Identity for humans, agents, and machines

Auth for the AI era.
Humans, agents, and machines.

One identity model for everyone calling your product — humans logging in, agents acting on their behalf, and services authenticating with mTLS or M2M tokens. Same SDK, same audit, same policy engine.

Talk to sales →

Built by engineers from Rio

Plays with

Why Authaz

Auth wasn't designed for what you're shipping.

AI-native products launch multi-tenant on day one, with agents calling APIs on behalf of users and feature surface that compounds weekly. The auth tools you'd reach for were built for a different decade.

— 01

Multi-tenant from day one

Your product launched with workspaces, not single-user mode. Most auth tools bolt tenancy on as a paid tier — Authaz makes organizations and members first-class primitives.

— 02

Agents and services are first-class identities

Your product makes calls on behalf of humans — through models, agents, automations, and backend services. Mainstream IAM has no clean answer for 'which agent (or service) acted as which user, with what scope?' Authaz models humans, agents, and machines under one identity primitive — with mTLS, M2M tokens, and scoped delegation built in.

— 03

Authorization compounds with you

Every feature ships another scope, another role, another conditional. Roll your own and it ossifies; pick the wrong vendor and it follows you forever. RBAC, ReBAC, and org-scoped policy as managed primitives.

— 04

Speed is the moat

AI-era startups win by shipping faster than incumbents can react. Auth shouldn't be the thing slowing your release train — drop in the SDK, log in, ship the next feature.

Built for

Teams building the next generation of SaaS.

If your product has humans logging in, agents calling APIs on their behalf, or services authenticating each other with mTLS or M2M tokens — Authaz is the auth platform you don't have to fight.

AI SaaS & agent platforms

Agent identities, scoped tokens for LLM calls, per-action audit — for products where 'who did what, on whose behalf' is the hard question.

API platforms & machine workloads

Service-to-service traffic, mTLS-pinned clients, and scoped M2M tokens — modeled the same way as human sessions, with the same per-tenant policy and audit trail.

Modern multi-tenant SaaS

Workspaces, member roles, and customer-managed SSO — modeled correctly out of the box, without bolting tenancy on later.

Vibe-coded startups

AI-built codebases shipping weekly. Drop in the SDK, ship login, focus on the part of the product only you can build.

B2B platforms graduating into enterprise

When the first big customer asks for SAML, SCIM, audit, and step-up, you already have it. No replatforming, no add-on bill.

Use cases

Patterns you'll find familiar.

AI SaaS

Agent identities, per-call scoped tokens, and a clean audit trail for every action a model takes on a user's behalf.

Multi-workspace products

Users belong to multiple organizations. Switching workspaces switches roles, tokens, and policy — automatically.

Machine-to-machine APIs

Backend services, partner integrations, and scheduled jobs — authenticated with mTLS or scoped M2M tokens, audited at the same fidelity as user actions.

Marketplaces

Buyers, sellers, and platform operators on three sides of the same identity model — without separate auth stacks.

Authentication

Every way to authenticate. Human, agent, or machine.

Password, passkey, magic link, OAuth, SAML, MFA, M2M tokens, mTLS-pinned clients, and agent identities — one API, one audit trail, one place to configure. Whoever (or whatever) is calling, you get the same primitives.

METHODS · LAST 24H

Authorization

Authorization belongs in the platform.

Most auth vendors stop at login. Authaz keeps going — RBAC, ReBAC, per-tenant policy, and a decision log that treats users, agents, and services as first-class subjects. The same rule decides whether a human, an agent, or a backend service can act. No custom middleware, no homegrown role tables.

policy.zslive

policy "doc:edit" {
allow if subject.role == "admin"
allow if subject.id == resource.owner
allow if resource.shared_with.has(subject.id)
deny if resource.archived
}

policy "billing:*" {
allow if subject.role in ["admin", "billing"]
}

decisions · livestreaming

p99 1.4ms

allow

doc:edit

usr_val@acme.com

just now

allow

doc:read

agent:codex

1s ago

deny

billing:pay

usr_rod@acme.com

2s ago

allow

org:invite

usr_sam@acme.com

4s ago

allow

doc:share

usr_lee@acme.com

6s ago

deny

admin:kick

usr_new@acme.com

9s ago

Multi-tenant model

How identity actually maps in B2B SaaS.

