REST API for user object operations

At its core, Thunder is a REST API that provides endpoints to manage user accounts and information. Your frontend application can use Thunder to create, retrieve, update, and delete user accounts. All of the user information is stored in a database that Thunder interfaces with.

Multiple Database Providers

Thunder provides implementations for multiple database providers so that you can use the database of your choice. Currently, Thunder supports Amazon DynamoDB and MongoDB, with support for additional providers coming in the near future. See Database for more information on configuring a specific database provider.

Email Verification

Thunder provides functionality to send verification emails and keep email verification state. POST requests to /verify will send a verification email with a verification URL. GET requests to /verify will mark the email address as verified. Finally, applications can also reset the verification status of a user’s email address for any reason at /verify/reset.


Thunder currently relies on Amazon Simple Email Service (SES) to send emails, so an AWS account is required if email verification is enabled for your instance of Thunder.

Server-Side Password Hashing

Thunder can hash user passwords on the server side. By default in version 2.0+, Thunder will not hash any user passwords. However, you can enable hashing in your configuration and also specify the hashing algorithm to use. See User Password Hashing for more information on the configuration options.

Secrets Fetching

Thunder is able to fetch values defined in your configuration file from a secrets provider. This is particularly useful for configuration such as a MongoDB connection string, or the secret key used to validate HMAC-SHA signed JWT tokens. See Configuration Secrets for more information.

Basic Authentication or OAuth 2.0

Thunder requires authentication from clients when making requests to the API. This authentication can be configured to be either basic authentication (with a user-defined list of allowed username/password combinations), or OAuth 2.0 authentication. When using OAuth 2.0, you must have a separate service that will supply OAuth JWT tokens, which clients will then send to Thunder in the Authorization header. Thunder will verify that the JWT tokens it receives are valid and that they contain the right claims specified by the user in the configuration file. See Authentication for more information.
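
The OAuth check described above, sketched as an added example (not Thunder's own code, which this page does not show): verify an HMAC-SHA256 signed JWT taken from the Authorization header with the algorithm pinned, then check expiry and the configured claims. The secret, the issuer and audience values, the function names and the requirement of an exp claim are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; in practice from a secrets provider
REQUIRED = {"iss": "https://auth.example.com", "aud": "thunder"}  # assumed claims

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Stand-in for the separate token service; builds constructed sample tokens."""
    signing_input = ".".join(b64e(json.dumps(p).encode())
                             for p in ({"alg": alg, "typ": "JWT"}, claims))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64e(mac)}"

def verify_bearer(authorization: str, secret: bytes, required: dict, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError on any failure."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        signature = b64d(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    # Pin the algorithm: never let the token choose it (rejects "none" and others).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    for name, value in required.items():  # claims configured by the operator
        if claims.get(name) != value:
            raise ValueError(f"claim {name!r} missing or wrong")
    return claims
```

The signature is checked before any claim is trusted, and every failure path raises, so a caller cannot treat a partially validated token as authenticated.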

Additional User Properties

Thunder always requires that your user objects contain an email address and a password. However, you can include any number of additional properties in your user objects. By default, additional user properties are flexible and Thunder will not perform any validation of these properties. For example, you can create two users like the following:

User 1

  {
    "email": "sampleuser@sanctionco.com",
    "password": "hunter2",
    "appId": 1234567890
  }

User 2

  {
    "email": "seconduser@sanctionco.com",
    "password": "hunter3",
    "appId": 1234567890,
    "additionalProperty": "So many properties!"
  }

and Thunder will accept both.

You can also configure Thunder to perform validation on these properties to ensure that all users have the same properties and that they are the correct type (String, Integer, Double, etc.). See Property Validation for more information on the configuration options.

Customizable Email Contents

The contents of verification emails can be completely customized. See Email for more information on the configuration options.

Customizable Verification Success Page

The success page that is shown to the end-user when their email is successfully verified can be customized. See Email for more information on the configuration options.

Generated OpenAPI (Swagger) Specifications

Thunder offers generated OpenAPI documentation that is available at the /openapi.yaml or /openapi.json endpoints. This generated documentation can be used to automatically generate client libraries that are supported by the openapi-generator. Additionally, Thunder runs Swagger UI at the /swagger endpoint. You can use the UI to view all of the available endpoints as well as to make requests against the API.

Official Docker Image

Thunder provides an official Docker image so that your instance of Thunder can be easily run in a container environment. There is also documentation on how to run Thunder in Kubernetes.

Client Libraries

Thunder provides client libraries for easy communication between your application and your instance of Thunder. See Client Libraries for more information on the client libraries.