Authentication and authorization
—fully offloaded.
Ship Firebase-grade sign-in and OPAL/OPA-grade policy control with one Identity + Policy plane.
Describe intent. Celeris generates policies, tests, and guardrails.
Auth Studio
Firebase-grade authentication with enterprise SSO, multi-tenant orgs, and complete user lifecycle management.
Welcome back
Sign in to continue to your account
Multi-tenant Ready
Organizations with products, teams with roles. Built for B2B SaaS from day one.
MFA & Risk Signals
Adaptive MFA, device fingerprinting, and anomaly detection built in.
Full API & SDKs
Headless or hosted. React, Vue, Next.js, and server SDKs included.
Authorization, offloaded
Stop writing permission logic in every service. Centralize with OPA/Rego policies. Distribute with OPAL-style sync. Enforce everywhere.
POST /api/invoices/inv_123/export
{
"user": { "id": "u_456", "role": "finance_viewer", "org": "acme" },
"resource": { "type": "invoice", "id": "inv_123", "tenant": "acme" },
"action": "export"
}
rbac.rego:45 → finance_permissions
0.8ms
Rego Policies
Express any authorization logic with OPA's declarative policy language.
OPAL Distribution
Push policy bundles and data updates to OPA agents with sub-second latency.
Decision Logs
Every decision traced: input, policy, result, reason, latency. Full audit trail.
Sub-ms Latency
Local evaluation with cached policies. No round-trips. Offline-friendly.
Policy Copilot
Describe what you want in plain English. Get production-ready Rego policies, comprehensive tests, and intelligent guardrails.
// Policy will appear here...// Test cases will appear here...Policies as code
Test policies in CI. Canary to a subset. Watch metrics. Roll forward with confidence.
Top Deny Reasons (Canary)
Enforcement everywhere
Connect Auth and Policy to your entire stack. From API gateway to edge workers, every decision point is covered.
Envoy-compatible external authorization. Validate tokens and evaluate policies before requests reach your services.
Istio and Linkerd integration. OPA sidecars evaluate service-to-service calls with full context.
Cloudflare Workers, Vercel Edge, Deno Deploy. Validate and authorize at the edge with cached policies.
Node.js, Go, Python, Ruby SDKs. Local decision cache with background sync. Sub-millisecond checks.
AWS Lambda, Celeris Functions, Google Cloud Functions. Embedded OPA with pre-loaded policies.
Each preview environment gets its own policy bundle. Test policy changes before they hit production.
GitHub Actions, GitLab CI, Jenkins. Run OPA tests on every PR. Block deploys if tests fail.
Built for trust
Enterprise SSO. Comprehensive auditing. Tenant isolation. Everything you need to pass security reviews.
SSO & SCIM
- SAML 2.0 & OIDC
- Okta, Azure AD, OneLogin
- SCIM user provisioning
- JIT user creation
Audit & Logs
- Complete audit trail
- Decision logs with context
- Configurable retention
- SIEM exports (Splunk, Datadog)
Access Control
- RBAC + ABAC + Rego
- Fine-grained permissions
- Resource-level policies
- Temporal access (expiring grants)
Tenant Isolation
- Org/product scoped data
- Isolated policy bundles
- Per-tenant encryption keys
- Data residency controls
Security
- Rate limiting & throttling
- Bot protection hooks
- Anomaly detection (AI)
- Brute-force protection
Compliance
- SOC 2 Type II ready
- GDPR data controls
- HIPAA-eligible config
- Penetration tested
Ready to offload auth and authz?
Start with the free tier. Scale to enterprise.