Iter

Organizations, Teams & Role-Based Access

A dedicated auth service with JWT authentication, multi-tenant organizations, team management, and granular role-based access control - all self-hosted.

Project features with role-based access

Identity & access management

1. Organizations

Multi-tenant by default. Each org is fully isolated - users, teams, roles, and projects are scoped to a single organization.

2. Users & authentication

JWT-based auth with access and refresh tokens. Bcrypt password hashing, token rotation on refresh, and full revocation on logout or password change.

3. Teams

Group users into teams within an organization. Manage membership, assign team-level context, and organize around projects or capabilities.

4. Role-based access control

Three built-in roles - Explore (read-only), Create (read + write), Mod (full admin). Roles can be assigned org-wide or scoped to individual projects.

Security & compliance

JWT tokens

HS256-signed access tokens (1-hour TTL) with refresh token rotation (30-day TTL). Claims include org, role, and team membership.

Audit logging

Every auth event is logged: login, logout, failed attempts, password changes, role assignments, user creation, and deactivation.

Project-scoped roles

Assign roles at the org level or per-project. A user can be "explore" org-wide but "mod" on a specific project.

Service-to-service auth

Shared service tokens for internal communication between microservices. JWT validation in the API gateway middleware.

Built-in roles

Explore

Read-only access for stakeholders and observers.

  • View projects & tasks
  • Read reports & events
  • Browse interaction history

Create

For developers who build and ship.

  • Everything in Explore
  • Create & edit projects
  • Write tasks & comments
  • Run orchestration

Mod

Full admin access for team leads.

  • Everything in Create
  • Manage users & teams
  • Assign & revoke roles
  • Organization settings
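
How the pieces above fit together in a gateway check, as an added example that is not Iter's own code: verify an HS256 access token with a 1-hour TTL, enforce org isolation, then resolve the effective role for a project. The claim names `org`, `role`, `projects` and `exp`, the function names, and the rule that a project-scoped role takes precedence over the org-wide one are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

RANK = {"explore": 0, "create": 1, "mod": 2}  # each role includes the one before it
ACCESS_TTL = 3600                             # 1-hour access token, as stated on the page

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, key: bytes, now: int) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({**claims, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify(token: str, key: bytes, now: int) -> dict:
    try:
        header, body, sig = token.split(".")
        alg = json.loads(b64d(header)).get("alg")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        good_sig = hmac.compare_digest(expected, b64d(sig))
        claims = json.loads(b64d(body))
    except (ValueError, AttributeError):
        raise PermissionError("malformed token")
    if alg != "HS256" or not good_sig:   # pin the algorithm; never let the header choose it
        raise PermissionError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise PermissionError("expired")
    return claims

def allowed(claims: dict, org: str, project: str, required: str) -> bool:
    if claims.get("org") != org:         # tenant isolation comes before any role check
        return False
    # "projects" is a hypothetical claim mapping project id -> role (assumed to override)
    role = claims.get("projects", {}).get(project, claims.get("role"))
    return RANK.get(role, -1) >= RANK[required]

if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample secret, not a real key
    token = issue({"sub": "u1", "org": "acme", "role": "explore",
                   "projects": {"p-42": "mod"}}, key, int(time.time()))
    claims = verify(token, key, int(time.time()))
    print(allowed(claims, "acme", "p-42", "mod"), allowed(claims, "acme", "p-7", "create"))
```

Because the role rides inside the signed token, a role change only takes effect on already-issued access tokens once they expire or are revoked, which is why the short access TTL and revocation matter.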
