Technical Architecture

A single Rust binary, one PostgreSQL database, no external services. Every architectural decision follows from one constraint: minimize what you cannot control.

System Architecture

ZenoAuth system architecture: clients connect to a single Rust API binary backed by PostgreSQL

One service, one database, complete control.


Zero-Dependency Philosophy

You cannot control external dependencies breaking. You can control eliminating them entirely.

  • PostgreSQL: only external dependency
  • No Redis, no message queues
  • Built-in caching with TTL support
  • Self-contained session management
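The "built-in caching with TTL" and "self-contained session management" points above, as an added example (not ZenoAuth's own code): an in-process cache whose entries never outlive the session's `expires_at` and can be dropped on revocation. The `Session` and `SessionCache` types, the method names, the choice to cache session lookups, and the sample values are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Cached session lookup; fields mirror the page's `sessions` table.
#[derive(Clone, Debug, PartialEq)]
pub struct Session {
    pub user_id: String,
    pub expires_at: u64, // session expiry, seconds since the Unix epoch
}

/// Hypothetical in-process TTL cache keyed by session token (not ZenoAuth's type).
pub struct SessionCache {
    ttl_secs: u64,
    entries: HashMap<String, (Session, u64)>, // session + cache deadline
}

impl SessionCache {
    pub fn new(ttl_secs: u64) -> Self { Self { ttl_secs, entries: HashMap::new() } }

    /// Cache a session; the deadline is capped at the session's own expiry.
    pub fn put(&mut self, token: &str, session: Session, now: u64) {
        if session.expires_at <= now {
            return; // never cache an already-expired session
        }
        let deadline = session.expires_at.min(now.saturating_add(self.ttl_secs));
        self.entries.insert(token.to_string(), (session, deadline));
    }

    /// Return a live entry; an entry past its deadline is evicted, not served.
    pub fn get(&mut self, token: &str, now: u64) -> Option<Session> {
        let live = match self.entries.get(token) {
            Some((s, deadline)) if now < *deadline => Some(s.clone()),
            _ => None,
        };
        if live.is_none() {
            self.entries.remove(token); // no-op on a plain miss
        }
        live
    }

    /// Call on logout or revocation so a revoked session is never served from cache.
    pub fn invalidate(&mut self, token: &str) {
        self.entries.remove(token);
    }
}

fn main() {
    let mut cache = SessionCache::new(300); // constructed sample values
    cache.put("tok-a", Session { user_id: "u1".into(), expires_at: 1_120 }, 1_000);
    println!("{:?} {:?}", cache.get("tok-a", 1_119), cache.get("tok-a", 1_120));
}
```

Time is passed in as a parameter so the expiry behaviour can be checked deterministically; with several stateless instances, each process holds its own cache, so a revocation is only guaranteed visible everywhere once the TTL has elapsed.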

The Gateway Pattern

A single, secure entry point that connects diverse identities under unified policy control.

  • Central authentication gateway
  • Multiple identity providers
  • Federation without complexity
  • Single point of security control

Performance by Design

Rust's memory safety with zero-cost abstractions and predictable, GC-free performance.

  • 47ms average authentication
  • 15,000+ operations/sec throughput
  • Sub-10ms token validation
  • ~50 MB memory footprint

Security Architecture

Cryptographic Foundation

Modern Cryptography
    # JWT Signatures
    Algorithm: Ed25519
    Key Size: 256 bits
    Performance: ~64,000 signatures/sec

    # Password Hashing
    Algorithm: Argon2id
    Memory: 65536 KB
    Iterations: 3
    Parallelism: 4

    # TLS Configuration
    Version: TLS 1.3
    Ciphers: ChaCha20-Poly1305, AES-256-GCM
    HSTS: max-age=31536000

Zero-Trust Pipeline

Authentication Pipeline

  1. Request Validation — Schema, rate limits, origin
  2. Identity Verification — Credentials, MFA, device trust
  3. Authorization Check — Scopes, permissions, policies
  4. Token Generation — Ed25519 signing, claims validation
  5. Session Creation — Secure storage, expiry management
  6. Audit Logging — Event correlation, anomaly detection

Database Architecture

Core Schema Design
    -- Multi-tenant Organizations
    CREATE TABLE organizations (
        id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
        name VARCHAR(255) NOT NULL,
        slug VARCHAR(100) UNIQUE NOT NULL,
        settings JSONB DEFAULT '{}',
        created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
    );

    -- Users with Flexible Attributes
    CREATE TABLE users (
        id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
        organization_id UUID NOT NULL REFERENCES organizations(id),
        email VARCHAR(255) NOT NULL,
        password_hash VARCHAR(255),
        profile JSONB DEFAULT '{}',
        is_active BOOLEAN DEFAULT true,
        created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
    );

    -- OAuth Applications
    CREATE TABLE applications (
        id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
        organization_id UUID NOT NULL REFERENCES organizations(id),
        client_id VARCHAR(255) UNIQUE NOT NULL,
        client_secret_hash VARCHAR(255),
        redirect_uris TEXT[],
        allowed_scopes TEXT[],
        settings JSONB DEFAULT '{}'
    );

    -- Session Management
    CREATE TABLE sessions (
        id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
        user_id UUID NOT NULL REFERENCES users(id),
        session_token VARCHAR(255) UNIQUE NOT NULL,
        expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
        metadata JSONB DEFAULT '{}'
    );

JSONB Flexibility

Dynamic user profiles, application settings, and audit metadata without schema migrations.

UUID Everywhere

Randomly generated, globally unique identifiers (gen_random_uuid()) cannot be guessed in sequence, which prevents ID enumeration attacks, and they stay unique across distributed systems.

Built-in Indexing

GIN indexes on JSONB, composite indexes on query patterns, and full-text search ready.

Performance Profile

Response Times (P95)

  • Authentication: 47ms avg
  • Token Validation: < 8ms
  • SSO Integration: < 120ms
  • Database Query: < 15ms

Throughput

  • Concurrent Users: 10,000+
  • Operations/Second: 15,000+
  • Memory Usage: ~50 MB
  • CPU (Idle): < 3%

Scalability

  • Horizontal Scaling: Stateless
  • Read Replicas: Supported
  • Connection Pooling: Built-in
  • Cache Hit Rate: 90%+

Implementation Philosophy

The Rust Advantage

Memory safety without garbage collection, zero-cost abstractions with predictable performance.

Core Technologies
    # Web Framework
    Axum: Modern async HTTP framework
    Tower: Middleware and service abstractions
    Hyper: High-performance HTTP implementation

    # Database
    SQLx: Compile-time checked queries
    Connection pooling: bb8 + SQLx
    Migrations: Embedded and versioned

    # Security
    Ed25519: ed25519-dalek crate
    Argon2: argon2 crate (PHC standard)
    JWT: jsonwebtoken + custom validation

Design Principles

Stoic Engineering

  • Control Dependencies: Minimize what cannot be controlled
  • Logical Design: Every decision based on first principles
  • Predictable Behavior: No surprises, clear failure modes
  • Rational Security: Security through logic, not obscurity
  • Gateway Focus: One service, one purpose, complete control

"The Logic of Access"

Zeno taught that virtue comes from living according to nature and reason. ZenoAuth applies this to authentication: natural simplicity, reasonable security, logical architecture.