For a deep dive into the identity architecture, see Identity & security concepts.
Authentication methods
| Method | Use case | Recommended for |
|---|---|---|
| Passkeys (WebAuthn) | Passwordless login | Human users (default) |
| OIDC/SSO | Enterprise federation | Teams, organizations |
| mTLS certificates | Service-to-service | Agents, workloads |
| API keys | Programmatic access | Scripts, CI/CD |
| SSH keys | Server access | Direct server management |
Quick decision guide
I'm setting up kombify for personal use
Use the default passkey authentication:
- Register a passkey during signup
- Add a backup passkey for recovery
- No passwords to remember or rotate
I'm setting up kombify for my team
Use Zitadel OIDC with kombify Cloud:
- Centralized user management
- Role-based access control
- SSO across all kombify tools
I need to integrate with existing corporate SSO
Configure SSO integration:
- OIDC or SAML federation
- Map existing groups to kombify roles
- Maintain single identity source
I need programmatic access for automation
Use API keys or mTLS certificates:
- API keys for simple scripts
- mTLS for production workloads
- Both support scoped permissions
Security defaults
kombify ships with secure-by-default settings:
- Passkey-only login (no passwords by default)
- mTLS for agents (no static API keys in config files)
- Short-lived tokens (1 hour access tokens)
- RBAC via groups (least privilege by default)
Next steps
- Identity concepts: Understand the full identity architecture
- Zitadel setup: Configure Zitadel as your IdP
- SSO integration: Connect to enterprise SSO
- API keys: Set up programmatic access
