Authorization models
RBAC where it fits. ReBAC where it scales. One engine for both.
RBAC
Roles and permissions per organization. Map cleanly to product UI and procurement requirements.
ReBAC
Relationships drive access — owner, member, shared-with — without modeling every edge case as a role.
Org-scoped policy
Every check carries tenant context by default. No cross-org leakage from a misplaced where clause.
Step-up enforcement
Require re-verification before privileged actions. Tied to policy, not bolted on as middleware.
Primitives
Decisions in milliseconds. Audit in real time.
p99 decision latency under 5ms
Authorization checks colocated with auth. Sub-50ms globally, sub-5ms regionally.
Decision log
Every allow / deny is logged with subject, action, resource, and rule. Stream to your SIEM.
Policy as code
Declarative rules you can version, review, and migrate. No bespoke runtime hacks.
Test in CI
Run policy unit tests against fixtures. Catch regressions before they hit production.
Why now
Most auth platforms stop at login.
Authorization is the part of identity that compounds with your product complexity. Roles, scopes, and per-tenant rules end up scattered through middleware, conditional checks, and Notion docs. Authaz pulls them back into the platform — managed, audited, and the same in dev and prod.