midnightcore.com

What It Is

Midnight Core positions itself as a provider of “Operational Software Products,” emphasizing independently operated software rather than consulting or custom development projects. According to its website, the company is based in Paris · Europe. Its product lineup includes Passport v1.0, which is already available, and Alembic v0, which has not yet been released. At present, the only core product that can really be evaluated is Passport: a centralized OAuth 2.1 / OIDC identity provider intended to enable one account to work across all products in the Midnight Core ecosystem.

Core Features and Technical Capabilities

Passport is clearly aimed at developers and platform teams. It supports OAuth authorization flows such as Authorization Code + PKCE, Client Credentials, and Refresh Token, and is compatible with OIDC, offering the openid scope, a UserInfo endpoint, and id_token. Access tokens are JWT-based, and a JWKS endpoint is provided for local validation without network calls. On the API Key side, the documentation mentions audience-scoped metadata and prefix-based routing, which are useful for service-to-service calls, isolating different API audiences, and key routing. On the administration side, it provides endpoints for OAuth client management and key rotation, and also mentions dynamic OAuth client registration.

Pricing, Deployment, and Security

The website does not disclose plans, pricing, a free tier, trial availability, or payment methods, nor does it clarify whether the product is cloud-only, self-hosted, or available in a hybrid deployment model. In terms of security, the verifiable information mainly focuses on protocols and key mechanisms: OAuth 2.1, OIDC, JWKS, local validation, API Key scoping, and key rotation. However, there are no visible compliance or enterprise security statements such as SOC 2, ISO 27001, GDPR, audit logs, or enterprise SSO policies.

Pros and Cons

The strengths are clear product boundaries, Passport’s foundation on mature open standards, and developer-friendly integration. JWT + JWKS and audience-scoped API Keys are also practical for modern API architectures. The downside is that the publicly available information still feels early-stage: support channels, SLA, team permissions, customer references, and deployment options are all unspecified. Alembic is only listed as Coming soon, so its ERP capabilities cannot yet be verified.

Who It’s For and Access from China

It is better suited to technical teams building a multi-product account system and needing an OAuth/OIDC identity layer plus API Key management. If an organization requires mature IAM compliance assurances, console-level permissions, audit capabilities, and localized support, it should still evaluate carefully. Access from China is unknown, and payment methods have not been disclosed. Possible alternatives include Auth0, Okta, Keycloak, FusionAuth, WorkOS, and Clerk; for ERP use cases, it can be compared with ERPNext, Odoo, NetSuite, and others.