Auth infrastructure

    Ship production auth
    in a weekend, not a quarter.

    One SDK. Every auth method. Works for your first user and your biggest enterprise deal.

    SESSION.CREATED  sess_01HZX8Q3F9BV — 4.2s ago
    tenant:acme

    SSO login complete — SAML for val@acme.com

    +0.00s  SAML assertion received
    +0.02s  Signature verified (RS256)
    +0.04s  Attributes mapped → claims
    +0.08s  Policy check: member:acme
    +0.11s  JWT issued, session persisted
    jwt · header.payload
    {
      "iss": "acme.authaz.com",
      "sub": "usr_01HZX7...",
      "aud": "acme-web",
      "org": "org_acme",
      "roles": ["admin","billing"],
      "amr": ["saml","mfa"],
      "exp": 1773292800
    }
    saml-2.0 · okta · mfa:totp · jwt:rs256 · audit:logged

    Auth that gets out of your way. Login, permissions, and audit — built in, not bolted on. From your first commit to your first enterprise contract.

    Production auth in hours, not sprints.

    Drop in the SDK. Ship login. Add SSO, passkeys, and MFA when you need them. No SAML project. No sprint planning.

    Security reviews already answered.

    Audit trail, SOC 2-ready logs, tenant-scoped access — shipped with every integration. When enterprise IT asks, you already have the evidence.

    Scales from one user to one million.

    Multi-tenant by default. RBAC that grows with your product. No migration cliff when your biggest customer signs.

    Every way to log in. From day one.

    Password, passkey, magic link, OAuth, SAML, MFA, M2M keys, and agent identities — one API, one audit trail, one place to configure.

    Auth Methods · Live
    Social & Enterprise
      Google OAuth      38,210
      SAML SSO          21,890
    Passwordless
      Passkey           9,104
      Magic code        4,560
      Authenticator     6,332
    Password & OTP
      Password          12,840
      SMS OTP           3,011
      WhatsApp OTP      1,204
    Machine
      M2M / API keys    512k/day
      Device code       287
      Agent identity    new
    acme.authaz.com / sign-in
    Continue with SSO
    Continue with Google
    Continue with passkey
    Email me a code
    Detected IdP: okta
    Methods
    Passkeys
    Enterprise SSO
    MFA
    Agent identity

    Authorization in one file.

    Write your rules as code. Enforce them everywhere. Read the decision log when something goes wrong — no custom middleware.

    policy.zs  ● live
    policy "doc:edit" {
      allow if subject.role == "admin"
      allow if subject.id == resource.owner
      allow if resource.shared_with.has(subject.id)
      deny  if resource.archived
    }
    
    policy "billing:*" {
      allow if subject.role in ["admin", "billing"]
    }
    decisions · live  p99 1.4ms
    allow  doc:edit     just now
    allow  doc:read     1s ago
    deny   billing:pay  2s ago
    allow  org:invite   4s ago
    allow  doc:share    6s ago
    deny   admin:kick   9s ago
    Z* Policies
    RBAC
    Tenant scope
    Decision log

    Verify a session in five lines.

    SDKs for the languages you ship in. Same primitives, same shape, same docs. No ten-call dance to get a user id.

    app/api/me.ts
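    import { authaz } from "@authaz/server";

    export async function GET(req: Request) {
      // Verify the session from the Authorization request header.
      const session = await authaz.sessions
        .verify(req.headers.get("authorization"));

      // No session came back: answer 401 and return no user data.
      if (!session) return new Response("", { status: 401 });

      // Return the subject, org and roles carried by the verified session.
      return Response.json({
        user: session.subject,
        org:  session.org,
        roles: session.roles,
      });
    }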
    response · 200 ok  37ms
    {
      "user": {
        "id": "usr_01HZX7...",
        "email": "val@acme.com",
        "verified": true
      },
      "org": {
        "id": "org_acme",
        "slug": "acme",
        "plan": "enterprise"
      },
      "roles": ["admin", "billing"]
    }
    ts · go · python · rust · elixir
    TypeScript
    Go
    Python
    Rust

    Every action logged. Nothing to build.

    Sessions, challenges, policy decisions, admin actions — immutable, filterable, exportable. Your SIEM, your S3, your choice.

    filter  tenant:acme  event:SESSION.*  result:*  ● streaming
    time          event               actor           tenant  res
    17:42:11.204  SESSION.CREATED     val@acme.com    acme    ok
    17:42:09.819  MFA.CHALLENGED      val@acme.com    acme    ok
    17:41:58.002  POLICY.DENIED       rod@acme.com    acme    deny
    17:41:44.556  IDP.CONNECTED       admin@acme.com  acme    ok
    17:41:31.100  AGENT.TOKEN_ISSUED  svc:codex       acme    ok
    17:41:12.784  SESSION.REVOKED     sam@acme.com    acme    ok
    17:40:59.003  PASSWORD.CHANGED    lee@acme.com    acme    ok
    Audit
    Immutable log
    SIEM export
    Tenant filter
    SOC 2-ready logs

    Make it yours

    Custom domain, custom branding, buyer-provided IdPs — every login page feels like part of your customer's product, not a vendor stopover.

    Login · Your brand

    Welcome back

    Sign in to your account

    Sign in

    Powered by Authaz

    Custom Domain

    CNAME to your subdomain. SSL and renewals handled for you.

    Buyer IdPs

    Plug in Microsoft Entra, Google Workspace, SAML or OIDC — whatever your buyer brings.

    Custom Logo

    Upload your brand logo for login pages, emails, and consent screens.

    Brand Colors

    Match your primary and accent colors across all auth UI.

    Email Templates

    Fully customizable verification, welcome, and reset emails.

    Hosted Login

    Branded universal login page with your domain and styles.

    Changelog

    Apr 15 2026
    Agent-scoped sessions
    Scoped tokens and audit trails for AI agents.
    Apr 09 2026
    Device-bound passkeys
    Require hardware keys for admin-tagged actions.
    Apr 02 2026
    Tenant-aware audit export
    Per-tenant streams to S3, Datadog, or your SIEM.
    Mar 26 2026
    One-click SAML IdP setup
    Self-serve flow for buyer-provided IdPs.
    "I had SSO, passkeys, and MFA live by Sunday afternoon. I was building a product, not an auth system."
    Indie founder
    B2B SaaS
    "Authaz is the first auth vendor whose docs matched what the SDK actually does. That alone saved us a sprint."
    Staff engineer
    Dev-tools company
    "A Fortune 500 prospect asked for SAML SSO and a SOC 2-ready audit trail on the same call. We said yes to both. Shipped in three days."
    CTO
    Series B SaaS
    by the numbers
    < 50ms
    auth decision, p99 globally
    11+
    auth methods, one API
    SOC 2
    type II, on the roadmap

    From your first user to your ten-thousandth tenant. No rewrites along the way.

    Stop building auth.
    Start shipping your product.

    Join developers who went from zero to production auth in a weekend.

    No spam, ever.

    Early access
    Launch benefits
    Priority support
    Startup program — free for 12 months up to 100k MAU
    Waitlist open — early-access rollouts weekly