Permissions managed.
Not hard-coded.
Organize users into groups. Assign roles with fine-grained permissions. Sync directories from Entra ID, Okta, or Google Workspace via SCIM.
Available on Free and above. See pricing
Your identity console
Users, groups, roles -- all managed from one place.
| User | Groups | Roles | Source |
|---|---|---|---|
Alice Chen alice@acme.com | Engineering | admin | SCIM |
Bob Smith bob@acme.com | DevOps | developer | SCIM |
Carol Lee carol@acme.com | Finance | viewer | Manual |
The identity hierarchy
Users
People who access your app. Created via signup, SSO, SCIM, or API.
Groups
Collections of users. Synced from Entra ID or managed manually.
Roles
Named sets of permissions. Assigned to users or groups.
Permissions
Granular actions like read:patients, write:notes.
User: Dr. Alice Chen |-- Direct role: "viewer" -> [read:dashboard] | |-- Group: "doctors" | \-- Role: "physician" -> [read:patients, write:notes] | \-- Group: "oncology-dept" \-- Role: "specialist" -> [read:imaging, order:labs] Effective permissions (union): [read:dashboard, read:patients, write:notes, read:imaging, order:labs]
SCIM sync -- real-time directory
User created in Entra ID? Appears in AuthFI in seconds. Deactivated? Sessions revoked immediately.
Entra ID
SCIM 2.0 provisioning. Users, groups, membership in real-time.
Okta
Push users and groups. Deprovisioning blocks access instantly.
Google Workspace
Org units map to groups. Automatic provisioning.
RBAC that flows everywhere
App layer (SDK)
Permission checks in code. auth.require("read:patients") returns 403 if unauthorized.
auth.require("read:patients")Infra layer (eBPF)
Kernel-level enforcement. JWT roles checked at the packet level. ~45us latency.
POST /api/patients/* roles: [doctor]
Cloud layer (IAM)
Groups map to cloud IAM roles. group:devops -> GCP roles/editor.
group:devops -> roles/editor
Ready to get started?
Free for 5,000 monthly active users. No credit card required.