Identity and trust · packages/iam

iam surface

Auth, identity, permissions, tenancy, audit, and secrets

Stability: Stable
Scope: Tenant-scoped
Boundary: packages/iam
Demo panel (rendered widget, summarised): the tenant-isolated packages/iam boundary with a passing policy decision in four steps, actor verified (25 ms), tenant scope (16 ms), iam authorized (22 ms), audit logged (12 ms); an active MFA session (actor_vcacme_2656, owner, expires in 48m); and counters for active sessions (794, +7%), audit entries / day (26,558) and policy checks / s (70, +2%).
packages/iam · Identity and trust · single boundary

Usage: permissions.ts

```typescript
import { ability } from "@nebutra/permissions";
import { requirePermission } from "@nebutra/permissions/server";

// Server-side guard: the current actor must hold "user.invite"
// within the organisation identified by orgId.
await requirePermission("user.invite", { orgId });

// In-process check (CASL) against the current user's ability set.
const can = ability(currentUser);
if (can("delete", "Project", project)) {
  await deleteProject(project.id);
}
```
Audit log demo (rendered widget, summarised) · 12,847 entries · hash-verified: admin.invite_user (AK, 2s ago), billing.cancel (MR, 14m ago), auth.signin (JT, 1h ago) → hash-chained · SHA-256
audit · Package

Hash-chained, SHA-256 append-only audit log for actor/tenant actions. SOC 2-grade tamper detection, streaming export, and replay-safe queries.
auth · Package

Multi-provider auth — Clerk, Better Auth, or NextAuth. Same React surface, swap providers via preset config. MFA-enforced, session HMAC-signed.
Captcha demo (rendered widget, summarised): "Select traffic lights" challenge, 6 tiles, Cloudflare Turnstile, verified with a 1.2s solve.
captcha · Package

Bot challenge with Cloudflare Turnstile / hCaptcha / reCAPTCHA behind one verify() call. Server-side scoring, per-route enable, no third-party tracker on the client.
identity · Package

Shared actor primitive — usr_/svc_/api_ ID space, role/membership lookup, tenant attachment. The single identity object every iam package reads.
OAuth consent demo (rendered widget, summarised): third-party app "Acme CI" requests the scopes read:projects, write:deployments and admin:billing; the issued token is a JWT with a 1h TTL.
oauth-server · Package

Stand up your own OAuth 2.1 / OIDC provider. Authorization code + PKCE, refresh rotation, third-party app consent, JWT issuance with 1h default TTL.
Policy matrix demo (rendered widget, summarised): RBAC / ABAC matrix of the roles admin, member and viewer against the actions read, write and delete · defineAbility() · CASL
permissions · Package

RBAC + ABAC engine — CASL for in-process checks, OpenFGA for Zanzibar-style relationships. defineAbility() on the server, <Can /> in React.
Tenant switcher demo (rendered widget, summarised): Acme Robotics (Pro), Globex Corp (Member), Initech Labs (Member) · RLS · tenantId scope · AsyncLocalStorage
tenant · Package

Request-scoped tenant context via AsyncLocalStorage, with a Prisma RLS bridge. One tenantId resolves through middleware and propagates through the whole stack.
vault · Package

Application-layer envelope encryption for customer secrets — AES-256-GCM, per-tenant DEK, KMS-wrapped. Audit-logged read/decrypt, zero plaintext at rest.