authaz policy-eval --trace

$ authaz policy-eval \
    --actor=user_8f1c \
    --org=org_acme \
    --action=billing.invoices.read \
    --trace

[trace] resolve_identity ........... OK
[trace] resolve_org_context ........ OK org=org_acme
[trace] load_role ................. tenant_admin
[trace] evaluate_policy ........... MATCH rule=billing.read
[trace] scope_check ............... SCOPED boundary=tenant_only
[trace] emit_audit_event .......... OK

DECISION: ALLOW (2.1ms)
request_id=req_a7c3f9e1

Permissions as code.

Every decision traced. Every scope enforced. Every change audited.

Free up to 2,000 MAU

Role x Resource Matrix

Role	Member Ops	Billing	Security Policy	Platform Controls
support	READ	DENY	DENY	DENY
tenant_admin	ALLOW	SCOPED	DENY	DENY
security_admin	SCOPED	DENY	ALLOW	DENY
platform_admin	ALLOW	SCOPED	ALLOW	ALLOW

Authorization Engine

Powered by Z*

Fine-grained permissions with sub-millisecond latency. RBAC, ABAC, and policy-based access control for modern applications.

< 0ms

Average decision latency

0M+

Policy evaluations/sec

0.99%

Uptime SLA

Edge

Global deployment

Built for real-world authorization

Multi-tenant SaaS

Isolate customer data with tenant-aware policies. Each organization sees only their resources.

Role hierarchies

Complex RBAC with inheritance. Admins inherit editor permissions automatically.

Feature flags

Permission-based feature access. Gate features by plan, role, or custom attributes.

API authorization

Protect endpoints with fine-grained rules. Scope API keys to specific resources.

check-permission.ts

// Check a permission
const result = await authaz.rbac.check({
  actor: "user_8f1c",
  org:   "org_acme",
  action: "billing.invoices.read",
});

if (!result.allowed) throw new Forbidden();

// result.trace available in dev mode
// result.scope = "tenant_only"
// result.latency = "2.1ms"

assign-role.ts

// Assign a role to a user
await authaz.rbac.assignRole({
  userId: "user_8f1c",
  orgId:  "org_acme",
  role:   "tenant_admin",
});

// List effective permissions
const perms = await authaz.rbac.listPermissions({
  userId: "user_8f1c",
  orgId:  "org_acme",
});
// => ["members.read", "billing.read", ...]

Declarative policy definitions

Define roles with inheritance in YAML. Deploy policies without code changes. Hot-reload without restarts.

SDKs for Node, Go, Python, and Rust

Type-safe policy definitions

Hot-reload policies without restart

Built-in testing and debugging tools

policy.yaml

# Define roles with inheritance
roles:
  admin:
    inherits: [editor]
    permissions:
      - documents:delete
      - users:manage

  editor:
    inherits: [viewer]
    permissions:
      - documents:edit
      - documents:create

  viewer:
    permissions:
      - documents:read

Every decision requires actor + org + action context.

API and dashboard checks run the same policy engine.

Permission changes are recorded with actor and reason.

Tenant isolation is enforced at evaluation, not just UI.

authorization that ships

Stop writing permission spaghetti.

Define roles. Enforce scopes. Trace every decision. Free up to 2,000 MAU.