Overview
ArrowLabs Auth is a hosted, multi-tenant identity platform. This page is the mental model you need before integrating.
Organisations are the tenant boundary
Every user, application, session, and event belongs to exactly one organisation. Cross-organisation access is impossible by design. