Heimdall
Auth for multi-tenant products
Heimdall is an authentication and authorization service built for teams shipping multi-tenant products. It handles machine-to-machine tokens, tenant isolation, role-based access control, user management, and audit logging through a single REST API.
Most auth solutions fall into two camps: consumer-grade login widgets that break down once you need tenancy, or enterprise identity platforms that take weeks to configure. Heimdall sits between the two. It is opinionated enough to get you running in an afternoon and flexible enough to grow into a production system serving thousands of tenants.
There are no SDKs to install. No admin dashboards to click through. Every operation is an HTTP call with a JSON payload. If your stack can make a POST request, it can use Heimdall.
Core features
Everything you need to add production-grade auth to a multi-tenant application. Nothing you don't.
Machine-to-machine tokens
Issue scoped JWT tokens for service-to-service communication. Define which resources a token can access, set expiration policies, and revoke tokens instantly. No user session required.
Multi-tenancy with Apps
Every API call is scoped to a tenant (called an App in Heimdall). Data is isolated by default. Your customers never see each other's users, roles, or permissions.
Role-based access control
Create roles, attach permissions, and assign them to users. Enforce access at the API level with a single guard. Permissions follow a resource.action format and are fully customizable per App.
User management
Create, update, suspend, and delete users through the API. Each user belongs to one or more Apps and inherits the roles assigned to them within that App context.
Invite flows
Generate invite links with configurable expiration and usage limits. Invitees are added to the target App with a predefined role. One API call to create, one to accept.
Audit logging
Every authentication event, permission change, role assignment, and admin action is recorded with a timestamp, actor, and context. Query the audit log through a dedicated API endpoint.
How it works
A typical integration takes three steps: create an App for your tenant, issue tokens for your users or services, and check permissions on each request. Here is what that looks like.
Step 1
Create an App (tenant)
Register a new tenant in Heimdall. This creates an isolated namespace with roles and permissions provisioned automatically.
POST /v1/apps
{
"slug": "acme-corp",
"displayName": "Acme Corporation"
}Step 2
Issue a token
Authenticate a user or service and receive a signed JWT. Users sign in with email and password or social login. Services exchange client credentials.
POST /v1/oauth/token
{
"clientId": "m2m_a1b2c3d4...",
"clientSecret": "base64url-secret"
}Step 3
Check permissions
Verify the token and check whether the caller has the required permission. One call, no database lookup needed.
POST /v1/authorize
{
"token": "eyJhbGciOiJSUzI1NiIs...",
"permission": "user.read"
}
→ { "allowed": true, "role": "admin" }Technical details
Here is what matters for your integration.
REST-first design
Every operation is a standard HTTP call. No SDKs required. Use curl, fetch, or any HTTP client in any language. OpenAPI spec included.
JWT-based authentication
Tokens follow the JWT standard with RS256 signing. Verify tokens locally using the public JWKS endpoint, or use the introspection API to check permissions in real time.
Tenant-scoped data isolation
Every query is automatically filtered by tenant. Heimdall enforces isolation so Apps never see each other's data. You never need to write tenant-filtering logic in your own queries.
LLM-friendly surface
Consistent naming, predictable response shapes, and thorough error messages. AI coding assistants can integrate Heimdall endpoints without guesswork.
Horizontal scaling
Stateless request handling. Deploy multiple instances behind a load balancer. Token verification works offline using cached JWKS keys.
Built for these use cases
SaaS with team workspaces
Each customer gets their own App. Users within that App have roles like admin, editor, or viewer. Heimdall handles the boundaries so you can focus on features.
Internal tools with service accounts
Issue M2M tokens for your cron jobs, CI pipelines, or internal services. Scope them to specific permissions and rotate them on a schedule.
Marketplaces and platforms
Sellers, buyers, and admins each operate within their own permission model. Heimdall keeps the access rules clean without custom middleware in every route.
AI agent backends
Agents that call your API need scoped credentials. Issue short-lived tokens with narrow permissions so agents can act on behalf of users without broad access.
Ready to skip the auth sprint?
Heimdall is rolling out to early access users soon. Join the waitlist to get access to the API, documentation, and direct support from the team building it.