Authaz admin dashboard · STAFF AUDIENCE · WEBAUTHN REQUIRED · VPN · CORP NET

Internal tools deserve better auth than your product.

Customer auth and staff auth answer different questions. Authaz keeps them separated by design — same primitives, different audience, different rules.

[Console mockup: staff.authaz.io/users · tenant=acme · q=session.recent · session: webauthn · corp-net]

Sidebar: Operations (Users 142 · Sessions 1.8k · Tenants 38 · Invites 12) · Safety (Risk events 3 · Break-glass · Audit log) · Config (Roles · Policies)

Operations · Users: All users · acme · scope tenant_acme · viewing-as support_l2 · actions: Export · Impersonate

Active (24h): 1,824 (+12.4%) · Failed logins: 37 (+8) · Risk, elevated: 3 (step-up) · P99 decision: 1.4 ms (stable)

  User         Email              Role           Last seen   Status
  Val Marsh    val@acme.com       owner          2m ago      active
  Rod Walsh    rod@acme.com       admin          9m ago      active
  Sam Kerr     sam@acme.com       developer      1h ago      idle
  Former X     former@acme.com                   14d ago     revoked
  Lee Bryant   lee@acme.com       billing-admin  3h ago      idle
The problem

Internal tools shouldn't share login with the product.

Customer auth and staff auth answer different questions. Mixing them is how a leaked customer password ends up reading your prod database. Authaz keeps them separated by design — same primitives, different audience.

— 01

A separate audience

Staff sign in through their own flow, with their own factors, their own session TTL, their own audit stream.

— 02

Strong by default

Corp IP allow-list, corp SSO, WebAuthn — required, not optional. We refuse to issue staff sessions without them.

— 03

Built for support

Impersonation, break-glass, scoped read-only sessions, time-boxed grants — the workflows your support team already needs.

The basics

Internal-grade controls, on by default.

— 01

Six guardrails — all enforced.

Network, identity, MFA, authz, danger-protection, session lifetime. Authaz checks every one before a staff session is issued — and again on every sensitive call.

  • fail closed if any check is missing
  • tenant-aware · scope to a single org
  • audited from the first request
  guardrail   policy                                       status
  network     corp IP allow-list OR VPN                    enforced
  identity    corp SSO · workforce only                    enforced
  mfa         WebAuthn · max-age 4h                        enforced
  authz       staff sub-roles · scoped resources           enforced
  danger      break-glass for delete · 2 approvers         enforced
  session     TTL 4h · idle 15m · revoke from console      enforced
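The six-guardrail check as a worked example, added here and not taken from Authaz's SDK: one decision function that evaluates network, identity, MFA, authz, danger and session lifetime in that order, and fails closed when any input is absent rather than treating a missing value as a pass. The type names, the corp CIDR ranges, the staff role names and the choice of `delete` and `rotate_key` as break-glass actions are assumptions; the limits (WebAuthn max-age 4h, TTL 4h, idle 15m, two approvers) are the ones the table above lists.

```typescript
// Added example, not Authaz SDK code. CORP_CIDRS, STAFF_ROLES, DANGEROUS_ACTIONS
// and the StaffContext shape are assumptions; the numeric limits are the page's.

export type Guardrail = "network" | "identity" | "mfa" | "authz" | "danger" | "session";

export interface StaffContext {
  sourceIp?: string;            // client address as seen by the proxy
  viaVpn?: boolean;             // asserted by the VPN / identity-aware proxy
  idp?: string;                 // corp SSO issuer, e.g. "okta"
  workforce?: boolean;          // assertion came from the workforce tenant, not a customer IdP
  webauthnAt?: number;          // epoch ms of the last WebAuthn assertion
  role?: string;                // staff sub-role
  scope?: string;               // session scope, e.g. "tenant_acme"
  resource?: string;            // resource the call touches, e.g. "tenant_acme/users"
  action?: string;              // "read", "update", "delete", ...
  breakGlassApprovals?: number;
  sessionStartedAt?: number;
  lastActivityAt?: number;
}

export interface Decision { allow: boolean; failed: Guardrail[]; reasons: string[] }

const CORP_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"];  // assumed corp egress ranges
const STAFF_ROLES = new Set(["support_l1", "support_l2", "admin"]);
const DANGEROUS_ACTIONS = new Set(["delete", "rotate_key"]);
const MFA_MAX_AGE_MS = 4 * 3_600_000;
const SESSION_TTL_MS = 4 * 3_600_000;
const IDLE_MS = 15 * 60_000;

// Dotted-quad IPv4 to an unsigned 32-bit integer; null for anything malformed.
export function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

export function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

export function decideStaffSession(ctx: StaffContext, now: number): Decision {
  const failed: Guardrail[] = [];
  const reasons: string[] = [];
  const fail = (g: Guardrail, why: string) => {
    if (!failed.includes(g)) failed.push(g);
    reasons.push(`${g}: ${why}`);
  };

  // 1. network: corp IP allow-list OR VPN. An unknown source IP is a failure, not a pass.
  const onCorpIp = ctx.sourceIp !== undefined && CORP_CIDRS.some((c) => inCidr(ctx.sourceIp!, c));
  if (!onCorpIp && ctx.viaVpn !== true) fail("network", "not on corp allow-list or VPN");

  // 2. identity: corp SSO assertion from the workforce tenant only.
  if (!ctx.idp || ctx.workforce !== true) fail("identity", "no workforce SSO assertion");

  // 3. mfa: a WebAuthn assertion no older than max-age.
  if (ctx.webauthnAt === undefined || now - ctx.webauthnAt > MFA_MAX_AGE_MS) fail("mfa", "WebAuthn missing or older than 4h");

  // 4. authz: a staff sub-role, and the resource must sit inside the session's scope.
  if (!ctx.role || !STAFF_ROLES.has(ctx.role)) fail("authz", "not a staff role");
  if (!ctx.scope || !ctx.resource || !ctx.resource.startsWith(ctx.scope + "/")) fail("authz", "resource outside session scope");

  // 5. danger: destructive actions need break-glass with two approvers.
  if (ctx.action && DANGEROUS_ACTIONS.has(ctx.action) && (ctx.breakGlassApprovals ?? 0) < 2) fail("danger", "break-glass needed (2 approvers)");

  // 6. session: absolute TTL and idle timeout, both re-checked on every call.
  if (ctx.sessionStartedAt === undefined || now - ctx.sessionStartedAt > SESSION_TTL_MS) fail("session", "TTL exceeded or unknown start");
  if (ctx.lastActivityAt === undefined || now - ctx.lastActivityAt > IDLE_MS) fail("session", "idle timeout or unknown activity");

  return { allow: failed.length === 0, failed, reasons };
}

// Constructed sample request (not real traffic): support_l2 reading users from the corp range.
export const sampleRequest: StaffContext = {
  sourceIp: "198.51.100.12", idp: "okta", workforce: true, webauthnAt: 1_700_000_000_000 - 10 * 60_000,
  role: "support_l2", scope: "tenant_acme", resource: "tenant_acme/users", action: "read",
  sessionStartedAt: 1_700_000_000_000 - 3_600_000, lastActivityAt: 1_700_000_000_000 - 60_000,
};
console.log(decideStaffSession(sampleRequest, 1_700_000_000_000));
```

The point of the `fail` helper is that every guardrail is evaluated and recorded even after the first failure, so the audit entry for a denial names all the missing checks, and a context with nothing in it is denied on five guardrails at once rather than slipping through because a field was never set.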
— 02

Impersonation that doesn't lie.

Support engineers see what users see — but every action is logged in both audit streams. Sessions expire automatically. No "I forgot to switch back" incidents.

  • mandatory ticket / reason on start
  • configurable TTL · idle revoke
  • read-only by default · escalate explicitly
IMPERSONATING · 12:14 → 12:29

Acting as val@acme.com

You're seeing exactly what Val sees. Every action is tagged in their audit log and in yours.

  tenant   org_acme
  role     developer
  ttl      15:00 remaining
  reason   support · ticket #4218
  limits   read-only · no billing · no auth changes
session ends · auto-revokes at expiry
— 03

Audit stream worth reading.

Every staff action — impersonation, flag flip, key rotation, denied break-glass — captured with actor, target, reason, and outcome. Streamed to your SIEM in real time.

  • structured · queryable · diffable
  • streams to Datadog · Splunk · S3
  • retention policy per event type
  12:14:02    kim@authaz    started impersonation of val@acme.com · #4218
  12:13:48    jess@authaz   updated flag billing.v2 · acme · enabled
  12:11:09  ! rob@authaz    attempted /v1/orgs.delete · denied · break-glass needed
  12:09:33  + jess@authaz   invited niko@authaz · staff · admin
  12:04:22    jess@authaz   rotated api key · org_lumen · key_4f
  12:01:18    kim@authaz    sso login · okta · webauthn · ip 198.51.100.12
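The impersonation card and the audit stream above, as one worked example added here (not Authaz code): a session that refuses to start without a ticket and a reason, stays read-only until an action is escalated explicitly, never allows billing or auth changes even when escalation is requested, expires on TTL or idle on every call rather than on a timer, and writes every event (start, each allowed or denied action, end) to both the actor's and the target's audit streams. The class names, the 15-minute default TTL and idle values, and the `billing.` and `auth.` action prefixes used to express "no billing · no auth changes" are assumptions.

```typescript
// Added example, not Authaz SDK code. Names, the 15-minute defaults and the
// NEVER_WRITABLE prefixes are assumptions mirroring the impersonation card.

export type Outcome = "started" | "ok" | "denied" | "ended";

export interface AuditEvent {
  ts: number;
  session: string;
  actor: string;     // staff member acting
  target: string;    // customer being impersonated
  action: string;
  outcome: Outcome;
  reason?: string;   // start reason and ticket, or why an action was denied
}

// One stream per principal. Every event lands in both the actor's and the target's
// stream, so the customer's log shows the support engineer's actions as well.
export class AuditLog {
  private streams = new Map<string, AuditEvent[]>();
  emit(ev: AuditEvent): void {
    for (const who of new Set([ev.actor, ev.target])) {
      const s = this.streams.get(who) ?? [];
      s.push(ev);
      this.streams.set(who, s);
    }
  }
  stream(who: string): AuditEvent[] { return this.streams.get(who) ?? []; }
}

export interface ImpersonationOpts {
  actor: string; target: string; tenant: string;
  ticket: string; reason: string;
  ttlMs?: number; idleMs?: number;
}

const NEVER_WRITABLE = ["billing.", "auth."];   // limits that escalation cannot lift
let counter = 0;

export class ImpersonationSession {
  readonly id = `imp_${++counter}`;
  private ended = false;
  private lastActivity: number;
  private readonly ttlMs: number;
  private readonly idleMs: number;
  private escalated = new Set<string>();        // actions explicitly escalated to write

  constructor(private audit: AuditLog, private opts: ImpersonationOpts, private startedAt: number) {
    this.ttlMs = opts.ttlMs ?? 15 * 60_000;
    this.idleMs = opts.idleMs ?? 15 * 60_000;
    this.lastActivity = startedAt;
    this.log("impersonation.start", "started", startedAt, `${opts.reason} · ticket #${opts.ticket}`);
  }

  get active(): boolean { return !this.ended; }

  private log(action: string, outcome: Outcome, ts: number, reason?: string): void {
    this.audit.emit({ ts, session: this.id, actor: this.opts.actor, target: this.opts.target, action, outcome, reason });
  }

  // Expiry is decided on every call, so a session nobody switched back from cannot keep working.
  private expiry(now: number): string | null {
    if (this.ended) return "session ended";
    if (now - this.startedAt > this.ttlMs) return "ttl expired";
    if (now - this.lastActivity > this.idleMs) return "idle timeout";
    return null;
  }

  escalate(action: string, now: number): boolean {
    const why = this.expiry(now);
    if (why) { this.log(`escalate:${action}`, "denied", now, why); this.end(now, why); return false; }
    if (NEVER_WRITABLE.some((p) => action.startsWith(p))) {
      this.log(`escalate:${action}`, "denied", now, "outside impersonation limits");
      return false;
    }
    this.escalated.add(action);
    this.lastActivity = now;
    this.log(`escalate:${action}`, "ok", now);
    return true;
  }

  act(action: string, kind: "read" | "write", now: number): { allowed: boolean; why?: string } {
    const why = this.expiry(now);
    if (why) { this.log(action, "denied", now, why); this.end(now, why); return { allowed: false, why }; }
    if (kind === "write" && NEVER_WRITABLE.some((p) => action.startsWith(p))) {
      this.log(action, "denied", now, "outside impersonation limits");
      return { allowed: false, why: "outside limits" };
    }
    if (kind === "write" && !this.escalated.has(action)) {
      this.log(action, "denied", now, "read-only; escalate explicitly");
      return { allowed: false, why: "read-only" };
    }
    this.lastActivity = now;
    this.log(action, "ok", now);
    return { allowed: true };
  }

  end(now: number, cause = "ended by actor"): void {
    if (this.ended) return;
    this.ended = true;
    this.log("impersonation.end", "ended", now, cause);
  }
}

// Mandatory ticket and reason on start; a blank value is rejected before anything is logged.
export function startImpersonation(audit: AuditLog, opts: ImpersonationOpts, now: number): ImpersonationSession {
  if (!opts.ticket.trim() || !opts.reason.trim()) throw new Error("impersonation needs a ticket and a reason");
  return new ImpersonationSession(audit, opts, now);
}
```

Denied actions are logged too, including the one that trips the idle timeout, so a reviewer reading the target's stream sees the attempt and the automatic end, not just the successful calls. A denied action deliberately does not refresh `lastActivity`; otherwise a script hammering a blocked endpoint could keep an otherwise abandoned session alive.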
Code

One middleware. Whole console covered.

backoffice/middleware.ts · staff-only

  // `authaz` is the Authaz SDK client, assumed to be initialised elsewhere in the back office.
  export const requireStaff = authaz.guard({
    audience: "staff",            // staff audience only; a customer session never satisfies this guard
    network: ["corp_ip", "vpn"],  // corp IP allow-list OR VPN
    factor: "webauthn",           // WebAuthn required, no weaker factor accepted here
    max_age: "4h",                // a WebAuthn assertion older than 4h must be refreshed
    audit: true,                  // audited from the first request
  });
Spec

The fine print, up front.

  Audience model      separate staff audience · isolated from customer auth
  Network controls    corp IP allow-list · VPN · BeyondCorp-style identity-aware proxy
  Identity            corp SSO · WebAuthn required · TOTP fallback
  Impersonation       time-boxed · reason-required · mutual audit · scope-limited
  Break-glass         2-of-N approvals · post-hoc review · auto-revoke
  Session lifetime    TTL 4h · idle 15m · per-action step-up
  Audit               every action · streamed · per-actor + per-target views
  Pricing model       flat per staff seat · unlimited customer impersonations
Pairs with

One platform. Every primitive.

Every Authaz product shares the same primitives — sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.

Explore all products →
Get started

Lock the back office. Don't lock yourself out of it.

Staff auth, support workflows, audit that holds up — without standing up a second system.