Identity for teams and their agents.

Auth is the identity backbone for every AI Hero deployment. It speaks OAuth 2.1 and OIDC, ships 2FA and passkeys by default, and is built for a world where the thing on the other side of an access token might be an agent rather than a person.

Every customer app runs in its own dedicated VPC; Auth is the single sign-on layer above. Tokens are scoped to the app that issued them, so a credential for one deployment cannot be replayed against another.

Bespoke SaaS still needs serious identity. We tried the off-the-shelf options and kept finding the same problem: they treat agents as second-class clients or don't model multi-tenant data planes at all. Auth was the first solution we extracted because every engagement needs it on day one.

OIDC out, OAuth in. Single global sign-on via auth.aihero.studio. Sessions are scoped to the customer app that issued them; tokens cannot be replayed across deployments. The authorization server runs as a hardened workload inside our SOC 2 Type 2 certified cloud.

Every customer engagement uses Auth from the first day. We wire it to the customer's identity providers (Google, Microsoft, SAML, whatever they need) and run it for them. They do not run an IdP; we do.