- Identity Boundaries: Dedicated Realms for Internal, Partner, and Customer populations.
- Federation Engine: Native support for OIDC, SAML, and OAuth providers (Okta, Google, GitHub).
- Multi-Credential Principals: Single identities supporting Passwords, SSO, and API Keys simultaneously.
- Verified XIDs: Multi-identifier tracking (Email, Phone, Username) with verification lifecycle.
- Realm-Level Policies: Independent MFA requirements, password strength, and registration flows per Realm.
- Session Diversity: Native tracking for Web, Mobile, CLI, and long-lived API sessions.
- Device Fingerprinting: Metadata tracking for OS version, browser engine, and trusted status.
- Geo-Intelligence: IP-based city/country tracking with VPN detection and risk scoring.
- Dual Expiration: Independent idle-timeout and absolute-timeout enforcement.
- Security Context: Real-time tracking of
auth_strength and MFA completion status.
- Action Code Syntax: Standardized character actions (
r, w, d, x, s, a, n, q, l, *). - Path-Based Tags: Hierarchical resource addressing with terminal and segment wildcards.
- Grants-First Engine: All permissions flow through Groups, eliminating individual user logic.
- DENY Overrides: Explicit DENY effect that overrides ALLOW at the same or higher specificity.
- Resource Constraints: IP-range, time-of-day, and day-of-week conditional access.
- Logical Isolation: Infinite Organization support with hard data/logic boundaries.
- Namespace Depth: Sub-tenant divisions (
ns_main) for environment and regional isolation. - Domain Mapping: Map Host/Paths to specific Orgs, Realms, and branding configurations.
- Data Residency: Region-specific routing for GDPR and other compliance frameworks.
- Dynamic Branding: Domain-level logo, color, and support email customization.
- Immutable Audit: Full-trace logging of authentication, resource access, and grant changes.
- Separation of Duties: Mutually exclusive role detection to prevent privilege conflicts.
- Review Lifecycle: Scheduled access reviews with mandatory
reviewed_by and risk flags. - Delegation Control: Controlled permission delegation with depth limits and expiration.
- Regulatory Mapping: Native constructs for SOC 2, ISO 27001, HIPAA, and GDPR.
- API-First Design: 100% of functionality exposed via RESTful endpoints.
- Idempotent Provisioning: Atomic "upsert" patterns for safe infrastructure-as-code deployments.
- Context Injection: Security context required for every service-layer transaction.
- Global Admin Flow: Dedicated "Crown" bootstrap for system-wide root administration.
- Scalable Storage: PostgreSQL and CockroachDB compatibility for global deployments.