Identity & Access Management

Secure Authentication & Authorization for Modern Applications

A flexible IAM platform designed for internal systems — with multi-tenant support, fine-grained RBAC, and OAuth 2.1 built in.

OAuth 2.1 / OIDC · Multi-Tenant · Fine-Grained RBAC · JWT + Refresh Tokens
IAM Admin · Users

Members: 3 users
  • Alice Chen, alice@corp.com, superadmin
  • Bob Smith, bob@corp.com, admin
  • Carol White, carol@corp.com, guest

Active Permissions
  • patients:read
  • reports:create
  • users:manage
Platform Features

Everything you need in one platform

Purpose-built for internal systems that require reliable, scalable identity management.

Multi-Tenant Architecture
Manage multiple organizations and teams with isolated namespaces, memberships, and permission scopes.
Fine-Grained RBAC
Define roles with granular permission sets. DENY always overrides ALLOW for predictable access control.
OAuth 2.1 & OIDC
Act as a full OAuth 2.1 authorization server. Issue access, refresh, and ID tokens for connected apps.
Developer-Friendly APIs
Type-safe server actions, a clean client SDK, and an auto-generated OpenAPI spec for seamless integration.
Token Management
JWT with configurable expiry, refresh token rotation, API keys, and token revocation built in.
Session & Audit
Database-backed sessions with cookie caching, two-factor authentication, and audit trail hooks.
How It Works

Simple flow, powerful control

Three phases that take a user from identity to authorized action.

01
Authenticate Users
Support email/password, social OAuth (GitHub, Google), magic links, and two-factor OTP authentication.
  • Email & Password
  • OAuth Providers
  • Magic Links
  • 2FA / OTP
02
Assign Roles & Permissions
Create roles with fine-grained permissions scoped to organizations and teams. Supports role inheritance.
  • Custom role definitions
  • Permission inheritance
  • Team-level scoping
  • Dynamic access control
03
Enforce Access Control
Validate permissions on every request. The resolver computes effective permissions with DENY precedence.
  • Per-request validation
  • DENY overrides ALLOW
  • Cached permission sets
  • API key enforcement
Developer Experience

Integrate in minutes, not days

Type-safe server actions, a clean client SDK, and a permission resolver that gives you the full picture — allowed, denied, and effective permissions in one call.

  • ZSA server actions with full TypeScript type safety
  • Clean Architecture — use cases, controllers, services
  • Permission caching with 60 s TTL and automatic invalidation
  • Auto-generated OpenAPI spec via Better Auth plugin
auth-usage.ts

```ts
import { authClient } from "@/modules/client/auth/auth-client";
// resolvePermissionsAction and requirePermission are the platform's own
// server actions; their import path is not shown on this page.

// Authenticate
const { data: session } = await authClient.signIn.email({
  email: "user@example.com",
  password: "••••••••",
});
if (!session) throw new Error("sign-in failed: no session returned");

// The organization (tenant) whose roles and permissions apply to this request
const organizationId = "org_01HV...";

// Resolve effective permissions for the signed-in user within that organization
const result = await resolvePermissionsAction({
  userId: session.user.id,
  organizationId,
});
// {
//   allow: ["patients:read", "reports:create"],
//   deny:  ["patients:delete"],
//   final: ["patients:read", "reports:create"]
// }

// Enforce in a server action or API route; the same DENY-precedence
// resolution decides whether the request is allowed
await requirePermission("patients:read", organizationId);
```
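To make the resolver semantics from step 03 and the allow/deny/final result above concrete, here is an added example, not the platform's own code: assigned roles are expanded through inheritance (with a cycle guard), then DENY precedence is applied. Role and permission names are constructed for the sample.

```typescript
type Effect = "ALLOW" | "DENY";
interface Role {
  name: string;
  inherits?: string[]; // parent roles whose grants are inherited
  grants: { permission: string; effect: Effect }[];
}
type Resolution = { allow: string[]; deny: string[]; final: string[] };

// Walk the inheritance graph; `seen` guards against cycles, unknown roles add nothing.
function expandRoles(assigned: string[], roles: Record<string, Role>): Role[] {
  const seen: Record<string, boolean> = {};
  const out: Role[] = [];
  const stack = assigned.slice();
  while (stack.length > 0) {
    const name = stack.pop() as string;
    if (seen[name]) continue;
    seen[name] = true;
    const role = roles[name];
    if (!role) continue;
    out.push(role);
    stack.push(...(role.inherits || []));
  }
  return out;
}

// DENY precedence: a permission reaches `final` only when some role allows it
// and no role, direct or inherited, denies it.
function resolvePermissions(assigned: string[], roles: Record<string, Role>): Resolution {
  const allow: Record<string, true> = {};
  const deny: Record<string, true> = {};
  for (const role of expandRoles(assigned, roles)) {
    for (const g of role.grants) {
      if (g.effect === "DENY") deny[g.permission] = true;
      else allow[g.permission] = true;
    }
  }
  const allowed = Object.keys(allow).sort();
  return { allow: allowed, deny: Object.keys(deny).sort(), final: allowed.filter((p) => !deny[p]) };
}

// Constructed sample roles: "clinician" inherits "staff", which allows patients:delete,
// but the DENY on clinician wins over the inherited ALLOW.
const ROLES: Record<string, Role> = {
  staff: { name: "staff", grants: [
    { permission: "patients:read", effect: "ALLOW" },
    { permission: "patients:delete", effect: "ALLOW" } ] },
  clinician: { name: "clinician", inherits: ["staff"], grants: [
    { permission: "reports:create", effect: "ALLOW" },
    { permission: "patients:delete", effect: "DENY" } ] },
};
console.log(resolvePermissions(["clinician"], ROLES));
```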
Use Cases

Built for real-world systems

From small internal tools to large enterprise platforms.

Internal Admin Dashboards

Gate every admin route and server action behind role checks. Superadmin, admin, and guest roles configured out of the box.

Enterprise Applications

Manage hundreds of users across isolated tenants with per-org roles, teams, and permission inheritance.

Multi-Tenant Systems

Each organization gets its own role hierarchy and permission set. Members are scoped to their tenant namespace.

Platform-Level Access Control

Issue OAuth 2.1 tokens for service-to-service communication. Enforce scopes and audiences consistently.

Security & Reliability

Secure by design

Every layer of the platform is designed with security and predictability in mind.

Token Rotation

Automatic refresh token rotation with configurable TTL and instant revocation support.

Role Enforcement

Server-side permission checks on every protected action and route via ZSA procedures.

Persistent Sessions

Database-backed sessions with 60 s cookie caching for performance without sacrificing accuracy.

Audit Support

Track authentication events and permission changes with database hooks and middleware.

Scalable Architecture

Clean Architecture with DI container. Swap infrastructure adapters without touching business logic.

Multi-Factor Auth

Email OTP 2FA and magic link authentication available for sensitive admin operations.

Start integrating IAM into your applications

Your authentication and authorization infrastructure, ready to use.