Audience: stakeholders, partners, and investors. This page explains why the
architecture matters and where it stands. For the engineering detail see
Architecture.
Why identity is foundational
For a platform that runs AI, hosts customer workloads, and bills by usage, identity and entitlements are not a feature — they are the control plane for trust and cost. Three things depend on getting them right:- Trust — customers and enterprises only adopt what they can safely give access to.
- Cost control — every AI call costs money; access must map precisely to what a customer has paid for.
- Scale — onboarding many users safely requires that “who can do what, and how much” is enforced by the system, not by hope.
The model in one picture
Sign in once. Carry a tamper-proof, expiring token. Every door is closed by default and opens only what the customer’s plan and permissions allow.What makes it strong
Managed, best-in-class
Auth0 for identity, OpenFGA for fine-grained authorization, Cloudflare at the
edge, Stripe for billing. We integrate proven systems instead of inventing our own.
Defense in depth
Two independent authorization gates. A miss at one layer is caught by the next.
Fail-closed by default
When anything is uncertain, access is denied. Safety is the default state, not an
add-on.
Cost is gated, not hoped
Paid AI usage is tied to entitlements and quotas, protecting margin as usage grows.
Agents stay in their lane
An AI agent acting for a user inherits exactly that user’s rights — never more.
Delegation is standards-based (RFC 8693).
Self-hostable
The same authorization model runs self-hosted for enterprise and air-gapped
deployments — no second, weaker code path.
Built on open standards
| Capability | Standard |
|---|---|
| Login & single sign-on | OpenID Connect / OAuth 2.0, Universal Login, PKCE |
| Delegated “agent acts for user” | OAuth 2.0 Token Exchange (RFC 8693) |
| Fine-grained permissions | Relationship-based access control (ReBAC / OpenFGA) |
| Capability flags | OpenFeature (vendor-neutral) |
| Connector discovery | Protected-resource metadata (RFC 9728) |
Where it stands today
We are transparent about maturity because a credible security story is an honest one.Authentication
Live & enforcing. Sign-in works across products; the edge rejects
unauthenticated and invalid requests in production today.
Authorization & entitlements
Provisioned, in staged rollout. The fine-grained engine and the billing-linked
entitlement pipeline are built and being promoted from audited shadow mode to full
enforcement, gate by gate.
Public beta
Controlled, deliberate. A limited, well-defined surface goes first, behind the
enforced gates — so we scale users without scaling risk.
Why staged enforcement is a feature, not a gap
Flipping every permission check to “enforce” on day one is how platforms cause outages and lock out paying customers. kombify instead runs each gate in shadow mode first — making the real decision and recording what it would do — and only promotes a gate to enforcement once the audit proves zero false denials against real users. It is reversible at any point. This is the same risk-managed rollout discipline mature platforms use; it is what lets us open a public beta confidently.The bottom line
kombify’s identity and entitlements layer is a deliberate, standards-based, defense-in-depth control plane that ties access and cost directly to what a customer has paid for. Authentication is live; authorization and entitlements are built and rolling out under an audited, reversible process designed specifically to make a many-user public beta safe.For the technical contracts behind these claims, see
Authentication & Entitlements — Technical Architecture.
