The Identity Control Plane

Your brand. Your login.
Your users' entire access — one place.

White-label login that looks like yours. A portal where users see every app, cloud, server, and database they can access. One identity. Everywhere.

Get started free See how it works

Free for 5,000 users · No credit card · Live in 5 minutes

Your branded login
login.acme.com
A
Acme Corp
Sign in to your account
Email
alice@acme.com|
Continue
or
Continue with Google
Continue with Microsoft
Your brand. Your domain. Zero AuthFI fingerprints.
What your users see after login
portal.authfi.app
AuthFI
AuthFI
My Access
AJ
Applications SSO
DB
Dashboard
AP
Admin Panel
Grafana
Jira
Gmail
GitHub
Confluence
GitLab
Private Apps Agent
IW
Internal Wiki
wiki.internal
JC
Jenkins CI
ci.internal
PG
Postgres Admin
pgadmin.internal
LE
Legacy ERP
erp.internal
Cloud Consoles Connect
AWS Production
PowerUserAccess
Open Console
Google Cloud
Editor
Open Console
Azure
Contributor
Open Console
Servers PAM
prod-api-01
Ubuntu 22.04 · sudo
prod-api-02
RHEL 9 · read-only
staging-01
Ubuntu 22.04 · sudo
db-primary
Postgres 16 · SELECT
Sound familiar?

The identity mess. And how AuthFI fixes it.

R
Raj, DevOps Lead
IT / DevOps

"Every time someone joins, I spend 30 minutes in 6 dashboards."

AWS IAM, GCP console, Okta, SSH key generation, VPN setup, Slack permissions. Each system has its own user directory. Nothing syncs automatically.

AuthFI

Add to one AuthFI group. All 10 layers — app, 4 clouds, servers, database, network, mesh — update in 2 seconds. Zero manual setup.

S
Sarah, Security Engineer
Security

"A contractor still had GCP admin access 3 weeks after leaving."

HR disabled their Okta account. But someone forgot to revoke GCP access. SSH keys were still on 12 servers. They downloaded customer data from S3 two days after leaving.

AuthFI

One revoke in AuthFI. Locked out of app, all 4 clouds, all servers, all databases, entire network. 2 seconds. Audit trail proves exact revocation time.

J
James, VP Sales
Sales

"We lost a $200K deal because we couldn't do SAML in time."

Enterprise customer required SAML SSO. Auth0 charges $150/connection. Engineering said 2 months to build. Competitor closed the deal while we were still scoping.

AuthFI

Enable SAML from the AuthFI dashboard. Configure in 10 minutes. Domain routing auto-detects the IdP. $59/mo, not $150/connection. Deal closes this week.

Where we sit in your stack

Auth, SSO, cloud, servers, network.
One identity — all the way down.

Other platforms handle login and stop. AuthFI does SSO with group sync, SCIM directory from Okta/Entra/Google, federates into 4 clouds, enforces at the kernel with eBPF, and encrypts your mesh with WireGuard. Same token everywhere.

7
L7 Application
AuthFI SDKsOAuth2 / OIDCWhite-label LoginPAM (SSH)SCIM SyncLDAP BridgeConnect SSODB Auth
6
L6 Presentation
AuthFI JWT Signing (RS256)SAML ParsingOIDC Token ExchangeToken Encryption
5
L5 Session
AuthFI Session ManagementMFA FlowsToken RotationOAuth2 Code FlowConsent
4
L4 Transport
AuthFI eBPF Agent ~45μsJWT at KernelAPI DiscoveryRate Limiting
3
L3 Network
AuthFI WireGuard MeshEncrypted TunnelsIP PoliciesPrivate Access
2
L2 Data Link
Not AuthFI — your hardware
1
L1 Physical
Not AuthFI — your hardware
Terraform IaC L3–L7
AI / NL Policies L3–L7
Observability L3–L7
See how authentication works →
Features

AuthFI Features

AuthFI Core

Authentication, SSO, RBAC, white-label, SDKs, Terraform.

6 auth methods
7 SDKs + REST API
SAML + OIDC + LDAP
Roles & permissions
White-label branding
Terraform provider
Learn more →
manage.authfi.app
Login Experience
login.acme.com
A
Sign in to Acme Corp
Email
alice@acme.com
Continue
or
Google
Microsoft
MFA · Passkeys · Magic Links · SAML · OIDC
AuthFI Desktop Coming soon

Install. Login once. Every site works.

AuthFI Mobile Coming soon

Enterprise private apps on Android & iOS.

AuthFI CLI Coming soon

Manage identity from the terminal.

How it works

One group.
Everything changes.

Define a group once. It controls app access, cloud IAM, server SSH, database connections, network policies, and encrypted mesh — simultaneously.

Alice leaves? Remove from group → locked out of apps, all clouds, all servers, all databases, all network access. 2 seconds.

