Authentication, roles, organizations, and a full OAuth2 / OpenID Connect provider. Everything you need to manage who can access what.
Platform
Standards-compliant authorization code flow with PKCE, client credentials grants, refresh token rotation, and full OIDC discovery. JWT or opaque tokens — your choice.
Define fine-grained permissions with a simple resource:action format. Compose them into roles and assign to users at the environment or organization level.
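The permission model described above (resource:action strings composed into roles, roles assigned at environment or organization scope) is small enough to show end to end. The following is an added example written for this page, not the platform's own code; the class and method names are hypothetical, and the scoping rule it implements is the one the text states: an environment-level assignment covers every organization in that environment, an organization-level one covers only that organization, and nothing crosses environments.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One 'resource:action' permission, e.g. 'document:write'."""

    resource: str
    action: str

    @classmethod
    def parse(cls, text: str) -> Permission:
        parts = text.split(":")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"permission must be 'resource:action', got {text!r}")
        return cls(parts[0], parts[1])


@dataclass(frozen=True)
class Role:
    """A named bundle of permissions."""

    name: str
    permissions: frozenset[Permission]


class Authz:
    """Hypothetical in-memory authorization store (constructed for this example)."""

    def __init__(self) -> None:
        self._roles: dict[str, Role] = {}
        # (user, environment, organization-or-None) -> set of role names.
        # organization=None means the assignment applies environment-wide.
        self._assignments: dict[tuple[str, str, str | None], set[str]] = {}

    def define_role(self, name: str, *perms: str) -> None:
        self._roles[name] = Role(name, frozenset(Permission.parse(p) for p in perms))

    def assign(self, user: str, role: str, environment: str, organization: str | None = None) -> None:
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}")
        self._assignments.setdefault((user, environment, organization), set()).add(role)

    def allowed(self, user: str, environment: str, organization: str, permission: str) -> bool:
        """Deny by default; grant only if some in-scope role carries the exact permission."""
        wanted = Permission.parse(permission)
        # Environment-wide assignments apply to every org in that environment;
        # org-level assignments apply only to that org. Environments never mix.
        for key in ((user, environment, None), (user, environment, organization)):
            for role_name in self._assignments.get(key, ()):
                if wanted in self._roles[role_name].permissions:
                    return True
        return False


if __name__ == "__main__":
    az = Authz()
    az.define_role("editor", "document:read", "document:write")
    az.define_role("viewer", "document:read")
    az.assign("alice", "editor", "production", organization="acme")  # org-scoped
    az.assign("bob", "viewer", "production")  # environment-wide
    print(az.allowed("alice", "production", "acme", "document:write"))  # True
    print(az.allowed("alice", "production", "globex", "document:write"))  # False
```

The check is deny-by-default and matches permissions exactly; if a deployment needs wildcards such as `document:*`, that is an extension to add deliberately rather than something the parser should accept by accident.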
Multi-org support out of the box. Memberships, org-level roles, and email invitations with expiry. Organization context flows into tokens as claims.
Separate test and production data completely. Each environment gets its own subdomain, users, API clients, and signing keys. Ship with confidence.
A full JSON:API for every resource — users, roles, clients, scopes, signing keys, organizations, and more. Automate everything or build your own dashboard.
Every action is logged with the actor, targets, and field-level changes. Know exactly who did what and when — built in from day one.
PKCE
S256 code challenge for public clients. Secure auth flows in SPAs, mobile apps, and CLIs.
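To make the S256 flow concrete, here is an added example (not the platform's code) of both halves of PKCE as RFC 7636 defines them: the public client derives `code_challenge = BASE64URL(SHA256(code_verifier))`, and the token endpoint recomputes it from the presented verifier and compares in constant time. The `AuthorizationServer` class is a constructed in-memory stand-in for the authorize and token endpoints; it rejects the `plain` method and consumes each authorization code on first use so a replayed code fails.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier of 43..128 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))  # 32 bytes -> 43 characters


def s256_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side at the token endpoint. Only S256 is accepted for public clients."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = s256_challenge(presented_verifier)
    # Constant-time comparison so a timing side channel cannot leak the challenge.
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Hypothetical in-memory authorize/token endpoints (constructed for this example)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}  # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        """Issue an authorization code bound to the client's challenge."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted for public clients")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Exchange the code; the code is single-use and is consumed even on failure."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, challenge, method = entry
        if stored_client != client_id or not verify_pkce(challenge, method, code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


if __name__ == "__main__":
    # Full round trip: client generates verifier, sends challenge, redeems code with verifier.
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("spa-client", s256_challenge(verifier), "S256")
    print(server.token("spa-client", code, verifier))  # access_token issued
    print(server.token("spa-client", code, verifier))  # {'error': 'invalid_grant'}: replay
```

The reference vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a useful fixture for any implementation of `s256_challenge`.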
Token Introspection
RFC 7662 endpoint for validating tokens without parsing JWTs yourself.
Key Rotation
RSA 4096-bit signing keys with JWKS. Rotate keys without breaking existing tokens.
Rate Limiting
Built-in per-IP rate limiting on auth and token endpoints. Configurable thresholds.
Argon2 Passwords
Memory-hard password hashing with timing-safe verification. No shortcuts on security.
Consent Management
Per-user, per-client consent grants. First-party apps skip the consent screen.
Custom Scopes
Define scopes with claim mappings per environment. Standard OIDC scopes included.
Dashboard
Manage users, roles, clients, keys, and organizations from a built-in admin UI.