Tenant isolation isn't a flag in your token — it's how every layer thinks about access. Tokens, policy, and audit all carry organization context by default.

Tenant: Acme

Members

val@acme.comrod@acme.com+ 240

Roles

adminbillingmember

Resources

docsbillingaudit

Tenant: Globex

Members

lee@globex.iosam@globex.io+ 1.2k

Roles

ownersupportviewer

Resources

projectsbillingaudit

JWT · org=acme · roles=[admin]

policy.zs · org-scoped

One identity model. Every token, policy, and audit row carries org context — no app-side bookkeeping.

How it works

Inside the auth path.

Every request lands at a regional edge, picks up tenant context from the resolver, runs through policy, and writes an audit row — all under fifty milliseconds.

Multi-tenant request flowp99 < 50ms

01 · Edge

TLS terminates at the closest region. Request gets a trace id.

02 · Resolver

Tenant detected from domain or token. Org context attached.

03 · Policy

RBAC, ReBAC, and step-up rules evaluated. Decision logged.

04 · Audit

Action, subject, resource, decision — written immutably.

Common flows

1email entered
2IdP routed
3MFA verified
4JWT issuedok

Org switch

1select org
2scope refreshed
3new token
4policy reloadedok

Invite member

1admin sends
2email delivered
3invite accepted
4role assignedok

Configuration

Ship your whole auth stack from one file.

Define providers, MFA, sessions, signup, and branding in version-controlled YAML. authaz apply diffs your file against the live tenant and applies the change — from local dev to staging to prod, no clicking around a dashboard.

$curl -sSL install.authaz.io | sh·macOS · Linux · Windows

authaz.yamlsynced

apiVersion: authaz/v1
kind: Application
metadata:
  name: acme
  etag: "5f3a2b1c"
spec:
  authentication:
    providers:
      emailPassword:
        enabled: true
        minLength: 12
        rejectBreached: true
        lockout: { maxAttempts: 5, durationMinutes: 15 }
      magicLink:
        enabled: true
        codeType: numeric
        codeLength: 6
        codeExpiryMinutes: 15
      oauth:
        - provider: google
          scopes: [openid, profile, email]
    mfa:
      mode: required
      allowedMethods: [totp, webauthn]
      primaryMethod: totp
      gracePeriodDays: 7
      requireForAdmins: true
    session:
      timeoutMinutes: 480
      idleTimeoutMinutes: 30
      maxConcurrentSessions: 5
  branding:
    preset: professional

terminal · authaz applyexit 0 · 1.4s

$ authaz apply --file authaz.yaml

  + spec.authentication.providers.magicLink: enabled
  ~ spec.authentication.mfa.mode: optional → required
  + spec.authentication.mfa.allowedMethods: [totp, webauthn]
  + spec.authentication.mfa.requireForAdmins: true
  ~ spec.authentication.session.timeoutMinutes: 720 → 480
  + spec.authentication.providers.oauth[google]: enabled
  ~ spec.branding.preset: indigo → professional

7 change(s)
Apply these changes? y

✓ Updated application acme
ETag: 9c4e1a8b…
7 change(s) applied.

authaz validate — schema + range checksauthaz apply --dry-run — preview the diffauthaz export — round-trip the live tenantETag-protected · optimistic concurrency

Developer experience

API-firstREST APISDKsWebhooksTerraform (soon)

Verify a session in five lines.