AuthFI Console
manage.authfi.app
IDENTITY
Users
Groups
Organizations
ACCESS
Applications
Roles
Policies
SECURE
eBPF Access
Cloud Access
Groups / Engineering
E
Engineering
Security group · 42 members
Active
Members (42)
A
Alice Johnson alice@acme.com
Lead
B
Bob Chen bob@acme.com
Senior
C
Carol Davis carol@acme.com
Mid
D
David Kim david@acme.com
Junior
+ 38 more
Assigned Roles (5)
app:developer
read:userswrite:codedeploy:staging
cloud:power-user
aws:PowerUsergcp:Editorazure:Contrib
server:ssh-sudo
ssh:prod-*sudo:restartlogs:read
db:read-write
pg:SELECTpg:INSERTpg:UPDATE
mesh:full-access
wg:stagingwg:proddns:*.internal
App Access (4)
Dashboard SPA
Grafana SAML
GitLab OIDC
Jira SAML
AuthFI Connect (3)
AWS Production PowerUserAccess
GCP Analytics roles/editor
Azure Enterprise Contributor
Server Access — PAM (3)
prod-api-01 Ubuntu 22.04 sudo
prod-api-02 RHEL 9 read-only
staging-01 Ubuntu 22.04 sudo
Private Apps — Agent (2)
wiki.internal Agent Mesh
ci.internal Agent Mesh
Change this group → all 17 resources update in 2s
Add Member Save Changes
Developer experience

Three lines of code. Eight languages.

Permissions auto-sync. Workload identity gives your app cloud credentials without static keys.

const auth = authfi({ tenant: 'acme' });

// Protect routes — permissions auto-sync
app.get('/api/users', auth.require('read:users'), handler);

// Workload identity — cloud creds, no keys
const creds = await auth.cloud('aws');
auth.start();
AuthFI Connect

One login for AWS, GCP, Azure, and OCI.

Click "Open Console" — land inside the right cloud, already authenticated, scoped to your role. Temp credentials. Zero static keys.

Learn more →
AuthFI Connect alice · admin
AWS Production
PowerUserAccess
Open Console →
GCP Analytics
roles/editor
Open Console →
Azure Enterprise
Contributor
Open Console →
OCI Production
ComputeAdmin
Open Console →
AI Agent Auth Protocol

AI agents are identities.
Not API keys.

Your AI agents get their own AuthFI identity via MCP. Scoped permissions, rate limits, and human-in-the-loop approval.

Learn more → MCP docs →
AI Agent Identity
patient-assistant
Owner: dr.smith@hospital.com
Permissions read:patients, write:notes
Denied delete:*, admin:*
Rate limit 100 req/min
Human approval DELETE requires approval
NL Policies

Write access rules
in plain English.

Describe what you want in natural language. AuthFI generates structured policies and enforces them across all layers — app, cloud, server, network.

Learn more →
You write
"Only doctors can access patient records. Nurses can read but not edit. Admin needs MFA for any delete operation."
AuthFI generates
role: doctor
  allow: [read:patients, write:patients, write:notes]

role: nurse
  allow: [read:patients, read:notes]
  deny:  [write:patients]

role: admin
  allow: [delete:*]
  require_mfa: true
✓ Enforced across: App · Cloud · Server · eBPF · Database

How much are you spending on identity?

Enter your monthly costs. See what you'd save with AuthFI.

Savings Calculator

Toggle tools you use. Adjust costs.

Auth0 / Clerk
$ /mo
Okta / Entra ID
$ /mo
Cloud IAM ops
$ /mo
Istio / Envoy
$ /mo
Tailscale / VPN
$ /mo
Datadog / Splunk
$ /mo
Teleport / SSH
$ /mo
Today
$8,600
per month
AuthFI Business
$999
per month
You save
88%
$7,601/mo

$91,212 saved per year

Start saving →
Get AuthFI free for 1 year →

Startups and enterprises qualify. No credit card.

Reliability

Global Infrastructure

4 data regions. 300+ edge locations. Your data stays where you put it. Auth never goes down.

Global Infrastructure
Cloudflare Workers · GCP · Hetzner
🇺🇸 US
us-central1
Ashburn, Virginia
AuthFI Edge (New Jersey)
Operational 12ms
🇪🇺 EU
europe-west1
Falkenstein, Germany
Operational 18ms
🇮🇳 IN
asia-south1
AuthFI Edge (Cuttack, Odisha)
Operational 8ms
🇦🇺 AU Soon
australia-southeast1
Coming soon
How a request flows
👤
User
CF Edge
300+ locations
CF Worker
Routes to region
Backend
Nearest region
Data
Stays in region
99.99% SLA·Auto failover·eBPF <45μs·Zero-downtime
Need a different region? Enterprise — any cloud, any region.

Get started with AuthFI

Free for 5,000 users. No credit card required. Deploy in 5 minutes.

Get started free Contact sales