— 01
Orgs and teams
Multi-tenant from the first row. Every record is scoped to an org. No "tenant_id everywhere" refactor when you sign your first big customer.
The user table,
already shipped.
Orgs, members, roles, invites, and SCIM provisioning — every primitive your B2B product needs, ready before your first customer signs.
AUTHAZ · IDENTITY · 2026VERIFIED
VM
Val Marshuser_01HZX9VM
EMAIL
val@acme.com
TENANT
acme
TEAM
engineering
SOURCE
scim · okta
JOINED
2024-08-12
MFA
totp · webauthn
ROLES · 4
owneradminbilling-admindeveloper
MEMBERSHIP · LIVE FEED17:42
↻17:42:11kim@acme.com joinedvia okta scim
+17:41:08invited oliver@acme.combilling
~17:38:42rod: developer → adminby val
↻17:31:00attribute sync14 users
−17:24:55former@acme.com deactivatedscim drift
+16:12:30team platform created8 members
MAU
142
CHANGES · 24H
38
SCIM DRIFT
0
Primitives
Built for B2B from day one. No retrofitting required.
Most apps start single-tenant and pay later. Authaz starts with the shape your enterprise customers will ask for — orgs, teams, and roles, scoped down to API calls.
— 02
Roles and permissions
RBAC out of the box, with custom roles and permissions. Decisions in <2ms p99, audited automatically.
— 03
Invites and onboarding
Email invites, accept flows, and welcome screens — branded for each tenant, hosted by us.
What's inside
Everything your B2B model expects.
— 01
Org-scoped roles, with custom permissions.
Use the built-in roles or define your own. Permissions resolve at the API layer in under 2ms — same call, every endpoint.
- owner · admin · developer · billing-admin · guest
- custom roles per org
- permission inheritance across teams
OW
owner
AD
admin
DV
developer
BL
billing-admin
GU
guest
— 02
Invites that look like part of your product.
Magic-link invites with your logo, your domain, your copy. Users land in their org — not a vendor login page.
- CNAME to your domain
- custom email templates
- auto-join on verified domains
A
You're invited to Acme
Val Marsh added you to Acme · Engineering as a developer. Accept the invite to get set up.
Accept invite →
— 03
SCIM 2.0 — push members from any IdP.
Okta, Azure AD, Google Workspace, JumpCloud, Rippling. New hire on Monday is a member by Tuesday. Departure flows revoke everywhere.
- user provisioning + de-provisioning
- group → role mapping
- attribute sync to your app
scim · okta workforce● 17:42:11 sync
+kim@acme.com
+oliver@acme.com
~rod@acme.com
−former@acme.com
3 added · 1 changed · 1 removedauto-applied
API
Five lines from create org to first member.
Same shape across orgs, members, roles, invites. No three-call dance to add someone to a team.
POST /v1/orgs/:id/members200 · 41ms
await authaz.orgs.addMember("org_acme", {
email: "kim@acme.com",
role: "developer",
team: "engineering",
invite: true,
});
Spec
The fine print, up front.
Org primitives
orgs · members · teams · roles · invites · domains
Provisioning
SCIM 2.0 · push from Okta, Azure AD, Workspace, Rippling, JumpCloud
Custom roles
unlimited per org · per-resource permission grants
Invites
email · magic link · domain auto-join · expiring tokens
Decision latency
p50 0.8ms · p99 1.4ms · global edgeAudit
every membership change logged · exportable to S3, Datadog, your SIEM
Pricing model
per monthly active user · no charge for guests
Pairs with
One platform. Every primitive.
Every Authaz product shares the same primitives — sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.
01 · ORGANIZATION MANAGEMENT
Organization Management
Manage members, access, and tenant-level settings.
Read more →
02 · AUTHENTICATION FLOWS
Authentication Flows
Password, magic code/link, and social login out of the box.
Read more →
03 · RBAC & PERMISSIONS
RBAC & Permissions
Role-based access controls for customer and admin surfaces.
Read more →
Get started
Skip the user table. Ship the product.
Multi-tenant orgs, roles, invites, SCIM — production-ready in an afternoon.