The foundation of

authorization is

trust

Authly gives developers a scalable foundation for authentication, role-based access control, and tenant management.

01 / THE CHALLENGE

Authenticating multi-tenant SaaS is hard

Enforcing tenant scopes, verifying signatures, and managing 15-minute token lifespans leaves rooms for security holes.

01

Multi-tenant Pollution

Without strict boundaries, single database instances risk cross-tenant leaks. Authly enforces tenant separation at the header level.

02

Short-lived Token Gaps

Handling token expiration securely requires seamless silent refreshes. Authly sets secure, httpOnly cookies automatically.

03

Verification Overhead

Calling authentication databases on every API request increases latency. Authly solves this using lightweight JWT verification.

02 / THE SOLUTION

Unified Tenant Identification

Identify your application tenant securely on user routes using public-key headers. Allow the same user email to exist safely across isolated applications.

  • Explicit header-based tenant verification using x-public-key.
  • Short-lived access tokens (15 mins) combined with httpOnly refresh cookies.
  • Full support for both JWT and Session-based applications.
tenant_verification.sh

# Authenticating user under specific tenant app...

$ curl -X POST http://localhost:3000/api/auth/login \

-H "x-public-key: pk_58c21a94e..." \

-H "Content-Type: application/json" \

-d '{"email": "jane@acme.com", "password": "••••••••"}'

{

"status": "success",

"accessToken": "eyJhbGciOiJSUzI1NiIs..."

}

✓ User authenticated. Set userRefreshToken cookie.

03 / ARCHITECTURE

From admin registration to client login

01

Admin Onboarding

Register administrators via /register-admin and create isolated SaaS applications via /create-app.

02

Tenant Operations

Use application public keys in x-public-key headers to handle isolated registration and logins.

03

Continuous Refresh

Use secure cookies to perform silent refreshes, automatically resolving token expirations.

04 / INTEGRATION

Direct API integration

Use standard HTTP libraries to call Authly. Securely request current profiles with Bearer auth and identify tenants with custom public-key headers.

getUser.js
// Fetch current user details with tenant public-key headers
const response = await fetch("http://localhost:3000/api/auth/me", {
  method: "GET",
  headers: {
    "Authorization": `Bearer ${accessToken}`,
    "x-public-key": "pk_my_app_public_key"
  }
});

const data = await response.json();
if (data.status === "success") {
  console.log(`Logged in as ${data.user.email}`);
}
05 / CAPABILITIES

Hardened SaaS authentication features

Header Tenant Routing

Identifies and partitions user databases using shareable x-public-key headers.

15-minute Token Lifespan

Minimizes security exposure windows using short-lived cryptographically signed access tokens.

Cookie Silent Refresh

Automatically fetch new access tokens in background via secure, httpOnly userRefreshToken cookies.

Universal Logout Mechanism

Immediately clears token cookies, blacklists refresh tokens in Redis for 24h, and rejects active access tokens.

06 / JOIN US

Ready to integrate Authly?

Follow the api specifications. Plug in tenant authentication and build secure products with speed.