth + policy outcome embedded in every span
  • core trace tail for live request debugging
  • Anomaly alerts on policy violation spikes

03

Developer Experience

Errors developers
can actually use.

Every error follows RFC 9457 — machine-readable type URIs, human-readable detail, trace ID, and tenant context. Frontend engineers stop filing tickets.

  • RFC 9457 problem+json on every error response
  • trace_id links the error directly to its span
  • Policy outcome and tenant embedded in 403s
  • No custom error mapping in your app code
response.json · 403
{
  "type": "https://coresdk.dev/errors/policy-denied",
  "title": "Authorization Denied",
  "status": 403,
  "detail": "Action 'orders:read' denied for role 'guest'",
  "instance": "/api/orders/ord_7mP3",
  "trace_id": "01HX7KQMB4NWE9P6T2JS0RY3ZV",
  "tenant": "acme",
  "policy": "coresdk.authz",
  "timestamp": "2026-03-19T14:22:01Z"
}

Why CoreSDK

Why not stitch it yourself?

Stop stitching together 4 tools. Ship the integrated version.

Feature
CoreSDK (Recommended)
Auth0 · OPA · Envoy+OPA
JWT / OAuth 2.0 auth  Yes  Yes  Partial
Rego policy engine  Yes  Yes  Partial
Distributed tracing  Yes  Yes
Multi-tenancy isolation  Yes  Partial
Embedded (no sidecar)  Yes  Partial
RFC 9457 errors  Yes
OTEL native  Yes  Yes
Audit log stream  Yes  Partial  Partial
Single import / SDK  Yes

CoreSDK = Auth0 + OPA + Envoy + custom glue, pre-integrated.

Production-ready

Built for regulated industries.

Sub-ms overhead
Rust core adds <0.3ms per request. No GC pauses, no JVM warmup. Your p99 stays flat.
Zero-trust ready
mTLS, workload identity, and service-to-service auth — composable from the same SDK.
SOC 2 helpers
Immutable audit log, data residency controls, and encryption-at-rest for every tenant.
Full audit trail
Every auth decision and policy evaluation written to tamper-evident log. SIEM-ready.
Multi-region
Policy engine runs in-process wherever your service runs. No cross-region latency.
Open core
Core library is MIT licensed. No vendor lock-in. Migrate away any time.
Enterprise

Need self-hosted, custom SLAs, or HIPAA/FedRAMP?

We work with regulated industries and large engineering teams. Self-hosted control plane, dedicated support, compliance documentation, and custom integrations available.

Ship auth in 5 minutes.

One import in any language. Auth, policy, and observability wired up before your next standup.