Organizations, users, and roles (RBAC) for Hanzo Cloud, powered by Hanzo IAM and the hanzo.id OIDC issuer.

IAM

Hanzo IAM is the identity control plane for Hanzo Cloud. It manages organizations, users, and roles (RBAC), and issues the tokens every other service trusts. All Hanzo apps sign in through a single OIDC issuer: hanzo.id.

Organizations, Users, and Roles

IAM is multi-tenant. Every account belongs to one or more organizations, and every resource is scoped to an organization via the owner claim carried in the JWT. Within an org, roles grant permissions through role-based access control (RBAC).

Concept        Description
Organization   Top-level tenant. Billing, projects, and data are all scoped to an org.
User           A member of one or more orgs, authenticated by password, OAuth, passkey, or wallet.
Application    An OAuth/OIDC client registered with IAM, named <org>-<app> (e.g. hanzo-cloud).
Role           A named set of permissions assigned to users for RBAC.

IAM is built on Casdoor, extended for the Hanzo stack. It supports OAuth 2.0 / OIDC, SAML, LDAP, Kerberos/SPNEGO, Web3 wallets, WebAuthn/passkeys, MPC-based key recovery, and MFA.

Single Sign-On with hanzo.id

Every Hanzo service redirects to hanzo.id for authentication. The issuer is fixed:

iss = https://hanzo.id

Fetch the OIDC discovery document to configure any standards-compliant client:

curl https://hanzo.id/.well-known/openid-configuration

See Authentication for the full OAuth 2.0 + PKCE flow, token validation, and the owner claim.
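The two checks a relying party should make before trusting hanzo.id are shown below as an added example; this is not Hanzo's code and not from the Authentication guide. It uses only the Python standard library and a constructed discovery document and ID-token claim set so it runs offline. The page fixes the issuer (https://hanzo.id), the owner claim, and the <org>-<app> client naming; the endpoint paths, subject, nonce and timestamps are made-up sample values, and signature verification against the JWKS is assumed to have already happened.

```python
"""Client-side checks for the hanzo.id OIDC issuer.

Added example, not Hanzo's code. Standard library only; the discovery
document and ID-token claim set below are constructed stand-ins so the code
runs offline. The page fixes the issuer (https://hanzo.id) and the `owner`
claim; the endpoint paths, subject, nonce and timestamps are made up.
"""
import json
import time
from typing import Optional
from urllib.parse import urlparse

EXPECTED_ISSUER = "https://hanzo.id"

# Constructed stand-in for GET https://hanzo.id/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://hanzo.id",
    "authorization_endpoint": "https://hanzo.id/oauth/authorize",   # constructed path
    "token_endpoint": "https://hanzo.id/oauth/token",               # constructed path
    "jwks_uri": "https://hanzo.id/.well-known/jwks.json",           # constructed path
    "code_challenge_methods_supported": ["S256"],
})

# Constructed claim set of an ID token after its signature has been verified.
SAMPLE_CLAIMS = {
    "iss": "https://hanzo.id",
    "sub": "user_EXAMPLE01",         # constructed subject
    "aud": "hanzo-cloud",            # the <org>-<app> client id named on the page
    "owner": "hanzo",                # org the token is scoped to
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "nonce": "n-EXAMPLE",
}


def validate_discovery(raw: str, expected_issuer: str = EXPECTED_ISSUER) -> dict:
    """Parse a discovery document and refuse one that is not hanzo.id's.

    Checks that `issuer` is byte-for-byte the expected value (OIDC Discovery
    requires it to match the URL the document was fetched from), that every
    endpoint the client will call is https on the issuer's host, and that
    S256 PKCE is offered, since the Authentication guide relies on it.
    """
    doc = json.loads(raw)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    host = urlparse(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        parts = urlparse(url)
        if parts.scheme != "https" or parts.netloc != host:
            raise ValueError(f"{key} points off-issuer: {url}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("issuer does not advertise S256 PKCE")
    return doc


def validate_id_token_claims(claims: dict, client_id: str,
                             expected_nonce: Optional[str] = None,
                             now: Optional[float] = None, leeway: int = 60) -> str:
    """Validate an ID token's claims and return its `owner` (organization).

    Assumes the signature was already verified against `jwks_uri`; this
    covers the claim checks from OIDC Core 3.1.3.7 plus the Hanzo-specific
    requirement that a token name the org it is scoped to.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token not issued by hanzo.id")
    if not claims.get("sub"):
        raise ValueError("token has no subject")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + leeway <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    owner = claims.get("owner")
    if not owner:
        raise ValueError("token carries no owner claim; cannot scope requests")
    return owner
```

The discovery check matters because a client that accepts whatever `issuer` value the document reports, or follows a `token_endpoint` on another host, can be steered to a different authorization server; pinning to the fixed issuer the page specifies closes that. The claims check returns the `owner` so the calling service has the org it must scope every subsequent lookup to.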

Managing Identity via the API

Identity resources are served under /v1/iam on the gateway. Authenticate with an API key (hk-...) or an IAM bearer token; requests are scoped to the caller's organization.

# List users in your organization
curl https://api.hanzo.ai/v1/iam/users \
  -H "Authorization: Bearer hk-..."

Every request shares the same shape -- https://api.hanzo.ai/v1/<service>/... with a bearer token. For the complete IAM resource reference (organizations, applications, roles, permissions, providers), see Hanzo IAM and the API reference.
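How a service behind the gateway can enforce "requests are scoped to the caller's organization" for either credential type, as an added example that is not Hanzo's code: the caller is resolved from the Authorization header, the resource's org is compared with the caller's org before any role is consulted, and only then is the RBAC table checked. Only the owner claim, the hk- key prefix and the bearer header come from the page; the role names, permission strings, key-store layout, `verify_jwt` hook and sample values are constructed assumptions.

```python
"""Org-scoped authorization for /v1/iam requests: resolve the caller from
the Authorization header, then apply tenant isolation and RBAC.

Added example, not Hanzo's code. Only the `owner` claim, the `hk-` API key
prefix and the `Authorization: Bearer` header come from the page; the role
names, permission strings, key-store layout and sample values are
constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed RBAC table: role -> permissions it grants within the caller's org.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "org:owner":  frozenset({"iam:users:list", "iam:users:write", "iam:roles:write"}),
    "org:admin":  frozenset({"iam:users:list", "iam:users:write"}),
    "org:member": frozenset({"iam:users:list"}),
}


def _key_id(raw_key: str) -> str:
    """Store and look up API keys by SHA-256 so a leaked store yields no usable keys."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


# Constructed API-key store. Each key is bound to exactly one org and a role set.
SAMPLE_API_KEY = "hk-EXAMPLE-not-a-real-key"          # constructed
API_KEYS = {
    _key_id(SAMPLE_API_KEY): {"subject": "svc-billing", "org": "hanzo",
                              "roles": frozenset({"org:member"})},
}


@dataclass(frozen=True)
class Principal:
    subject: str
    org: str                 # the tenant every resource lookup is scoped to
    roles: FrozenSet[str]


def resolve_principal(authorization: Optional[str],
                      verify_jwt: Callable[[str], dict]) -> Principal:
    """Turn an Authorization header into a Principal.

    `hk-` keys are looked up by hash. Anything else is treated as an IAM JWT
    and handed to `verify_jwt`, which must check signature, iss, aud and exp
    (see Authentication) and return the claims. A token without an `owner`
    claim is refused rather than treated as unscoped.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer credential")
    token = authorization[len("Bearer "):].strip()
    if token.startswith("hk-"):
        rec = API_KEYS.get(_key_id(token))
        if rec is None:
            raise PermissionError("unknown API key")
        return Principal(rec["subject"], rec["org"], rec["roles"])
    claims = verify_jwt(token)
    owner = claims.get("owner")
    if not owner:
        raise PermissionError("token has no owner claim; refusing unscoped request")
    return Principal(claims["sub"], owner, frozenset(claims.get("roles", [])))


def authorize(p: Principal, resource_org: str, permission: str) -> bool:
    """Deny by default. Tenant isolation comes first: a resource in another
    org is never visible, regardless of role. Only then is RBAC consulted."""
    if resource_org != p.org:
        return False
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in p.roles))
    return permission in granted


def can_list_users(authorization: Optional[str], verify_jwt: Callable[[str], dict],
                   target_org: str) -> bool:
    """Decision for the `GET /v1/iam/users` call shown above, for a given org."""
    try:
        principal = resolve_principal(authorization, verify_jwt)
    except PermissionError:
        return False
    return authorize(principal, target_org, "iam:users:list")
```

Keeping the org comparison ahead of the role lookup is deliberate: an org owner's role set is broad, and checking permissions first would make a cross-tenant request succeed whenever the permission name matched. The `verify_jwt` hook is where the issuer, audience and expiry checks belong; this block does not repeat them.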

  • Authentication -- OAuth 2.0 + OIDC login and session management
  • Organizations -- multi-org setup and switching
  • API Keys -- machine credentials for server-side access
  • KMS -- where IAM stores secrets and signing material
  • MPC -- threshold signing for secure key recovery
