
Organizational Context Inside Every Token

Keymate enriches identity tokens with deep organizational context—like department, unit, title, and session role—enabling scoped, policy-aware decisions for every request. No hacks, no guesswork.

Context-Rich Tokens for Scoped and Precise Authorization Decisions

How Org-Aware Tokens Power Scoped Authorization

With Keymate, each session token carries rich metadata about the user's organizational context: assigned organization and department, session-specific role (or delegated "hat"), position, clearance level, and more. This context is stored in Keycloak session notes and injected into the token at login. Authorization decisions can then evaluate org-unit-based scopes, enabling policies like "Allow if user is from the same department", "Only supervisors from this unit may approve", or "Grant access if user holds a delegated role within org X". Because the context travels inside the token, it is only as trustworthy as the token itself: a relying party must verify the signature and expiry before evaluating any of these claims. Scoped access control becomes precise, traceable, and centrally managed across APIs, services, and meshes.

Token Enrichment Flow

Policies can evaluate org-unit scopes, such as department, role, or unit, for precise and traceable access control.

What Makes It Unique

Org-Unit Enriched Tokens

Tokens carry department, org ID, position, clearance, and delegated role info.

Runtime Scoped Policies

Authorizations can use real-time org context for more accurate decisions.

Delegated Role Binding

Temporarily act on behalf of another role within your org unit—securely scoped.

Session-Aware Impersonation

Admins can impersonate users only within org-bound restrictions, so impersonation cannot become a privilege-escalation path.

Keycloak Session Note Sync

Leverages native Keycloak session notes without custom token injection hacks.

OpenFGA-Ready Context

All org-unit data is mapped to an OpenFGA model for high-performance checks.

Frequently Asked Questions

It means that every token includes real-time details like which organization, department, or role the user is operating under—enabling scoped and accurate access decisions.
Yes. Keymate dynamically injects org-context using session notes and structured enrichment, without requiring token mappers or custom code.
Absolutely. Delegated roles are session-bound and stored in tokens, making temporary authorization easy to enforce and audit.
Yes. The policy DSL and the OpenFGA integration fully support evaluating tokens by org, department, position, and even impersonated roles.

How to Use This Feature

Follow these simple steps to enrich your tokens with organizational context.

Implementation Steps

1. Configure your org/dept structure in the Admin Console
2. Assign users to their default org units
3. Use the Delegation module to define "hats" or temp roles
4. During login, Keymate stores the selected org context into session notes
5. Tokens are automatically enriched from session notes
6. Write policies using token.org, token.user.department, etc.
7. View session logs and org-scope audits in the observability dashboard
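The three policies quoted under "How Org-Aware Tokens Power Scoped Authorization", the delegation and impersonation constraints listed under "What Makes It Unique", and step 6 above (writing policies against token claims), worked through as an added example in Python. This is not Keymate's own code or policy DSL: the claim names (org, department, unit, position, sid, hat, impersonator) and the nested layout of the delegated hat are assumptions for illustration, so check which claims your deployment actually emits. Keycloak signs tokens with RS256 by default and a relying party would verify them against the realm's JWKS; the example signs with HS256 and a shared secret only so that it runs offline, while still making the point that no policy should be evaluated on unverified claims.

```python
"""Org-scoped policy checks over claims from a verified token.

Added example, not Keymate's code. Claim names are assumptions; HS256 with a
shared secret stands in for Keycloak's RS256/JWKS verification so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"  # constructed for the example only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a signed HS256 token so there is something to verify."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verified_claims(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims only once signature and expiry check out.

    Policies must never run on unverified claims: whoever can hand the service
    an unsigned or forged token would otherwise pick their own department,
    position or delegated hat.
    """
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def active_hat(claims: dict):
    """The delegated hat counts only if it is bound to this session (sid) and
    stays inside the user's own org; anything else is ignored."""
    hat = claims.get("hat")
    if not hat or hat.get("sid") != claims.get("sid") or hat.get("org") != claims["org"]:
        return None
    return hat


def effective_org(claims: dict) -> dict:
    """Org context in force: the home assignment, overlaid by an active hat."""
    ctx = {"org": claims["org"], "department": claims["department"],
           "unit": claims.get("unit"), "position": claims.get("position")}
    hat = active_hat(claims)
    if hat:
        ctx["position"] = hat["position"]
        ctx["unit"] = hat.get("unit", ctx["unit"])
    return ctx


def same_department(claims: dict, resource_department: str) -> bool:
    """'Allow if user is from the same department'."""
    return effective_org(claims)["department"] == resource_department


def may_approve(claims: dict, unit: str) -> bool:
    """'Only supervisors from this unit may approve'."""
    ctx = effective_org(claims)
    return ctx["position"] == "supervisor" and ctx["unit"] == unit


def holds_delegated_role(claims: dict, org: str, position: str) -> bool:
    """'Grant access if user holds a delegated role within org X'."""
    hat = active_hat(claims)
    return hat is not None and hat["org"] == org and hat["position"] == position


def impersonation_allowed(claims: dict) -> bool:
    """Impersonation stays org-bound: an admin acting as a user may not be
    doing so from outside that user's org."""
    imp = claims.get("impersonator")
    return imp is None or imp.get("org") == claims["org"]


# Constructed sample: analyst alice wearing a session-bound "supervisor" hat.
NOW = 1_700_000_000
ALICE = mint_token({
    "sub": "alice", "sid": "sess-1", "exp": NOW + 300,
    "org": "acme", "department": "finance", "unit": "payables", "position": "analyst",
    "hat": {"sid": "sess-1", "org": "acme", "unit": "payables", "position": "supervisor"},
})

if __name__ == "__main__":
    c = verified_claims(ALICE, now=NOW)
    print(same_department(c, "finance"), may_approve(c, "payables"),
          holds_delegated_role(c, "acme", "supervisor"), impersonation_allowed(c))
```

Two failure modes are worth exercising: a hat whose sid does not match the current session drops the user back to their home position, so the supervisor-only approval is refused, and a token minted with any other key fails verification before a single policy runs.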

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.