The platform behind your platform
Keystone packages the boring-but-critical parts of every SaaS (identity, access control, feature flags, metering, and billing) as composable, multi-tenant services behind a single API. Adopt one, or all five.
Identity
A complete identity layer: authenticate users, organize them into tenants, and issue scoped credentials, without standing up your own auth service.
Email + password: Constant-time, enumeration-safe credential auth.
Passwordless: Emailed one-time sign-in codes.
TOTP MFA: Authenticator enrollment + recovery codes.
Organizations: Tenants with slugs, members, and settings.
Roles & members: owner, admin, billing, developer, member, viewer.
Invitations: Email invites with expiry and role assignment.
API keys: Scoped, prefixed, one-time-revealed, revocable.
Sessions: Rotating refresh tokens with reuse detection.
- Email + password, passwordless codes, and TOTP MFA out of the box
- Organizations, roles, members, and invitations
- Rotating refresh tokens with reuse detection
- Scoped API keys for your data plane
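The "rotating refresh tokens with reuse detection" item describes a specific mechanism: every refresh exchange invalidates the presented token and issues a new one, and if a token that was already exchanged ever shows up again, the whole token family is revoked, because either the legitimate client or a thief is holding a stale copy. The following is an added illustration of that mechanism, not Keystone's code; the family and store layout, the status strings, and the hash-at-rest choice are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added illustration of refresh-token rotation with reuse detection.
# Not Keystone's code; the TokenFamily/store layout is an assumption.


def _fingerprint(token: str) -> str:
    # Only a hash is stored: a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenFamily:
    user_id: str
    current: str          # hash of the single refresh token that is valid right now
    expires_at: float
    revoked: bool = False


class RefreshTokenStore:
    def __init__(self, ttl_seconds: float = 30 * 24 * 3600):
        self.families: Dict[str, TokenFamily] = {}
        self.by_hash: Dict[str, str] = {}   # token hash -> family id; superseded hashes stay mapped
        self.ttl = ttl_seconds

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Start a new family at login and return its first refresh token."""
        now = time.time() if now is None else now
        family_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        h = _fingerprint(token)
        self.families[family_id] = TokenFamily(user_id, h, now + self.ttl)
        self.by_hash[h] = family_id
        return token

    def rotate(self, presented: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Exchange a refresh token for a new one. Returns (new_token, status)."""
        now = time.time() if now is None else now
        h = _fingerprint(presented)
        family_id = self.by_hash.get(h)
        if family_id is None:
            return None, "unknown"
        fam = self.families[family_id]
        if fam.revoked:
            return None, "revoked"
        if now > fam.expires_at:
            fam.revoked = True
            return None, "expired"
        if h != fam.current:
            # A superseded token was presented again. Someone holds a stale copy,
            # so the entire family is killed and the user must sign in again.
            fam.revoked = True
            return None, "reuse_detected"
        new_token = secrets.token_urlsafe(32)
        fam.current = _fingerprint(new_token)
        self.by_hash[fam.current] = family_id
        return new_token, "ok"


if __name__ == "__main__":
    store = RefreshTokenStore()
    t1 = store.issue("user:alice")
    t2, status = store.rotate(t1)          # ok
    _, status2 = store.rotate(t1)          # reuse_detected: t1 was already exchanged
    _, status3 = store.rotate(t2)          # revoked: the whole family is dead
    print(status, status2, status3)
```

Keeping superseded hashes in `by_hash` is what makes reuse detectable: an unknown token is merely rejected, but a known-but-superseded one is evidence of a replayed copy and justifies revoking the family. Tokens are looked up by hash rather than compared one by one, so the comparison path does not leak timing about other users' tokens.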
Access Control
A managed authorization layer over OpenFGA. Define your model declaratively, write relationships, and get fast, fail-closed decisions across RBAC, ReBAC, and ABAC.
RBAC: Roles mapped to fine-grained permissions.
ReBAC: Relationship + hierarchy based access.
ABAC: Contextual conditions on grants.
check: Single decision, fail-closed.
batch-check: Many decisions in one call.
expand: Explain who has a relation.
list-objects: Resources a subject can access.
Per-tenant model: Compiled OpenFGA model per tenant.
- Model resource types, roles, and relationships
- Fail-closed decisions: check, batch-check, expand, list-objects
- Relationship-based inheritance and resource hierarchy
- Contextual (ABAC) conditions
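Two ideas in this section are worth seeing together: relationship-based inheritance through a resource hierarchy (an organization owner is implicitly an editor of the organization's documents) and fail-closed decisions (any backend failure is a deny, never an allow). The following is an added example that is not Keystone's code and does not call OpenFGA; it uses a constructed in-memory relation store with an assumed two-type model (organization with owner/member, document with parent/editor/viewer) and the OpenFGA-style `type:id` object naming.

```python
from typing import Callable, Iterable, List, Set, Tuple

# Added example: ReBAC check with hierarchy inheritance plus a fail-closed wrapper.
# Not Keystone's code and not the OpenFGA client; the model below is assumed:
#   organization: owner, member            (owner implies member)
#   document:     parent -> organization, editor, viewer
#     editor = direct editor | owner of parent organization
#     viewer = direct viewer | editor       | member of parent organization

Relation = Tuple[str, str, str]   # (user, relation, object), e.g. ("user:alice", "owner", "organization:acme")


class RelationStore:
    def __init__(self, tuples: Iterable[Relation]) -> None:
        self.tuples: Set[Relation] = set(tuples)

    def has(self, user: str, relation: str, obj: str) -> bool:
        return (user, relation, obj) in self.tuples

    def parents(self, obj: str) -> List[str]:
        return [u for (u, r, o) in self.tuples if o == obj and r == "parent"]


def check(store: RelationStore, user: str, relation: str, obj: str) -> bool:
    """Resolve one (user, relation, object) question against the assumed model."""
    obj_type = obj.split(":", 1)[0]
    if obj_type == "organization":
        if relation == "owner":
            return store.has(user, "owner", obj)
        if relation == "member":
            return store.has(user, "member", obj) or store.has(user, "owner", obj)
        return False
    if obj_type == "document":
        if relation == "editor":
            return store.has(user, "editor", obj) or any(
                check(store, user, "owner", p) for p in store.parents(obj))
        if relation == "viewer":
            return (store.has(user, "viewer", obj)
                    or check(store, user, "editor", obj)
                    or any(check(store, user, "member", p) for p in store.parents(obj)))
        return False
    return False   # unknown type or relation: deny


def fail_closed_check(backend: Callable[[str, str, str], bool], user: str, relation: str, obj: str) -> bool:
    """Any backend error (timeout, bad model, unexpected value) becomes a deny."""
    try:
        return backend(user, relation, obj) is True
    except Exception:
        return False


def batch_check(backend: Callable[[str, str, str], bool], requests: Iterable[Tuple[str, str, str]]) -> List[bool]:
    """Many decisions in one call; each one is independently fail-closed."""
    return [fail_closed_check(backend, *req) for req in requests]


SAMPLE_STORE = RelationStore([                       # constructed sample tuples
    ("user:alice", "owner", "organization:acme"),
    ("user:bob", "member", "organization:acme"),
    ("user:carol", "viewer", "document:roadmap"),
    ("organization:acme", "parent", "document:roadmap"),
])


def sample_backend(user: str, relation: str, obj: str) -> bool:
    return check(SAMPLE_STORE, user, relation, obj)


if __name__ == "__main__":
    print(batch_check(sample_backend, [
        ("user:alice", "editor", "document:roadmap"),   # via owner of parent org
        ("user:bob", "viewer", "document:roadmap"),     # via member of parent org
        ("user:bob", "editor", "document:roadmap"),     # no
    ]))
```

The `is True` test in `fail_closed_check` is deliberate: a backend that returns `None`, an error object, or a truthy dict on a malformed response must still resolve to deny.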
Feature Flags
Ship safely with multivariate flags, per-environment targeting, and an entitlements engine that turns plans into enforceable feature grants and limits.
Multivariate flags: boolean, string, number, json.
Per-environment: Different values per beta/stage/prod.
Targeting: Attribute rules + percentage rollout.
Kill switches: Instant disable with cache invalidation.
Plans: Bundle features + limits into plans.
Assignments: Assign plans to org/group/user.
Overrides: Per-subject limit overrides.
Resolution: Precedence-resolved entitlements.
- Boolean, string, number, and JSON flags
- Per-environment values with targeting + percentage rollout
- Entitlement plans and per-subject overrides
- Kill switches with instant invalidation
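"Precedence-resolved entitlements" and "percentage rollout" both hide a rule that has to be pinned down: which of several plan assignments (org, group, user) and overrides wins, and how a rollout percentage is applied so that a given subject gets the same answer on every request. The following is an added example, not Keystone's code; the plan catalog, the subject and override shapes, the precedence order (user over group over org, overrides applied on top of the winning plan), and the hash-bucket rollout are all assumptions chosen for the illustration.

```python
import hashlib
from typing import Dict, List, Set

# Added example of entitlement precedence and deterministic percentage rollout.
# Not Keystone's code; the catalog, shapes and precedence order are assumptions.

PLANS: Dict[str, dict] = {   # constructed sample catalog
    "free": {"features": {"basic"}, "limits": {"api_calls": 1_000}},
    "pro": {"features": {"basic", "sso"}, "limits": {"api_calls": 100_000}},
}


def subject_keys(subject: dict) -> List[str]:
    """Keys for one subject, most specific first: user, then each group, then the org."""
    return ([f"user:{subject['user']}"]
            + [f"group:{g}" for g in subject.get("groups", [])]
            + [f"org:{subject['org']}"])


def resolve(subject: dict, assignments: Dict[str, str], overrides: Dict[str, dict],
            plans: Dict[str, dict] = PLANS) -> dict:
    """Entitlements for a subject.

    assignments: subject key -> plan name (e.g. {"org:acme": "pro"}).
    overrides:   subject key -> {"limits": {...}, "features_add": [...], "features_remove": [...]}.
    The most specific plan assignment wins outright; overrides are then applied from
    least to most specific so that a user-level override beats a group or org one.
    """
    keys = subject_keys(subject)
    features: Set[str] = set()
    limits: Dict[str, int] = {}
    for k in keys:
        if k in assignments:
            plan = plans[assignments[k]]
            features, limits = set(plan["features"]), dict(plan["limits"])
            break
    for k in reversed(keys):
        ov = overrides.get(k)
        if not ov:
            continue
        limits.update(ov.get("limits", {}))
        features |= set(ov.get("features_add", ()))
        features -= set(ov.get("features_remove", ()))
    return {"features": features, "limits": limits}


def in_rollout(flag: str, subject_id: str, percent: float) -> bool:
    """Stable percentage rollout: the bucket depends only on (flag, subject), never on time or randomness."""
    digest = hashlib.sha256(f"{flag}:{subject_id}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 10_000     # 0..9999, i.e. hundredths of a percent
    return bucket < int(percent * 100)


if __name__ == "__main__":
    assignments = {"org:acme": "pro", "group:contractors": "free"}
    overrides = {"org:acme": {"limits": {"api_calls": 50_000}},
                 "user:u1": {"limits": {"api_calls": 75_000}, "features_add": ["beta"]}}
    print(resolve({"user": "u1", "groups": ["contractors"], "org": "acme"}, assignments, overrides))
    print(resolve({"user": "u2", "groups": [], "org": "acme"}, assignments, overrides))
    print(in_rollout("new-editor", "user:u1", 25))
```

Salting the bucket with the flag name means a subject who lands in the first 10% of one flag is not automatically in the first 10% of every flag; without it, rollouts become correlated and the same accounts absorb every risky change.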
Metering
Meter anything, idempotently. Fold raw events into windowed counters, enforce limits with overrides and top-ups, and gate hard quotas with a 402.
Meter catalog: sum, max, last, unique aggregations.
Idempotent ingest: Dedup by event id; late events ok.
Windows: day / month / lifetime counters.
Limits: Per-meter default limits.
Overrides: Per-subject limit overrides.
Top-ups: Time-bounded additional allowance.
Soft mode: Allow + bill overage.
Hard mode: Block at limit with 402.
- Idempotent event ingestion (dedup by id)
- Day / month / lifetime windowed counters
- Limits, per-subject overrides, and time-bounded top-ups
- Soft (bill overage) or hard (402) enforcement
Billing
An in-house rating engine fronted by a Merchant-of-Record boundary. Compute every pricing shape; let the MoR handle PCI, tax, and dunning.
Pricing models: flat, seat, tiered, volume, usage, hybrid.
Coupons & trials: Discounts and trial periods.
Versioned plans: Time-bounded, never mutated.
Bundles: Multi-product plans.
Subscriptions: Create, change, cancel with proration.
Top-ups: Quote → checkout → usage override.
Invoicing: Idempotent, with usage lineage.
Ledger: Append-only revenue records.
- Flat, seat, tiered, volume, usage, and hybrid pricing
- Versioned, time-bounded plans (never mutated)
- Proration, coupons, trials, and top-ups
- Idempotent invoicing with usage lineage
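"Tiered" and "volume" are the two pricing shapes most often confused: tiered (graduated) pricing charges each unit at the rate of the tier it falls in, while volume pricing charges every unit at the rate of the tier the total lands in, so the same quantity produces different invoices. Proration on a plan change is the other place rounding and ordering matter. The following is an added worked example in integer cents, not Keystone's rating engine; the tier table, the hybrid composition and the proration rule are assumptions for the illustration.

```python
from fractions import Fraction
from typing import List, Optional, Tuple

# Added worked example: tiered vs volume pricing, a hybrid total, and proration.
# Not Keystone's rating engine; SAMPLE_TIERS and the rounding rule are assumptions.

Tier = Tuple[Optional[int], int]   # (upper bound in units, None = unbounded; unit price in cents)

SAMPLE_TIERS: List[Tier] = [(1000, 10), (10000, 8), (None, 5)]   # constructed


def tiered_price(quantity: int, tiers: List[Tier]) -> int:
    """Graduated: units 1..1000 at 10c, 1001..10000 at 8c, everything above at 5c."""
    total, prev = 0, 0
    for up_to, price in tiers:
        if up_to is None or quantity <= up_to:
            total += (quantity - prev) * price
            break
        total += (up_to - prev) * price
        prev = up_to
    return total


def volume_price(quantity: int, tiers: List[Tier]) -> int:
    """Volume: the tier the total quantity lands in sets the price of every unit."""
    for up_to, price in tiers:
        if up_to is None or quantity <= up_to:
            return quantity * price
    raise ValueError("tier table must end with an unbounded tier")


def hybrid_price(flat_cents: int, seats: int, seat_cents: int, usage: int, tiers: List[Tier]) -> int:
    """flat + seat + (tiered) usage, the composition the page calls 'hybrid'."""
    return flat_cents + seats * seat_cents + tiered_price(usage, tiers)


def prorate(amount_cents: int, remaining_days: int, period_days: int) -> int:
    """Exact fraction of the period, rounded to whole cents (Python's round: half to even)."""
    if not 0 <= remaining_days <= period_days or period_days <= 0:
        raise ValueError("remaining_days must lie within the period")
    return round(Fraction(amount_cents * remaining_days, period_days))


def plan_change_charge(old_cents: int, new_cents: int, remaining_days: int, period_days: int) -> int:
    """Mid-period plan change: credit the unused part of the old plan, charge the unused part of the new one.
    A negative result is a credit owed to the customer."""
    return prorate(new_cents, remaining_days, period_days) - prorate(old_cents, remaining_days, period_days)


if __name__ == "__main__":
    for q in (500, 2500, 15000):
        print(q, tiered_price(q, SAMPLE_TIERS), volume_price(q, SAMPLE_TIERS))
    print(plan_change_charge(3000, 9000, 10, 30))
```

Working in integer cents with `Fraction` for the proration step keeps every intermediate value exact; the only rounding happens once, at the point the amount is written to the invoice, which is also where the ledger's append-only record should capture the inputs (quantity, tier table version, period) that produced it.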
Want early access?
Join the waitlist and we'll invite you as we open up the private beta.