SDKs for the languages you ship in. Same primitives, same shape, same docs. No ten-call dance to get a user id.

import{ authaz } from "@authaz/server"; export async function GET(req: Request) { const session = await authaz.sessions .verify(req.headers.get("authorization")); if (!session) return new Response("", { status: 401 }); return Response.json({ user: session.subject, org: session.org, roles: session.roles, }); }

response · 200 ok37ms

{ "user": { "id": "usr_01HZX7...", "email": "val@acme.com", "verified": true }, "org": { "id": "org_acme", "slug": "acme", "plan": "enterprise" }, "roles": ["admin", "billing"] }

Webhooks & events

Wire your stack to identity, not the other way around.

Subscribe once. Replay on demand. Every identity change in your tenant fires a typed event you can route to Slack, your CRM, or your own services.

events

user.created

New user provisioned, with method, IP, and IdP context.

organization.invited

Invite issued — token, role, and the inviter on the same payload.

mfa.enabled

MFA factor activated for a user. Useful for compliance dashboards.

session.revoked

Session ended programmatically — by admin, by policy, or by user.

policy.denied

An authorization decision returned deny. Stream straight to your SIEM.

POST /your-webhook · signed (HMAC-SHA256)200 OK

{ "id": "evt_01HZX9...", "type": "organization.invited", "created_at": 1746518400, "data": { "org_id": "org_acme", "email": "sam@acme.com", "role": "admin", "invited_by": "usr_val@acme.com", "valid": true } }

Idempotency keys, exponential retries, replay window of 30 days.

Local development

Build against real auth, locally.

Sandbox tenants come pre-seeded with users, orgs, and roles. Local callbacks work out of the box — no ngrok choreography to log in.

Sandbox tenants

Spin up isolated tenants with seed data. Reset to zero in one CLI call.

Local callbacks

http://localhost is allowed in dev tenants. No reverse-proxy hacks.

Test environments

Pre-staging, staging, and prod tenants share the same schema and SDK shape.

terminal · ~/dev

$ authaz tenants create --seed dev
$ authaz dev --port 3000 --tenant my-dev
→ Login URL: http://localhost:3000/auth/callback

Audit & compliance

Every action logged. Nothing to build.

Sessions, challenges, policy decisions, admin actions — immutable, filterable, exportable. Your SIEM, your S3, your choice.

2.4MEvents · today

99.987%Ingest success

42msp99 ingest latency

184Blocked · last 1h

timeeventactor · contextresult

17:42:11.204USER.AUTHENTICATEDval@acme.comPasskey · iPhone 15 · São Paulo, BR · 200.144.x.xok

17:42:09.819MFA.CHALLENGEDval@acme.comTOTP via Authenticator · 1.4s responseok

17:42:04.331PASSWORD.FAILEDrisk · mediumrod@acme.com3rd attempt · Chrome on Windows · Lagos, NG · new devicefail

17:41:58.002POLICY.DENIEDrod@acme.combilling:pay · subject.role ∉ ['admin','billing']deny

17:41:44.556PASSKEY.REGISTEREDadmin@acme.comTouch ID · MacBook Pro · synced via iCloud Keychainok

17:41:31.100AGENT.TOKEN_ISSUEDsvc:codexscope: doc:read,doc:write · ttl 3600s · client_id ag_01HZ…ok

17:41:18.722OAUTH.LINKEDval@acme.comGoogle Workspace · acme.com · refresh_token rotatedok

17:41:12.784SESSION.REVOKEDsam@acme.comManual revoke by admin@acme.com · 4 devices invalidatedok

17:41:02.119EMAIL.VERIFIEDnew@acme.comMagic-link · clicked 11s after send · same IP as requestok

17:40:59.003PASSWORD.CHANGEDlee@acme.comSelf-service · entropy 78 bits · breached-password check passedok

17:40:47.501ACCOUNT.LOCKEDrisk · highbot@acme.com20 failed attempts in 60s · auto-lock 15m · ASN AS14061deny

17:40:33.207USER.SIGNED_OUTkim@acme.comIdle timeout · last active 30m agook

White-label

Make it yours.

