The foundation of
authorization is
Authly gives developers a scalable foundation for authentication, role-based access control, and tenant management.
Authenticating multi-tenant SaaS is hard
Enforcing tenant scopes, verifying signatures, and managing 15-minute token lifespans leaves rooms for security holes.
Multi-tenant Pollution
Without strict boundaries, single database instances risk cross-tenant leaks. Authly enforces tenant separation at the header level.
Short-lived Token Gaps
Handling token expiration securely requires seamless silent refreshes. Authly sets secure, httpOnly cookies automatically.
Verification Overhead
Calling authentication databases on every API request increases latency. Authly solves this using lightweight JWT verification.
Unified Tenant Identification
Identify your application tenant securely on user routes using public-key headers. Allow the same user email to exist safely across isolated applications.
- Explicit header-based tenant verification using
x-public-key. - Short-lived access tokens (15 mins) combined with httpOnly refresh cookies.
- Full support for both JWT and Session-based applications.
# Authenticating user under specific tenant app...
$ curl -X POST http://localhost:3000/api/auth/login \
-H "x-public-key: pk_58c21a94e..." \
-H "Content-Type: application/json" \
-d '{"email": "jane@acme.com", "password": "••••••••"}'
{
"status": "success",
"accessToken": "eyJhbGciOiJSUzI1NiIs..."
}
✓ User authenticated. Set userRefreshToken cookie.
From admin registration to client login
Admin Onboarding
Register administrators via /register-admin and create isolated SaaS applications via /create-app.
Tenant Operations
Use application public keys in x-public-key headers to handle isolated registration and logins.
Continuous Refresh
Use secure cookies to perform silent refreshes, automatically resolving token expirations.
Direct API integration
Use standard HTTP libraries to call Authly. Securely request current profiles with Bearer auth and identify tenants with custom public-key headers.
// Fetch current user details with tenant public-key headers
const response = await fetch("http://localhost:3000/api/auth/me", {
method: "GET",
headers: {
"Authorization": `Bearer ${accessToken}`,
"x-public-key": "pk_my_app_public_key"
}
});
const data = await response.json();
if (data.status === "success") {
console.log(`Logged in as ${data.user.email}`);
}Hardened SaaS authentication features
Header Tenant Routing
Identifies and partitions user databases using shareable x-public-key headers.
15-minute Token Lifespan
Minimizes security exposure windows using short-lived cryptographically signed access tokens.
Cookie Silent Refresh
Automatically fetch new access tokens in background via secure, httpOnly userRefreshToken cookies.
Universal Logout Mechanism
Immediately clears token cookies, blacklists refresh tokens in Redis for 24h, and rejects active access tokens.
Ready to integrate Authly?
Follow the api specifications. Plug in tenant authentication and build secure products with speed.