```
$ authaz policy-eval \
    --actor=user_8f1c \
    --org=org_acme \
    --action=billing.invoices.read \
    --trace
[trace] resolve_identity ........... OK
[trace] resolve_org_context ........ OK org=org_acme
[trace] load_role ................. tenant_admin
[trace] evaluate_policy ........... MATCH rule=billing.read
[trace] scope_check ............... SCOPED boundary=tenant_only
[trace] emit_audit_event .......... OK
DECISION: ALLOW (2.1ms) request_id=req_a7c3f9e1
```

| Role | Member Ops | Billing | Security Policy | Platform Controls |
|---|---|---|---|---|
| support | READ | DENY | DENY | DENY |
| tenant_admin | ALLOW | SCOPED | DENY | DENY |
| security_admin | SCOPED | DENY | ALLOW | DENY |
| platform_admin | ALLOW | SCOPED | ALLOW | ALLOW |
Fine-grained permissions with sub-millisecond latency. RBAC, ABAC, and policy-based access control for modern applications.
Built for real-world authorization
Multi-tenant SaaS
Isolate customer data with tenant-aware policies. Each organization sees only its own resources.
Role hierarchies
Complex RBAC with inheritance. Admins inherit editor permissions automatically.
Feature flags
Permission-based feature access. Gate features by plan, role, or custom attributes.
API authorization
Protect endpoints with fine-grained rules. Scope API keys to specific resources.
```javascript
// Check a permission
const result = await authaz.rbac.check({
  actor: "user_8f1c",
  org: "org_acme",
  action: "billing.invoices.read",
});

if (!result.allowed) throw new Forbidden();

// result.trace available in dev mode
// result.scope = "tenant_only"
// result.latency = "2.1ms"
```

```javascript
// Assign a role to a user
await authaz.rbac.assignRole({
  userId: "user_8f1c",
  orgId: "org_acme",
  role: "tenant_admin",
});

// List effective permissions
const perms = await authaz.rbac.listPermissions({
  userId: "user_8f1c",
  orgId: "org_acme",
});
// => ["members.read", "billing.read", ...]
```
Declarative policy definitions
Define roles with inheritance in YAML. Deploy policies without code changes. Hot-reload without restarts.
```yaml
# Define roles with inheritance
roles:
  admin:
    inherits: [editor]
    permissions:
      - documents:delete
      - users:manage
  editor:
    inherits: [viewer]
    permissions:
      - documents:edit
      - documents:create
  viewer:
    permissions:
      - documents:read
```
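How inherited permissions can be resolved from a role definition like the one above, as an added example that is not Authaz's own code. The function names `effectivePermissions`, `isAllowed` and `validatePolicy` are hypothetical, and the `roles` object is the YAML transcribed by hand into JavaScript.

```javascript
// Added example: role data transcribed from the YAML policy above.
const roles = {
  admin:  { inherits: ["editor"], permissions: ["documents:delete", "users:manage"] },
  editor: { inherits: ["viewer"], permissions: ["documents:edit", "documents:create"] },
  viewer: { permissions: ["documents:read"] },
};

// Return the Set of permissions a role holds, including inherited ones.
// Unknown roles and inheritance cycles throw, so a broken policy file is
// rejected instead of silently granting or dropping access.
function effectivePermissions(defs, role, path = []) {
  // Own-property check: names like "constructor" must not resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(defs, role)) {
    throw new Error(`unknown role: ${role}`);
  }
  // Tracking the current path (not a global visited set) keeps diamond
  // inheritance legal while still catching true cycles.
  if (path.includes(role)) {
    throw new Error(`inheritance cycle: ${[...path, role].join(" -> ")}`);
  }
  const def = defs[role];
  const perms = new Set(def.permissions ?? []);
  for (const parent of def.inherits ?? []) {
    for (const p of effectivePermissions(defs, parent, [...path, role])) {
      perms.add(p);
    }
  }
  return perms;
}

// Deny by default: a resolution error or a missing permission is a deny.
function isAllowed(defs, role, permission) {
  try {
    return effectivePermissions(defs, role).has(permission);
  } catch {
    return false;
  }
}

// Resolve every role once, e.g. before accepting a hot-reloaded policy.
function validatePolicy(defs) {
  const errors = [];
  for (const role of Object.keys(defs)) {
    try { effectivePermissions(defs, role); } catch (e) { errors.push(e.message); }
  }
  return errors;
}
```

Running `validatePolicy` before a reload takes effect keeps a cyclic or dangling `inherits` entry from reaching the evaluation path, where `isAllowed` would otherwise deny every request for the affected roles.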
Every decision requires actor + org + action context.
API and dashboard checks run the same policy engine.
Permission changes are recorded with actor and reason.
Tenant isolation is enforced at evaluation, not just UI.