Heimdall docs
Heimdall.
Authentication and authorisation for multi-tenant products.
This documentation covers everything you need to integrate Heimdall into your application — from first API call to production deployment.
Browse
What you’ll find here
Quickstart
Go from zero to a working auth integration in under ten minutes. Create an App, issue tokens, and verify permissions.
Core concepts
Understand Apps, Users, Roles, Permissions, and Tokens. Learn how Heimdall models multi-tenancy and access control.
API reference
Complete endpoint documentation with request and response examples for every resource in the Heimdall API.
Guides
Step-by-step walkthroughs for common patterns: SaaS onboarding, service-to-service auth, invite flows, and more.
Node.js SDK
Install @productcraft/heimdall for typed sign-in, OAuth (Apple), JWT verification with a built-in JWKS cache, and Passport integration.
Reference
Base URL
https://heimdall.productcraft.co/api/v1
All endpoints are relative to this base URL. Requests must include an Authorization header with a valid bearer token unless otherwise noted.
Authentication
Heimdall issues two types of tokens:
- User tokens (JWT) for authenticating users. Issued on signup or signin, verified locally via JWKS or through the introspection endpoint.
- M2M tokens (JWT) for service-to-service authentication. Issued via client credentials exchange, scoped to specific permissions.