Custom domain, custom branding, buyer-provided IdPs — every login page feels like part of your customer's product, not a vendor stopover.

Hosted login · pick a brand

centered

🔒 https://login.sunny.com/sign-in

Welcome back

you@sunny.com

Password

••••••••••••

Sunny — The friendliest way to manage your day.

Custom domain

CNAME to your subdomain. SSL and renewals handled.

Buyer IdPs

Microsoft Entra, Google Workspace, SAML or OIDC.

Custom logo

Brand colors

Match primary and accent across all auth UI.

Email templates

Customizable verification, welcome, and reset.

Hosted login

Branded universal login page with your domain.

Built for B2B SaaS

The wedge most identity platforms miss.

B2B SaaS lives or dies on three things: organizations, member access, and tenant-scoped permissions. Authaz is built around them — not around them as paid add-ons.

No tenant sprawl

Org and member state in one place. No shadow tables, no Notion source of truth.

No enterprise add-on maze

SAML, SCIM, audit, step-up — same SDK, same tier, day one.

No fragmented org management

Invites, roles, and customer-managed SSO sit on a single primitive.

No rebuilding authorization

RBAC, ReBAC, and per-tenant policy are managed and audited — not scattered through your codebase.

Enterprise readiness

Everything enterprise asks for. Shipped, not roadmapped.

The features your largest customers ask about — SAML, SCIM, audit, FGA, multi-region — built into the same SDK as your first user's signup.

SAML SSO

IdP- and SP-initiated. Per-tenant. Test mode included.

SCIM provisioning

Users and groups sync from Okta, Entra, JumpCloud — without webhooks.

Audit logs

Immutable, filterable, exportable to your SIEM or S3.

Fine-grained authorization

RBAC, ReBAC, and org-scoped policy in one engine.

Organization isolation

Tenant boundaries enforced at token, policy, and audit layers.

Multi-factor auth

TOTP, passkeys, and hardware keys. Per-tenant policy.

Step-up auth

Re-verify identity before privileged actions and high-risk flows.

Session controls

Revoke per device, agent, or IP. Cap concurrent sessions per role.

Custom domains

Bring your own email

Send verification through SES, Postmark, or your provider — keep your sender reputation.

Multi-region

Active-active across regions, automatic failover, sub-50ms decision latency.

Webhooks & events

user.created, organization.invited, mfa.enabled — wire your own automations.

Security & compliance

Security review becomes a checklist, not a project.

Authaz is engineered for SOC 2 and your largest customer's vendor security questionnaire. Encryption, isolation, and rotation aren't add-ons — they're defaults.

Encryption at rest & in transit

AES-256-GCM at rest. TLS 1.2+ for everything in flight.

JWE / JWS tokens

Encrypted payloads where claims are sensitive. Signed everywhere.

Tenant isolation

Logical and cryptographic. Per-tenant keys for sensitive payloads.

Automated key rotation

Token signing keys rotate on schedule. No manual ops.

24/7 monitoring

Anomaly detection on auth flows. Alerts for credential stuffing, replay, and exfiltration.

Per-tenant rate limiting

One noisy tenant can't degrade your other customers.

View security overview →

Reliability

Sign-in keeps working — even when AWS doesn't.

Active-active across regions. Automatic failover. The auth path is the last thing in your stack you want flapping.

active-active

Multi-region by default

auto failover

Region loss is invisible to your users

99.99%

Target uptime SLA

per-tenant

Replication & rate limits, isolated by customer

View status →

Migration

Already on Auth0, Cognito, or homegrown auth?

Most teams that move to Authaz come from one of three places. We have a path for each — and engineers who've done the migration before.

← Auth0

Migrating from Auth0

Drop the enterprise add-on bill. Bring users, tenants, and rules across without forcing a re-login.

← Cognito

Migrating from Cognito

Replace the configuration maze with one declarative model — same MAU, less ops.

