Smarter Tokens, Powered by Risk Signals and HR Data

Keymate enriches every session token with dynamic signals from external Risk Engines and HRMS platforms. This enables context-aware, organization-sensitive, and risk-adaptive authorization decisions—right at the policy layer.

From Identity to Context-Rich Sessions

Traditional tokens only identify the user. Keymate goes further by enriching tokens with:

Organizational attributes: department, unit, role, manager, clearance.
Session-bound delegation data: "acting as" roles, temp access (hat).
Risk signals: IP reputation, geolocation mismatch, time anomaly, device fingerprint, risk score.
HRMS-derived context: title, employment status, supervisor chain, leave status.

These attributes are injected during login via integration with:

Risk Engine APIs (e.g., location scoring, device risk).
HRMS systems, via event-driven sync or direct API.
Keycloak session notes, which carry the enriched context into tokens.

All of this feeds into Keymate's DSL and OpenFGA policies, enabling real-time decisions like:

"Allow only if riskScore < 70 and user is not on leave"
"Allow if acting role is permitted and org matches"
"Deny login if device risk is high and department is finance"

Context-Rich Token Enrichment

Enrich session tokens with dynamic risk signals and organizational context for intelligent, adaptive authorization decisions.

Example: Dynamic signals from Risk Engines and HRMS platforms

Key Components:

Risk Engine Integration
HRMS Data Sync
Session Note Enrichment
Dynamic Token Context
Policy-Aware Decisions

What Makes It Unique

Dynamic Token Enrichment

Risk and HR signals injected at login and stored in session notes

Session-Aware Delegation

HRMS-based roles like deputy, interim, or "hat" stored in token

Real-Time Risk Evaluation

IP, time, location, and device-based risk scoring APIs

Event-Based HRMS Sync

Uses Kafka-based updates to reflect HR data changes instantly

DSL-Accessible Risk Signals

Use token.riskScore, token.onLeave, token.deviceTrust in policies

OpenFGA-Compatible Context

Enriched values are used as relation parameters in ReBAC decisions

Keycloak Session Notes Integration

Fully compatible with native session structure—no hacks

Frequently Asked Questions

Any engine with an API. IP, location, device, and anomaly scores can be queried during login.
Via direct API calls, scheduled sync, or Kafka-based event ingestion.
Yes. Enrichment can also happen on token refresh or session renewal events.
Yes. Enriched values are stored in session notes and injected into tokens natively.

How to Use This Feature

Follow these steps to enable risk and HRMS token enrichment.

Implementation Steps

1. Connect your HRMS system and Risk Engine via API or event stream
2. Map relevant user attributes (e.g., clearance, org, leaveStatus, actingRole)
3. Configure login flow to enrich session notes from external data
4. Inject these notes into tokens using Keymate's session enrichment flow
5. Write DSL or OpenFGA policies using enriched token claims
6. Monitor enriched sessions and policy triggers in observability dashboards
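The following is an added example, not Keymate's DSL, Keycloak SPI code, or OpenFGA: it walks steps 3 to 5 above in plain Python, building session notes from constructed Risk Engine and HRMS responses, injecting them into a token, and evaluating the three decisions quoted earlier on this page ("riskScore < 70 and not on leave", "acting role permitted and org matches", "deny if device risk is high and department is finance"). The claim names riskScore, onLeave, deviceTrust, actingRole, org and department come from the page; the payload layout, the shape of the external records, the PERMITTED_ACTING_ROLES table and every function name are assumptions made for the example.

```python
"""Illustrative enrichment-and-policy walk-through (added example, not Keymate code).

Claim names follow the Keymate page; record shapes and helper names are assumptions.
"""

from typing import Any

# Constructed data standing in for what the Risk Engine and HRMS would return at login.
RISK_ENGINE_RESPONSE = {"riskScore": 42, "deviceTrust": "high", "geoMismatch": False}
HRMS_RECORD = {
    "department": "finance",
    "org": "acme-eu",
    "title": "Controller",          # deliberately NOT allow-listed below
    "employmentStatus": "active",
    "onLeave": False,
    "actingRole": "deputy-controller",
}

# Hypothetical org -> permitted acting roles table (stand-in for an OpenFGA relation).
PERMITTED_ACTING_ROLES = {"acme-eu": {"deputy-controller", "interim-manager"}}


def enrich_session_notes(risk: dict[str, Any], hr: dict[str, Any]) -> dict[str, Any]:
    """Step 3: build session notes from external data.

    Only an explicit allow-list of attributes is copied, so a field the HRMS
    starts returning later cannot silently turn into a token claim.
    """
    notes: dict[str, Any] = {}
    for key in ("riskScore", "deviceTrust", "geoMismatch"):
        if key in risk:
            notes[key] = risk[key]
    for key in ("department", "org", "employmentStatus", "onLeave", "actingRole"):
        if key in hr:
            notes[key] = hr[key]
    return notes


def issue_token(subject: str, notes: dict[str, Any]) -> dict[str, Any]:
    """Step 4: inject the session notes into the token as claims."""
    token: dict[str, Any] = {"sub": subject}
    token.update(notes)
    return token


def low_risk_and_not_on_leave(token: dict[str, Any]) -> bool:
    """'Allow only if riskScore < 70 and user is not on leave'.

    Missing signals fail closed: no score counts as maximum risk and an
    unknown leave status counts as on leave.
    """
    return token.get("riskScore", 100) < 70 and token.get("onLeave", True) is False


def acting_role_permitted(token: dict[str, Any], resource_org: str) -> bool:
    """'Allow if acting role is permitted and org matches'."""
    allowed = PERMITTED_ACTING_ROLES.get(resource_org, set())
    return token.get("org") == resource_org and token.get("actingRole") in allowed


def high_device_risk_in_finance(token: dict[str, Any]) -> bool:
    """'Deny login if device risk is high and department is finance'.

    High device risk is modelled here as deviceTrust == "low".
    """
    return token.get("deviceTrust") == "low" and token.get("department") == "finance"


def authorize(token: dict[str, Any], resource_org: str) -> tuple[bool, list[str]]:
    """Step 5: combine the rules. An explicit deny wins; otherwise every allow rule must hold."""
    if high_device_risk_in_finance(token):
        return False, ["deny: high device risk in finance"]
    reasons: list[str] = []
    if not low_risk_and_not_on_leave(token):
        reasons.append("riskScore/onLeave check failed")
    if not acting_role_permitted(token, resource_org):
        reasons.append("acting role not permitted for org")
    return (not reasons), reasons


if __name__ == "__main__":
    token = issue_token("alice", enrich_session_notes(RISK_ENGINE_RESPONSE, HRMS_RECORD))
    print(token)
    print(authorize(token, "acme-eu"))
    # The same user after the HRMS reports leave: the first allow rule now fails.
    on_leave = issue_token("alice", enrich_session_notes(RISK_ENGINE_RESPONSE, {**HRMS_RECORD, "onLeave": True}))
    print(authorize(on_leave, "acme-eu"))
```

Two design choices are worth copying into a real deployment: the allow-list in enrich_session_notes keeps the token surface stable when upstream schemas change, and the fail-closed defaults in low_risk_and_not_on_leave mean a Risk Engine outage degrades to deny rather than to allow.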

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.