Prism — Identity & Authorization Platform
Prism is a self-hosted identity and authorization server for multi-tenant environments. It manages organizations, projects, service accounts, and fine-grained access policies — issuing JWT tokens, X.509 certificates, and SSH certificates to authenticated principals.
What Prism provides
Organizations & Projects
Fully isolated multi-tenant organizations, each with their own projects, users, service accounts, and policy grants. No data leaks between tenants.
Service Accounts & API Keys
Machine identities with scoped API keys and public-key pairs. Service accounts receive JWT tokens with canonical subject claims usable across services.
Cross-Org Identity Assumption
A service account in one organization can assume an identity in another through OpenID trust relationships — enabling secure cross-org automation without shared secrets.
Certificate & SSH CA Issuance
Per-organization X.509 CA for mTLS, and SSH certificate authority for principal-aware SSH access. Certificates carry the caller's Prism identity.
Fine-Grained Access Policies
Cedar-based policy engine with organization and project-scoped grants. Grants support expiry, conditions, and glob-pattern permissions.
Encrypted Secret Stores
Project-scoped key-value stores with server-side encryption. Policies control which service accounts can read or write individual keys or key prefixes.
Audit Events
Every authentication and authorization decision is logged as a structured audit event scoped to the organization, queryable via API.
GitHub Actions Integration
Built-in trust for GitHub Actions OIDC tokens. A CI job can assume a Prism service account identity without managing long-lived credentials.
Use case guides
- Cross-Organization Service Account Assumption: configure a service account in one Prism organization to assume an identity in another organization using OpenID token exchange.
More guides coming soon.