← Custom auth

Replacing custom auth

Hand off password, sessions, and audit. Keep your business logic. Get enterprise primitives in days.

Pricing

Predictable from your first user to your ten-thousandth tenant.

MAU-based pricing. Security included on every tier. No paywalled SAML.

Pro

$25

per month

Scale with the enterprise features built in.

Up to 50k MAU
SAML SSO + multi-tenant
7-day audit retention

Business

One identity control plane for B2B SaaS.

Authaz is being built as the enterprise readiness infrastructure for B2B software — customer, workforce, and machine identity under a single model. Same primitives. Same audit. One contract.

Customer IAM

Your end users and organizations

Signup, login, customer-managed SSO, per-tenant authorization. The B2B SaaS surface, today.

Workforce IAM

Your team and internal tools

Admin dashboards, support consoles, engineering tooling. Same identity backbone as your customer-facing product.

Machine & workload identity

Agents, services, scoped credentials

M2M tokens, agent identities, service accounts. Audited at the same fidelity as user actions — without a separate stack.

Most teams run three identity stacks: one for customers, one for employees, one for services. Authaz collapses them into one — same model, same SDK, same audit.

Changelog

View all →

Apr 15 2026

Agent-scoped sessions

Scoped tokens and audit trails for AI agents.

Apr 09 2026

Device-bound passkeys

Require hardware keys for admin-tagged actions.

Apr 02 2026

Tenant-aware audit export

Per-tenant streams to S3, Datadog, or your SIEM.

Mar 26 2026

One-click SAML IdP setup

Self-serve flow for buyer-provided IdPs.

Proof

Teams shipping auth, instead of building it.

"I had SSO, passkeys, and MFA live by Sunday afternoon. I was building a product, not an auth system."

Indie founder

B2B SaaS

"The first auth vendor whose docs matched what the SDK actually does. That alone saved us a sprint."

Staff engineer

Dev-tools company

"A Fortune 500 asked for SAML and SOC 2-ready audit on the same call. We said yes. Shipped in three days."

CTO

Series B SaaS

< 50ms

Auth decision, p99 globally

11+

Auth methods, one API

SOC 2

Type II, on the roadmap

by the numbers

< 50ms

auth decision, p99 globally

11+

auth methods, one API

multi-region

active-active, survives a full AWS region failure

When an entire AWS region goes down, your sign-in flow keeps working. Active-active across regions — from your first user to your ten-thousandth tenant, no rewrites along the way.

Stop building auth from scratch.
Ship the AI-era part of your product.

Drop in the SDK. Authenticate users, scope agents, sign service-to-service calls with mTLS or M2M tokens — audit every action. Get back to building the part of the product only you can build.

No spam, ever.

Early access

Launch benefits

Priority support

Startup program — launch pricing for qualified teamsWaitlist open — early-access rollouts weekly

Auth for the AI era.Humans, agents, and machines.

Auth wasn't designed for what you're shipping.

Teams building the next generation of SaaS.

Patterns you'll find familiar.

Every way to authenticate. Human, agent, or machine.

Authorization belongs in the platform.

How identity actually maps in B2B SaaS.

Inside the auth path.

Ship your whole auth stack from one file.

Verify a session in five lines.

Wire your stack to identity, not the other way around.

Build against real auth, locally.

Every action logged. Nothing to build.

Make it yours.

The wedge most identity platforms miss.

Everything enterprise asks for. Shipped, not roadmapped.

Security review becomes a checklist, not a project.

Sign-in keeps working — even when AWS doesn't.

Already on Auth0, Cognito, or homegrown auth?

Predictable from your first user to your ten-thousandth tenant.

One identity control plane for B2B SaaS.

Changelog

Teams shipping auth, instead of building it.

Stop building auth from scratch.Ship the AI-era part of your product.

Auth for the AI era.
Humans, agents, and machines.

Stop building auth from scratch.
Ship the AI-era part of your product.