SSO login complete - SAML for val@acme.com

{
  "iss": "acme.authaz.com",
  "sub": "usr_01HZX7...",
  "aud": "acme-web",
  "org": "org_acme",
  "roles": ["admin", "billing"],
  "amr": ["saml", "mfa"],
  "exp": 1773292800
}

A new species of auth platform. Purpose-built for teams shipping to enterprise buyers, with identity, authorization, and audit on the same timeline.
Launch SSO without a SAML project.
One config screen. Production SSO in minutes. Pass the enterprise IT checklist on the first try.
Pass security review out of the box.
Immutable audit trail, SOC 2 artifacts, tenant-scoped access: shipped, not wired up after the fact.
Scale from one tenant to ten thousand.
Multi-tenant-first schema. Organization-aware RBAC. No migration cliffs when your biggest customer lands.
Every way to authenticate, on day one.
Password, passkey, magic code, OAuth, SAML, MFA, M2M keys, and agent identities: one API, one audit trail, one place to configure.
Authorize the thing your lawyer asked about.
Fine-grained, tenant-aware policies written as code and enforced everywhere, with a decision log you can actually read.

policy "doc:edit" {
  allow if subject.role == "admin"
  allow if subject.id == resource.owner
  allow if resource.shared_with.has(subject.id)
  deny if resource.archived
}

policy "billing:*" {
  allow if subject.role in ["admin", "billing"]
}

Verify a session in five lines.
SDKs for the languages you ship in. Same primitives, same shape, same docs. No ten-call dance to get a user id.

import { authaz } from "@authaz/server";

export async function GET(req: Request) {
  // Verify the session from the Authorization header.
  const session = await authaz.sessions
    .verify(req.headers.get("authorization"));

  // No session: reject with 401 and an empty body.
  if (!session) return new Response("", { status: 401 });

  // Return the subject, organization, and roles from the verified session.
  return Response.json({
    user: session.subject,
    org: session.org,
    roles: session.roles,
  });
}

{
  "user": {
    "id": "usr_01HZX7...",
    "email": "val@acme.com",
    "verified": true
  },
  "org": {
    "id": "org_acme",
    "slug": "acme",
    "plan": "enterprise"
  },
  "roles": ["admin", "billing"]
}

Ship with the audit trail security asks for.
Every session, challenge, policy decision, and admin action: immutable, filterable, exportable to your SIEM.
Make it yours
Custom domain, custom branding, buyer-provided IdPs: every login page feels like part of your customer's product, not a vendor stopover.
Login · Your brand
Welcome back
Sign in to your account
Powered by Authaz
Custom Domain
CNAME to your subdomain. SSL and renewals handled for you.
Buyer IdPs
Plug in Microsoft Entra, Google Workspace, SAML or OIDC, whatever your buyer brings.
Custom Logo
Upload your brand logo for login pages, emails, and consent screens.
Brand Colors
Match your primary and accent colors across all auth UI.
Email Templates
Fully customizable verification, welcome, and reset emails.
Hosted Login
Branded universal login page with your domain and styles.
"We shipped SSO for our top three enterprise deals in a week. The IT checklists stopped being the bottleneck."
"Authaz is the first auth vendor whose docs matched what the SDK actually does. That alone saved us a sprint."
"We passed our SOC 2 audit without writing a single custom audit-log line. Every question had an Authaz export for it."
Built for the next ten thousand tenants. From the first signup to the enterprise renewal.