Authr
Platform

One fabric for every identity decision

Authentication, authorization, provisioning, and audit — designed as one system, because your attackers treat them as one system.

Token inspectorsignature valid · EdDSA
eyJhbGciOiJFZERTQSIsImtpZCI6ImF1XzIwMjZfcTMi.eyJzdWIiOiJ1c3JfOGZ2M2siLCJvcmciOiJvcmdfbWVyaWRpYW4iLCJyb2xlcyI6WyJhZG1pbiJd.Zx2vKq81QmVYh3nD…
{
"sub": "usr_8fv3k",
"org": "org_meridian",
"roles": ["admin"],
"amr": ["passkey"],
"exp": 1783020600
}
Universal SSO

Every IdP your buyers run. One integration on your side.

SAML, OIDC, and the on-prem directories that never made it to a slide deck. Your customers' IT teams onboard themselves through a guided portal — your engineers never see another metadata XML.

  • Self-serve connection portal, white-labeled to your product
  • Automatic attribute mapping with drift detection
  • IdP-initiated and SP-initiated flows, per-connection policy
New connection · Meridian Bankself-serve for your customer's IT team
Choose provider
Exchange metadata
3Map attributes
4Test & go live
Attribute mapping
user.emailNameID (email)auto-detected
user.groupsmemberOfauto-detected
user.employee_idurn:oid:2.16.840…auto-detected
Directory Sync

The org chart is alive. Stay synchronized with it.

SCIM 2.0 provisioning built for six-figure directories: joiners productive in their first hour, leavers locked out before their badge stops working.

  • Real-time provisioning, deprovisioning, and group mapping
  • Conflict reconciliation for the org charts that lie
  • Instant session revocation on offboarding events
Directory sync · northcell.net112,406 users in sync
Joiners today
214
provisioned in <60s
Movers today
89
roles re-derived
Leavers today
47
sessions revoked instantly
09:41:22PATCH/scim/v2/Users/na84hdept: Fixed Income → Treasury
09:41:19POST/scim/v2/Usersj.osei@northcell.net
09:41:16DELETE/scim/v2/Users/mm201offboarded · 3 sessions killed
Adaptive MFA

Challenge the 5% that matter. Never the other 95.

Passkeys as the default, risk signals as the gatekeeper. Device posture, network reputation, travel feasibility, and behavioral baselines decide when to step up — your users mostly never notice us.

  • Passkeys, TOTP, hardware keys, and push — per-policy
  • Risk engine tuned on billions of authentications
  • Step-up hooks for your most sensitive in-app actions
Step-up policy · productionchallenge rate: 5.4% of logins
New device + payroll scopeRequire passkey1.2%
Impossible travelBlock + notify SOC0.01%
Known device, low-risk scopeNo challenge94.6%
Session age > 12h on adminRe-verify4.2%
Fine-Grained Authorization

Who can do what — as code, not tribal knowledge.

Relationship-based access control with a declarative policy language, versioned deploys, reviewers, and a playground. Answered at the edge in single-digit milliseconds.

  • Roles, relationships, and resource-level permissions
  • Policy versioning with approvals and instant rollback
  • Batch checks and list-filtering APIs for your UI
policy/finance.authrdeployed 4m ago · v218
model finance {
  type report {
    relation owner: user
    relation team: group
    permission export = owner | team.lead | org.controller
  }
}

# playground
? can l.brandt export report:q3-forecast
✓ ALLOW — via team.lead (treasury) · evaluated in 4ms
Session Intelligence

See every session. End any of them. Right now.

A living map of every human and machine session across your product — with device posture, anomaly flags, and revocation that propagates globally in under a second.

  • Org-wide session search with sub-second revocation
  • Device fingerprinting and posture signals
  • Anomaly detection wired to your SOC's pager
Active sessions · org_meridianRevoke all ⌘⇧R
r.alvarez
d.kim
svc-billing
a.novak
Audit Fabric

When the auditor asks, the answer is a query.

Every identity event, hash-chained and immutable, queryable for seven years, streaming to your SIEM in real time. Evidence, not archaeology.

  • Cryptographically verifiable event chain
  • Native exporters: Splunk, Datadog, S3, Snowflake
  • Per-event actor, IP, device, and policy context
Audit fabric
actor:priya@…event:policy.*Export → Splunk
evt_9f2k1policy.version.deployedpriya@authr-demo.comv218
evt_9f2k0policy.check.deniedsvc-externalreport:q3 · missing team.lead
evt_9f2j9policy.draft.approvedd.okafor@authr-demo.com2 reviewers
chain verified · sha256:8c1e…a94f · 61,204,118 events · zero gaps
Authr for AI Agents

Your newest users aren't human. Govern them anyway.

Scoped, expiring, fully-attributed credentials for AI agents acting on behalf of your users — with hard ceilings, human escalation, and an audit trail that answers 'who let the agent do that?'

  • Delegated grants bound to a human principal
  • Scope and spend ceilings enforced at the token layer
  • Automatic escalation when an agent leaves its lane
Agent grant · procurement-copilotnon-human identity
Acting forl.brandt@meridian.com
Scopesinvoices:read · po:draft
Expiry15 minutes, sliding
Spend ceiling$2,500 / task
Every act, attributed
agent.task.started on behalf of l.brandt
invoices.read ×34
po.approve — outside grant, escalated to human

Running in production at

MERIDIAN
halcyonhealth
northcell
Vantage
POLARIS
COPPERLINE
Ardent®
bluepeak
Ostrava
FERROSTATE
MERIDIAN
halcyonhealth
northcell
Vantage
POLARIS
COPPERLINE
Ardent®
bluepeak
Ostrava
FERROSTATE

See the whole fabric, on your own stack

Bring your architecture diagram. Our identity architects will map every box on it to a migration plan — on the first call.

Enterprise only · No self-serve tier · Typical procurement to production: 6 weeks