The instrument in full

The whole platform, on every plan.

Identra is a complete authentication authority — from a single email sign-in to a SAML federation with access reviews. Six capability domains, one feature set, and not one of them fenced behind a tier.

Sign-in

Sec. 01

Passwords, passwordless, one-time codes, passkeys, social, and MFA — the full sign-in matrix, drop-in or headless.

  • Email & password
  • Passwordless / magic links
  • Email & SMS one-time codes
  • Passkeys (WebAuthn)
  • Social login (Google, GitHub, …)
  • Multi-factor authentication (TOTP, backup codes)

Enterprise SSO

Sec. 02

SAML 2.0, OIDC, and SCIM provisioning with directory sync and JIT — the enterprise checklist, on the free tier.

  • SAML 2.0 SSO
  • OIDC SSO
  • SCIM 2.0 user provisioning
  • Directory sync
  • Just-in-time provisioning

Organizations

Sec. 03

Multi-tenant orgs with roles, relationship-based access, invitations, and B2B entitlements built in.

  • Organizations & memberships
  • Roles & permissions (RBAC)
  • Relationship-based access (ReBAC)
  • Invitations & waitlists
  • Entitlements & B2B plans

Developer platform

Sec. 04

Typed SDKs for every framework, drop-in UI, hosted flows, webhooks on an event backbone, and a CLI with sandbox mode.

  • Drop-in UI components
  • Hooks & hosted flows
  • All client & server SDKs
  • Webhooks & the event stream
  • The identra CLI & sandbox mode

Brand & delivery

Sec. 05

Custom domains with TLS, complete theming, localized templates, i18n, and a migration importer to bring users across.

  • Custom domains & TLS
  • Full theming & branding
  • Localized email / SMS templates
  • Internationalization (i18n)
  • Migration importer

Governance & trust

Sec. 06

Tamper-evident audit logs, named locations, JIT/PIM, access reviews, service accounts, impersonation, and a risk engine.

  • Tamper-evident audit logs
  • Named locations & device trust
  • JIT / PIM privileged access
  • Access reviews & service accounts
  • Impersonation & the risk engine

Engineered to notarize

Security is the product, not a setting.

Five decisions are baked into the schema from the first commit — the kind you can't retrofit. They're why the drop-in stays trustworthy as you scale.

No. 01

Identity is not a credential

A person and the ways they prove it are separate records — add a passkey or revoke a password without touching who they are.

No. 02

Every tenant, sealed by the database

Application-scoped tenancy is enforced at the row level (RLS), not just in application code. Isolation is a property of the store.

No. 03

Sessions carry an assurance level

A session knows how strongly it was proven. Step-up to MFA is a first-class state, not a bolt-on.

No. 04

Signing keys rotate on schedule

Token signing keys rotate with overlap and published JWKS, so verification never breaks and compromise has a short half-life.

No. 05

Erasure is a real path

Soft-delete plus a genuine erasure path is built into the schema — GDPR isn't a feature request, it's the data model.

Default-deny, fail-closed, and never a secret in a log.

Built for developers

Ten SDKs, one contract.

The API is defined once as an OpenAPI contract; every client and server SDK is generated from it, so types never drift. Drop-in UI where you want speed, headless hooks where you want control.