The whole platform, on every plan.
Identra is a complete authentication authority — from a single email sign-in to a SAML federation with access reviews. Six capability domains, one feature set, and not one of them fenced behind a tier.
Sign-in
Sec. 01: Passwords, passwordless, one-time codes, passkeys, social, and MFA — the full sign-in matrix, drop-in or headless.
- Email & password
- Passwordless / magic links
- Email & SMS one-time codes
- Passkeys (WebAuthn)
- Social login (Google, GitHub, …)
- Multi-factor authentication (TOTP, backup codes)
Enterprise SSO
Sec. 02: SAML 2.0, OIDC, and SCIM provisioning with directory sync and JIT — the enterprise checklist, on the free tier.
- SAML 2.0 SSO
- OIDC SSO
- SCIM 2.0 user provisioning
- Directory sync
- Just-in-time provisioning
Organizations
Sec. 03: Multi-tenant orgs with roles, relationship-based access, invitations, and B2B entitlements built in.
- Organizations & memberships
- Roles & permissions (RBAC)
- Relationship-based access (ReBAC)
- Invitations & waitlists
- Entitlements & B2B plans
Developer platform
Sec. 04: Typed SDKs for every framework, drop-in UI, hosted flows, webhooks on an event backbone, and a CLI with sandbox mode.
- Drop-in UI components
- Hooks & hosted flows
- All client & server SDKs
- Webhooks & the event stream
- The identra CLI & sandbox mode
Brand & delivery
Sec. 05: Custom domains with TLS, complete theming, localized templates, i18n, and a migration importer to bring users across.
- Custom domains & TLS
- Full theming & branding
- Localized email / SMS templates
- Internationalization (i18n)
- Migration importer
Governance & trust
Sec. 06: Tamper-evident audit logs, named locations, JIT/PIM, access reviews, service accounts, impersonation, and a risk engine.
- Tamper-evident audit logs
- Named locations & device trust
- JIT / PIM privileged access
- Access reviews & service accounts
- Impersonation & the risk engine
Security is the product, not a setting.
Five decisions are baked into the schema from the first commit — the kind you can't retrofit. They're why the drop-in stays trustworthy as you scale.
Identity is not a credential
A person and the ways they prove it are separate records — add a passkey or revoke a password without touching who they are.
Every tenant, sealed by the database
Application-scoped tenancy is enforced at the row level (RLS), not just in application code. Isolation is a property of the store.
Sessions carry an assurance level
A session knows how strongly it was proven. Step-up to MFA is a first-class state, not a bolt-on.
Signing keys rotate on schedule
Token signing keys rotate with overlap and published JWKS, so verification never breaks and compromise has a short half-life.
Erasure is a real path
Soft-delete plus a genuine erasure path is built into the schema — GDPR isn't a feature request, it's the data model.
Default-deny, fail-closed, and never a secret in a log.
Ten SDKs, one contract.
The API is defined once as an OpenAPI contract; every client and server SDK is generated from it, so types never drift. Drop-in UI where you want speed, headless hooks where you want control.