The Identity Control Plane

One identity.
Every access point.
One place to manage it all.

Your team uses AWS, GCP, Azure. Your app has roles and permissions. Your services need protection. Today that's 6+ systems. AuthFI makes it one.

The problem with today's access stack

Without AuthFI — 6+ systems

  • Auth0 / Cognito for app login
  • AWS IAM for cloud access
  • GCP IAM for another cloud
  • Azure AD for a third cloud
  • Istio / service mesh for services
  • Security groups / Calico for network
  • 6 audit trails to reconcile
  • Offboard someone → check all 6

With AuthFI — one system

  • App login + SSO + MFA
  • AWS + GCP + Azure + OCI access
  • Service protection (eBPF)
  • Network-level access control
  • One audit trail for everything
  • Offboard → disable one user → done
  • One policy engine, four enforcement points
  • One dashboard for compliance

Four layers of access control

One role definition controls what a user can do everywhere — in your app, in the cloud, at the service level, and on the network.

📱 App Access

Who can do what in your app?

SDK middleware checks JWT permissions on every API call. Roles, permissions, groups — all in the token.

Enforced by: SDK middleware

☁️ AuthFI Connect

Who can access which cloud?

Map AuthFI roles to AWS/GCP/Azure/OCI IAM roles. Users get temp credentials or console signin.

Enforced by: OIDC federation

🔌 Service Access

Who can call which API?

eBPF intercepts HTTP at the kernel. Validates JWT, checks role, enforces MFA per route.

Enforced by: eBPF (kernel)

🔒 Network Access

What can connect to what?

eBPF controls TCP connections. Only authorized services can reach databases, caches, queues.

Enforced by: eBPF (kernel)

🔄 One role change, one action:

  • 💻 APP: SDK updates
  • ☁️ CLOUD: IAM re-mapped
  • 🔌 SERVICE: eBPF re-enforced
  • 🔒 NETWORK: TCP rules updated
  • 📋 AUDIT: change logged

How it works: one request, four checks

Alice is a doctor. She opens the hospital app. Four access checks happen, all driven by her single AuthFI role, and none of them is visible to her.

// Alice clicks "View Patient Record" in the hospital app

APP LAYER: SDK middleware checks JWT
  auth.require('read:patients')
  Alice has role "doctor" → includes read:patients → ALLOW ✓

SERVICE LAYER: eBPF intercepts HTTP to patient-api:8080
  GET /api/patients/123
  JWT role "doctor" matches policy rule → ALLOW ✓

SERVICE LAYER: eBPF intercepts HTTP to imaging-api:8081
  GET /api/images/xr-456
  JWT role "doctor" matches policy rule → ALLOW ✓

CLOUD LAYER: imaging-api needs X-ray from GCP Storage
  AuthFI maps "doctor" → GCP roles/storage.objectViewer
  Issues OIDC token → exchanges for GCP access_token → ALLOW ✓

4 checks. 1 role. 0 code changes. Alice saw a patient record.

One audit trail

Every access decision across all four layers in one timeline. One export for auditors.

AuthFI Audit Log — Alice Chen — 2026-03-22
10:30:01 LOGIN alice@acme.com   MFA:TOTP   IP:10.0.1.50
10:30:05 APP read:patients   Hospital App
10:30:05 SERVICE patient-api:8080 GET /api/patients/123 [eBPF 45μs]
10:30:06 SERVICE imaging-api:8081 GET /api/images/xr-456 [eBPF 38μs]
10:30:06 CLOUD GCP imaging-prod objectViewer token issued
10:30:07 NETWORK imaging-api → postgres:5432 [eBPF L4]
10:31:00 SERVICE billing-api:8082 POST /api/invoices ✗ DENIED — role "doctor" has no billing access

Revoke access everywhere. One action.

Admin disables Alice

PATCH /manage/v1/acme/users/alice
{ "is_active": false }

What happens

  • App: JWT rejected by SDK — immediate
  • Services: eBPF rejects JWT at kernel — immediate
  • Network: eBPF blocks connections — immediate
  • Cloud: Temp creds expire — < 1 hour
  • vs. today: check AWS + GCP + Azure + app + mesh + network = hours/days

One role. Four enforcement points.

Define a role once in AuthFI. It controls app access, cloud IAM, service policies, and network rules.

Role: doctor
  cloud:
    - AWS hospital-prod → MedicalRecordsRead
    - GCP imaging-prod → storage.objectViewer
  app:
    - read:patients
    - read:records
    - write:notes
  service: (eBPF)
    - patient-api:8080 GET /api/patients/*
    - patient-api:8080 POST /api/patients/*/notes (MFA)
    - imaging-api:8081 GET /api/images/*
    - billing-api:8082 ⊘ no access
  network: (eBPF)
    - postgres:5432 ✓ connect
    - redis:6379 ✓ connect
    - kafka:9092 ⊘ no access
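As an added illustration of how a single role definition like the one above can drive deny-by-default decisions at the app, service and network layers (this is example code, not AuthFI's SDK or policy schema; the dict layout, function names and the MFA flag are assumptions for the example):

```python
import fnmatch

# Constructed policy for the "doctor" role, transcribed from the definition above.
# Layout is an assumption for this example, not AuthFI's real schema.
DOCTOR_ROLE = {
    "app": {"read:patients", "read:records", "write:notes"},
    # (service, HTTP method, path glob, MFA required for this route)
    "service": [
        ("patient-api:8080", "GET", "/api/patients/*", False),
        ("patient-api:8080", "POST", "/api/patients/*/notes", True),
        ("imaging-api:8081", "GET", "/api/images/*", False),
    ],
    # host:port destinations this role's services may open TCP connections to
    "network": {"postgres:5432", "redis:6379"},
}


def check_app(role, permission):
    """App layer: the permission must be present in the role carried by the JWT."""
    return permission in role["app"]


def check_service(role, service, method, path, mfa_done):
    """Service layer: first matching route decides; routes tagged MFA also need a
    completed MFA step. Unlisted services (billing-api:8082) are denied by default."""
    for svc, m, pattern, needs_mfa in role["service"]:
        if svc == service and m == method and fnmatch.fnmatchcase(path, pattern):
            return mfa_done or not needs_mfa
    return False


def check_network(role, destination):
    """Network layer: only listed host:port destinations may be connected to."""
    return destination in role["network"]


def replay(role, events, mfa_done=True):
    """Replay (layer, *args) requests, mirroring the audit timeline above, and
    return one (layer, args, decision) tuple per request."""
    decisions = []
    for layer, *args in events:
        if layer == "APP":
            allowed = check_app(role, *args)
        elif layer == "SERVICE":
            allowed = check_service(role, *args, mfa_done)
        else:
            allowed = check_network(role, *args)
        decisions.append((layer, tuple(args), "ALLOW" if allowed else "DENY"))
    return decisions
```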

No one else has all four

Columns compared: Cloud IAM | App RBAC | Service (L7) | Network (L4)

  • AuthFI
  • Auth0 / Okta (partial)
  • Azure AD (Entra) (Azure only)
  • HashiCorp (Vault + Consul + Boundary)
  • Istio
  • Teleport (partial)

To match AuthFI, you need 3-4 separate products + glue code + separate audit trails.

Available on Free and above. See pricing →

One platform. Every identity layer.
Free to start.

Free for 5,000 users. Upgrade when you're ready.

Start building free →

Startups and enterprises get 1 year free →