What is LumoAuth?

LumoAuth is a multi-organization identity and access management (IAM) platform. It handles authentication, authorization, and identity management from a single service, so applications do not have to implement these themselves.

Functionally, LumoAuth covers the same ground as Auth0, Okta, or Keycloak. It implements the standard protocols — OAuth 2.0, OpenID Connect, SAML 2.0, SCIM 2.0 — and adds adaptive MFA, fine-grained authorization (Zanzibar-style), and first-class identity for AI agents.


Who is LumoAuth for?

Use case           Description
B2B SaaS           Multi-organization applications where each customer gets an isolated environment (users, branding, settings).
B2C applications   Consumer apps that need social login, passwordless, and MFA.
Enterprise         Integrations with Active Directory, SAML IdPs, and enforcement of compliance policies.
Internal tools     Protected internal APIs and dashboards with RBAC and audit logging.
AI and automation  Verified identities for AI agents and autonomous workloads.

Feature summary

Authentication

  • Email and password — standard credential login with email verification
  • Social login — Google, GitHub, Microsoft, Facebook, Apple, LinkedIn, and custom OIDC providers
  • Multi-factor authentication (MFA) — TOTP, SMS, email codes, and backup codes
  • Adaptive MFA — risk scoring that triggers MFA only when needed
  • Passkeys / WebAuthn — FIDO2 passwordless login
  • Enterprise SSO — SAML 2.0 (as IdP and SP), OIDC federation, LDAP / Active Directory
  • Device flow — RFC 8628 authentication for CLI tools and input-constrained devices

Multi-tenancy

  • Data isolation — each organization has its own users, roles, permissions, and OAuth clients
  • Organization portal — self-service admin dashboard at /orgs/{orgId}/portal/
  • Custom domains — branded login pages on your own domain
  • Per-organization configuration — independent auth settings, social providers, email templates

Authorization and access control

  • Role-Based Access Control (RBAC) — roles grouping named permissions
  • Groups — collections of users that inherit roles
  • Attribute-Based Access Control (ABAC) — context-aware policies (time, IP, resource attributes)
  • Fine-grained authorization (Zanzibar) — relationship-based access control, modeled on Google's Zanzibar paper
  • AI policy authoring — describe a policy in natural language; LumoAuth translates it into enforceable rules
  • Permission tester — check what a specific user is allowed to do, in real time
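To make the relationship-based model concrete, here is an added illustration (not LumoAuth's own code) of how a Zanzibar-style check resolves a question like "can this user view this document" by walking relation tuples. It assumes a hypothetical namespace configuration with two rewrite rules from the Zanzibar paper, a computed userset (every editor is also a viewer, every owner is also an editor) and a tuple-to-userset (a document inherits viewers from its parent folder), and it also models group membership, since a group is just another object with a member relation. The sample tuples and the permission_tester helper are constructed for this example.

```python
"""
Minimal Zanzibar-style relationship check (added illustration, not
LumoAuth's implementation). Tuples are (object, relation, subject) where
a subject is either a user ("user:alice") or a userset ("group:eng#member").
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RelationTuple:
    object: str     # e.g. "doc:readme"
    relation: str   # e.g. "viewer"
    subject: str    # "user:alice" or a userset such as "group:eng#member"


# Hypothetical namespace configuration (constructed for the example).
# relation -> relations on the same object that imply it
COMPUTED_USERSET = {
    "viewer": ["editor"],   # editor implies viewer
    "editor": ["owner"],    # owner implies editor
}
# relation -> (tupleset relation, relation looked up on the referenced object)
TUPLE_TO_USERSET = {
    "viewer": ("parent", "viewer"),  # viewer of the parent folder implies viewer of the doc
}


class RelationStore:
    def __init__(self, tuples: Iterable[RelationTuple]):
        self._tuples = set(tuples)

    def subjects(self, obj: str, relation: str) -> set:
        """All subjects directly written for (obj, relation)."""
        return {t.subject for t in self._tuples
                if t.object == obj and t.relation == relation}

    def check(self, obj: str, relation: str, user: str, _seen=None) -> bool:
        """Does `user` hold `relation` on `obj`, directly or via rewrites?"""
        seen = _seen if _seen is not None else set()
        if (obj, relation) in seen:
            return False            # cycle guard for self-referential tuples
        seen.add((obj, relation))

        # 1. Direct tuples, expanding usersets such as group:eng#member.
        for subject in self.subjects(obj, relation):
            if subject == user:
                return True
            if "#" in subject:
                s_obj, s_rel = subject.split("#", 1)
                if self.check(s_obj, s_rel, user, seen):
                    return True

        # 2. Computed userset: a stronger relation on the same object.
        for implied_by in COMPUTED_USERSET.get(relation, []):
            if self.check(obj, implied_by, user, seen):
                return True

        # 3. Tuple-to-userset: inherit the relation from a referenced object.
        if relation in TUPLE_TO_USERSET:
            ts_rel, target_rel = TUPLE_TO_USERSET[relation]
            for referenced in self.subjects(obj, ts_rel):
                if self.check(referenced, target_rel, user, seen):
                    return True
        return False


def sample_store() -> RelationStore:
    """Constructed sample data: a doc inside a folder shared with a group."""
    return RelationStore([
        RelationTuple("doc:readme", "parent", "folder:eng"),
        RelationTuple("doc:readme", "owner", "user:bob"),
        RelationTuple("folder:eng", "viewer", "group:eng#member"),
        RelationTuple("group:eng", "member", "user:alice"),
    ])


def permission_tester(store: RelationStore, user: str, obj: str,
                      relations=("viewer", "editor", "owner")) -> dict:
    """What a 'permission tester' would report for one user on one object."""
    return {r: store.check(obj, r, user) for r in relations}


if __name__ == "__main__":
    store = sample_store()
    for user in ("user:alice", "user:bob", "user:carol"):
        print(user, permission_tester(store, user, "doc:readme"))
```

Alice never appears on doc:readme directly; she is a viewer only because the document's parent folder is shared with a group she belongs to, which is exactly the kind of indirect grant a permission tester should surface. Bob is the owner, so the computed-userset rules give him editor and viewer as well; Carol, with no tuples, gets nothing.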

Standards and protocols

  • OAuth 2.0 — authorization code, client credentials, device code, refresh token, CIBA
  • OpenID Connect — discovery, dynamic client registration, custom claims
  • SAML 2.0 — acts as both Identity Provider (IdP) and Service Provider (SP)
  • SCIM 2.0 — user and group provisioning (RFC 7643 / RFC 7644)
  • DPoP — Demonstrating Proof-of-Possession (RFC 9449)
  • PAR — Pushed Authorization Requests (RFC 9126)
  • RAR — Rich Authorization Requests (RFC 9396)

Compliance and security

  • GDPR — data subject requests, consent tracking, data export, breach reporting
  • Audit logs — append-only record of every operation
  • Rate limiting — per-endpoint protection against brute-force and abuse
  • Signing key management — JWT key rotation, JWKS endpoints, multiple active keys

Integrations

  • Webhooks — event notifications for user-lifecycle events
  • Observability — Datadog and Axiom integration for logs and traces
  • Email templates — customizable transactional emails (welcome, verification, password reset, MFA)
  • SDKs — JavaScript/TypeScript, React/Next.js helpers, and wrappers for common AI agent frameworks

AI and automation

  • Workload identity — register and authenticate autonomous AI agents
  • Model Context Protocol (MCP) — authorize LLM tool calls and agent actions
  • JIT provisioning — create user accounts on the fly from external IdPs

Architecture overview


Next steps