Live

Heimdall

Multi-tenant auth without the sprint.

Heimdall is the auth layer for products that need tenancy on day one. Users, roles, machine-to-machine tokens, and audit logs, all behind one REST API. Tokens are scoped and signed per app, so the isolation between tenants is a property of the token, not a policy check.

Most auth stacks split in half: consumer widgets that crack once you need tenancy, or enterprise IdPs that take a quarter to wire up. Heimdall sits in the middle. Opinionated enough to ship in an afternoon. Flexible enough to run thousands of tenants without a rewrite.

No SDK, no dashboard-driven config. Every operation is an HTTP call with a JSON body. If your stack can POST, it can use Heimdall. And every ProductCraft product runs on it — we eat our own tenancy model.

Read the docs Open in console

Capabilities

Core features

Everything you need to add production-grade auth to a multi-tenant application. Nothing you don’t.

Machine-to-machine tokens

Issue scoped JWT tokens for service-to-service communication. Define which resources a token can access, set expiration policies, and revoke tokens instantly. No user session required.

Multi-tenancy with Apps

Every API call is scoped to a tenant (called an App in Heimdall). Data is isolated by default. Your customers never see each other’s users, roles, or permissions.

Role-based access control

Create roles, attach permissions, and assign them to users. Enforce access at the API level with a single guard. Permissions follow a resource.action format and are fully customisable per App.

User management

Create, update, suspend, and delete users through the API. Each user belongs to one or more Apps and inherits the roles assigned to them within that App context.

Invite flows

Generate invite links with configurable expiration and usage limits. Invitees are added to the target App with a predefined role. One API call to create, one to accept.

Audit logging

Every authentication event, permission change, role assignment, and admin action is recorded with a timestamp, actor, and context. Query the audit log through a dedicated API endpoint.

Integration

How it works

A typical integration takes three steps: create an App for your tenant, issue tokens for your users or services, and check permissions on each request.

Create an App (tenant)

Register a new tenant in Heimdall. This creates an isolated namespace with roles and permissions provisioned automatically.

POST /v1/apps

{
  "slug": "acme-corp",
  "displayName": "Acme Corporation"
}

Issue a token

Authenticate a user or service and receive a signed JWT. Users sign in with email and password or social login. Services exchange client credentials.

POST /v1/oauth/token

{
  "clientId": "m2m_a1b2c3d4...",
  "clientSecret": "base64url-secret"
}

Check permissions

Verify the token and check whether the caller has the required permission. One call, no database lookup needed.

POST /v1/authorize

{
  "token": "eyJhbGciOiJSUzI1NiIs...",
  "permission": "user.read"
}

→ { "allowed": true, "role": "admin" }

Under the hood

Technical details

Here is what matters for your integration.

REST-first design

Every operation is a standard HTTP call. No SDKs required. Use curl, fetch, or any HTTP client in any language. OpenAPI spec included.

JWT-based authentication

Tokens follow the JWT standard with RS256 signing. Verify tokens locally using the public JWKS endpoint, or use the introspection API to check permissions in real time.

Tenant-scoped data isolation

Every query is automatically filtered by tenant. Heimdall enforces isolation so Apps never see each other’s data. You never need to write tenant-filtering logic in your own queries.

LLM-friendly surface

Consistent naming, predictable response shapes, and thorough error messages. AI coding assistants can integrate Heimdall endpoints without guesswork.

Horizontal scaling

Stateless request handling. Deploy multiple instances behind a load balancer. Token verification works offline using cached JWKS keys.

Use cases

Built for these workloads

SaaS with team workspaces

Each customer gets their own App. Users within that App have roles like admin, editor, or viewer. Heimdall handles the boundaries so you can focus on features.

Internal tools with service accounts

Issue M2M tokens for your cron jobs, CI pipelines, or internal services. Scope them to specific permissions and rotate them on a schedule.

Marketplaces and platforms

Sellers, buyers, and admins each operate within their own permission model. Heimdall keeps the access rules clean without custom middleware in every route.

AI agent backends

Agents that call your API need scoped credentials. Issue short-lived tokens with narrow permissions so agents can act on behalf of users without broad access.

Skip the auth sprint

The quickstart goes from zero to a signed token in under ten minutes. Create an App, issue a token, verify it against the JWKS endpoint — all with copy-paste curl.

Start the quickstart Open in console