Documentation

Heimdall

Authentication and authorization for multi-tenant products. This documentation covers everything you need to integrate Heimdall into your application, from first API call to production deployment.

Quickstart

Go from zero to a working auth integration in under ten minutes. Create an App, issue tokens, and verify permissions.

Read more →

Core Concepts

Understand Apps, Users, Roles, Permissions, and Tokens. Learn how Heimdall models multi-tenancy and access control.

Read more →

API Reference

Complete endpoint documentation with request and response examples for every resource in the Heimdall API.

Read more →

Guides

Step-by-step walkthroughs for common patterns: SaaS onboarding, service-to-service auth, invite flows, and more.

Read more →

Base URL

https://heimdall.productcraft.co/api/v1

All endpoints are relative to this base URL. Requests must include an Authorization header with a valid bearer token unless otherwise noted.

Authentication

Heimdall issues two types of tokens:

  • User tokens (JWT) for authenticating users. Issued on signup or signin, verified locally via JWKS or through the introspection endpoint.
  • M2M tokens (JWT) for service-to-service authentication. Issued via client credentials exchange, scoped to specific permissions.
Start with the quickstart