Authdog

Guides

Last updated Jul 11, 2026
View as Markdown

Guides are task-oriented recipes for the things you build after your first sign-in works. Each one starts from a real goal — onboard an enterprise customer, pick an authorization model, harden for production — and walks the concrete steps. If you are just getting started, begin with the Quickstarts instead.

Build a multi-tenant app

Model your B2B customers as Organizations: each organization has its own memberships, org-scoped roles, and invitations, all inside a single environment. This guide covers creating organizations, inviting members, and reading the active organization from a session claim so your app can scope data per customer.

Onboard enterprise SSO

Let a customer sign in with their own identity provider over SAML 2.0 or OIDC. Okta, Microsoft Entra ID, JumpCloud, Ping Identity, and BeyondTrust are first-class connections you configure per environment. This guide walks the metadata exchange, domain-based routing, and testing a connection before you hand it to the customer's IT team.

Provision users automatically

Keep your user store in sync with a customer's directory using provisioning. Set up SCIM 2.0 (/v1/scim/v2, tokens prefixed adscim_) or the HRIS connector (/v1/hris/v1, tokens adhris_), then map IdP or HRIS groups to roles so membership changes grant and revoke access without manual work.

Choose an authorization model

Every environment uses exactly one of three models — pick per environment based on how your access rules are shaped:

  • RBAC — roles grant permissions; best for seat-based, role-driven apps.
  • ABAC — attribute policies written in Rego, evaluated at the edge.
  • FGA — Zanzibar-style relationship tuples for fine-grained, per-object access.

The Authorization concept page compares the trade-offs so you can commit with confidence.

Harden for production

Before you ship: use a separate environment per stage (dev, staging, production) so keys and connections never cross. Rotate signing keys on a schedule, restrict allowed redirect URIs, and subscribe to events via HMAC-signed webhooks (X-Authdog-Signature: t=...,v1=...) with durable retry for audit and downstream sync.

Migrate an existing user base

Move users from a legacy system into Authdog without forcing a mass password reset. This guide covers bulk import, identity linking by verified email, and a phased cutover where both systems validate sessions during the transition.

Learn more