Azirid API centralizes authentication, authorization, and identity management on a clear architecture: customer → workspace → app → environment → users. All exposed via REST API /v1.
For CTOs, founders, and backend teams that don't want to rebuild auth on every release.
Current problem vs solution
Problem
Fragmented auth across multiple services without tenant context.
With Azirid
Native model customer → workspace → app → environment → users with real isolation by default.
Problem
Slow onboarding due to scattered login, session, and recovery flows.
With Azirid
Customer Auth + App Auth + magic links + social + passkeys + reset + verify in a single API /v1.
Problem
Operational risk from lack of traceability and fine-grained controls.
With Azirid
Audit logs, global rate limiting, step-up auth, automatic redaction, and end-to-end request-id.
17 integrated modules
From authentication to observability, every module operates within Azirid's multi-tenant model.
Authentication
Customer Auth
Signup, login, refresh, bootstrap, logout
App Auth
End-users per app and tenant
Passkeys / WebAuthn
Biometric authentication FIDO2
Magic Links & Social
Social login, magic links, password reset, verify email
Authorization & sessions
Sessions
List, revoke, revoke-others
RBAC + Step-up
Roles, permissions, and extra verification for sensitive ops
Identity Admin
Advanced administrative identity management
Infrastructure
Workspaces
Logical isolation per organization
Apps + Tenants
Multi-app, multi-tenant with environments
JWKS
Public keys for external JWT verification
API Keys
Create, list, rotate, revoke per app + environment
Operations
Rate Limiting
Global API surface protection
Audit Logs
Traceability of administrative and access actions
Webhooks + Outbox
Consistent events, retries, and DLQ
Crypto Services
Hashing and TOTP
Database / Prisma
Data layer with migrations
Observability
Request-id, structured logging, redaction
Authentication flows
Two separate authentication levels: one for platform administrators and another for end-users of each app.
Customer Auth
Platform administrator authentication
App Auth
End-user authentication per app/tenant
Security & compliance
Every security layer operates within the multi-tenant model without additional configuration.
JWT + JWKS
Signed tokens with key publication via standard endpoint. Verification without coupling.
Global Rate Limiting
Multi-tenant API surface protection with configurable limits per environment.
Step-up Auth
Additional verification for sensitive operations and high-risk changes.
Audit Logs
Complete traceability of administrative and access actions at the identity level.
Automatic Redaction
Sensitive data masked in structured logs. No accidental leaks.
Passkeys / FIDO2
Passwordless authentication with WebAuthn standard. Phishing-resistant.
Multi-tenant architecture
Each customer manages multiple workspaces. Each workspace contains multiple apps. Each app separates development and production for users, sessions, API keys, and access rules.
customer: acme-corp
  workspace: platform-core
    app: billing-portal
      env: development
        → users, sessions, api-keys
      env: production
        → users, sessions, api-keys
API-first DX
RESTful endpoints documented with OpenAPI 3.1. Integrate your product with Azirid in hours.
Hierarchical architecture
customer
└─ workspace
   └─ app
      └─ environment (dev | prod)
         └─ users, sessions, api-keys
API Keys per environment
POST /v1/apps/{appId}/environments/{env}/api-keys
GET /v1/apps/{appId}/environments/{env}/api-keys
POST .../api-keys/{keyId}/rotate
POST .../api-keys/{keyId}/revoke
JWKS endpoint
GET /v1/.well-known/jwks.json
→ { "keys": [{ "kty": "RSA", "use": "sig", ... }] }
Connect your product to Azirid in hours, not weeks.
Documented API, consistent endpoints, and multi-tenant model ready for production.
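How a downstream service can check a token against a JWKS document of the shape shown for the JWKS endpoint above, as an added example (not Azirid's code or SDK). It assumes RS256 signatures and a "kid" field in both the key entries and the token header, neither of which the page states; the key pair, DEMO_JWKS and all function names are constructed for the demonstration.

```python
import base64, hashlib, json

# Constructed demo key (two Mersenne primes); stands in for the provider's key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Expected RS256 encoded message of k bytes (RFC 8017, section 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_demo(header: dict, claims: dict) -> str:
    """Issue a test token with the constructed private key."""
    body = ".".join(b64u(json.dumps(part).encode()) for part in (header, claims))
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa_pkcs1_v15(body.encode(), k), "big"), D, N)
    return body + "." + b64u(sig.to_bytes(k, "big"))

def verify_rs256(token: str, jwks: dict) -> dict:
    """Return the claims if the signature checks out, else raise ValueError."""
    try:
        h64, c64, s64 = token.split(".")
        header, sig = json.loads(b64u_dec(h64)), b64u_dec(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # pin alg
        raise ValueError("unexpected alg")
    key = next((jwk for jwk in jwks["keys"] if jwk.get("kid") == header.get("kid")
                and jwk.get("kty") == "RSA" and jwk.get("use") == "sig"), None)
    if key is None:
        raise ValueError("no matching signing key")
    n = int.from_bytes(b64u_dec(key["n"]), "big")
    e = int.from_bytes(b64u_dec(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if len(sig) != k or em != emsa_pkcs1_v15(f"{h64}.{c64}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(c64))

# Constructed JWKS in the shape the endpoint returns; "kid" is an assumed field.
DEMO_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "demo-1",
                       "n": b64u(N.to_bytes(141, "big")), "e": b64u(E.to_bytes(3, "big"))}]}
```

This covers key selection and signature verification only; expiry, issuer and audience checks depend on claims the page does not document.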
Webhooks and automations
The outbox pattern guarantees transactional consistency of events. Webhooks integrate external systems. Automatic retries and DLQ isolate delivery failures to avoid blocking critical business operations.
Admin panel / Identity Admin
Identity Admin centralizes advanced management of customers, members, tenants, sessions, and access controls. Designed for support and security teams that need complete operational visibility with audit traceability.
Use cases
B2B multi-workspace SaaS
Each customer operates their workspace with their own apps and policies, without mixing identities or data between organizations.
Marketplace with isolated tenants
Isolates users per app/tenant and maintains sessions, roles, and auditing per business context.
B2C product with enterprise operations
Scales social login and passkeys while maintaining security controls, observability, and centralized administration.
Pricing
Final pricing is still being defined, based on volume, support, and compliance requirements.
Starter
To validate your product with customer/app auth and base authentication flows.
Growth
Scale multi-tenant with RBAC, webhooks, API keys, and complete observability.
Enterprise
Advanced controls, dedicated support, and specific security requirements.
Technical FAQ
How does Azirid separate development and production?
Each app defines explicit environments (development | production). API keys, sessions, and controls operate per environment to avoid contamination between testing and production.
Can I verify JWTs outside of Azirid?
Yes. Azirid publishes a standard JWKS endpoint so other services can validate tokens without coupling to the identity backend.
What does Identity Admin cover?
Advanced administrative management of identities, sessions, members, apps, tenants, and operational policies with complete audit traceability.
How does it handle event delivery?
With the outbox pattern for transactional consistency, webhooks for external system integration, and retry + DLQ mechanisms for transient or permanent failures.
Does it include session security?
Yes. It includes list, revoke, and revoke-others, granular RBAC controls, and step-up auth for actions requiring additional verification.
Is it compatible with passwordless?
Yes. It supports passkeys (WebAuthn/FIDO2) and magic links as passwordless authentication methods, combinable with traditional flows.
17 modules, hierarchical architecture, operational security. One API, one contract.