Guides are task-oriented recipes for the things you build after your first sign-in works. Each one starts from a real goal — onboard an enterprise customer, pick an authorization model, harden for production — and walks the concrete steps. If you are just getting started, begin with the [Quickstarts](/docs/quickstarts) instead.

## Build a multi-tenant app

Model your B2B customers as [Organizations](/docs/organizations): each organization has its own memberships, org-scoped roles, and invitations, all inside a single environment. This guide covers creating organizations, inviting members, and reading the active organization from a session claim so your app can scope data per customer.

## Onboard enterprise SSO

Let a customer sign in with their own identity provider over SAML 2.0 or OIDC. Okta, Microsoft Entra ID, JumpCloud, Ping Identity, and BeyondTrust are first-class connections you configure per environment. This guide walks the metadata exchange, domain-based routing, and testing a connection before you hand it to the customer's IT team.

## Provision users automatically

Keep your user store in sync with a customer's directory using [provisioning](/docs/concepts/provisioning). Set up SCIM 2.0 (`/v1/scim/v2`, tokens prefixed `adscim_`) or the HRIS connector (`/v1/hris/v1`, tokens `adhris_`), then map IdP or HRIS groups to roles so membership changes grant and revoke access without manual work.

## Choose an authorization model

Every environment uses exactly one of three models — pick per environment based on how your access rules are shaped:

- **RBAC** — roles grant permissions; best for seat-based, role-driven apps.
- **ABAC** — attribute policies written in Rego, evaluated at the edge.
- **FGA** — Zanzibar-style relationship tuples for fine-grained, per-object access.

The [Authorization](/docs/concepts/authorization) concept page compares the trade-offs so you can commit with confidence.

## Harden for production

Before you ship: use a separate environment per stage (dev, staging, production) so keys and connections never cross. Rotate signing keys on a schedule, restrict allowed redirect URIs, and subscribe to [events](/docs/backend) via HMAC-signed webhooks (`X-Authdog-Signature: t=...,v1=...`) with durable retry for audit and downstream sync.

## Migrate an existing user base

Move users from a legacy system into Authdog without forcing a mass password reset. This guide covers bulk import, identity linking by verified email, and a phased cutover where both systems validate sessions during the transition.

## Related

- [Users](/docs/users) — the user object and lifecycle.
- [Backend requests](/docs/backend) — server-side session validation.
- [Account portal](/docs/account-portal) — hosted, zero-config auth UI.
