Keymate Features
Explore the comprehensive suite of features that Keymate offers to help you build, manage, and secure your applications.
Organization Management (4)
Seamless Isolation for B2B, B2B2C, and G2C Identity Models
Keymate offers true multi-tenancy — not just realm separation. Each tenant gets isolated org units, policies, user bases, and delegated admins.
Empower Tenants Without Losing Control
Allow each tenant to manage its own users, roles, and org-units — within clearly scoped, auditable boundaries. Keymate gives your partners control, while you keep governance.
Organizational Context Inside Every Token
Keymate enriches identity tokens with deep organizational context—like department, unit, title, and session role—enabling scoped, policy-aware decisions for every request. No hacks, no guesswork.
End-to-End Organization Lifecycle Management
Centralized, fine-grained control over the entire lifecycle of organizations, departments, and units.
Resource Modeling (4)
Swagger-Driven Resource Modeling
Auto-Generate API Resources & Scopes from OpenAPI Definitions
Bulk Policy & Resource Import
Upload Policies and Resources at Scale with JSON or CSV
Policy Template & Reusability
Define Once, Reuse Everywhere—With Parameterized Policy Templates
Smart Policies Powered by Metadata Awareness
Use column-level metadata like sensitivity, owner, or classification from OpenMetadata to drive fine-grained API authorization
Integration (11)
Enforce Authorization at the Gateway—No Code Required
Native plugins for APISIX and Kong to enforce fine-grained access control directly at your API Gateway
Mesh-Native FGAC with Istio and Envoy Filters
Enforce fine-grained access policies across internal service-to-service traffic by integrating Keymate with Istio/Envoy
OpenFGA as a Managed Backend, Fully Integrated with Keymate
Officially supported OpenFGA deployment running as a dedicated backend service, managed by the platform
Smarter Tokens, Powered by Risk Signals and HR Data
Enrich every session token with dynamic signals from external Risk Engines and HRMS platforms for context-aware authorization
Adapt Instantly to Delegation and Absence Events
React to real-time HRMS events for delegation and leave, automatically adjusting permissions and ensuring scoped access
Seamless Transition—Without Breaking Your Existing IAM
Enable safe, staged migration from legacy IAM systems by operating in parallel mode with token exchange support
External Integrations Made First-Class—via gRPC and REST
Dual-mode Event Subscription API for external systems to stream data into Keymate Event Hub securely and efficiently
Manage Event Subscriptions with Confidence and Control
Centralized interface and robust API for defining, validating, and maintaining event subscriptions with identity binding and audit logging
Transform Once, Deliver Everywhere—Format-Aware Event Publishing
Outbox Publisher transforms and routes events to Kafka topics based on subscriber format and delivery rules with schema validation
Keep Your Events Clean, Typed, and Safe—by Design
Built-in schema validation layer that checks every event against expected schemas before delivery with quarantine capabilities
One Catalog. All Events. All APIs. IAM-Aware.
Unified catalog provides single pane of glass to view APIs and events with linked IAM policies, visual discovery, and automated ingestion
Compliance (9)
See Everything, Miss Nothing—From Tokens to Topics
Native OpenTelemetry instrumentation with SigNoz integration for end-to-end observability across authentication, authorization, and event pipelines
Centralized Audit Trails You Can Actually Trust
Comprehensive audit logging that records every IAM event with structured, queryable logs for compliance, forensics, and operational monitoring
Compliance That's Native, Not Bolted-On
Built-in privacy and security controls aligned with KVKK, GDPR, and ISO 27001 for secure, transparent, and auditable IAM
Monitor Authorization Decisions—As They Happen
Stream every access decision—grants, denials, reasons, token context, and matched policies—into a Kafka-based event pipeline in real time
Full Traceability for Event Subscriptions
Log every subscription creation, update, and deletion action—capturing actor identity, resource context, policy bindings, and downstream impacts
Catch Every Event Error—Before It Becomes a Problem
Capture and classify every failure during event transformation with structured logs at INFO, WARN, and ERROR levels for operations, compliance, and development
Keycloak Logs Reimagined for Modern Observability
Beyond Defaults—Telemetry-Ready, Policy-Aware, Multi-Tenant Logging for IAM Core
Follow the Full Journey of Every Event
From Producer to Policy Enforcement—Trace Every Event Across Your IAM Landscape
A Single Source of Truth for Security and Compliance
Immutable, Tenant-Aware, and Fully Traceable Audit Logging for Everything That Matters
Deployment (5)
Cloud-Native IAM, Deployed the GitOps Way
Zero-Friction, GitOps-Friendly IAM Deployment on Any K8s Cluster
Deploy Anywhere—Even Without Internet
IAM That Works in Offline, Highly Regulated, and Zero-Trust Environments
Your IAM, Inside Your Cloud
Dedicated IAM Deployments, Fully Isolated Within Your Own Cloud Network
SaaS Without Compromise
Fully Isolated, SLA-Backed IAM Hosting—Delivered as a Hard-Tenant Cloud Service
Seamless IAM Across Environments—Without Configuration Drift
Promote, Isolate, and Govern IAM Across Dev, Test, and Prod
Platform (4)
A Secure Foundation for IAM Admin Interfaces
A React + Next.js Framework Optimized for Secure, Scalable IAM Frontends
One Console to Govern All Access
A Centralized, Secure, Tenant-Aware UI for IAM Governance
Modular by Design. Tailored by Need.
Modular IAM Console Components for Tenant-Specific Governance Needs
Write Complex Policies—Visually or in Code
Fast, Safe, and Human-Readable Policy Authoring for All Teams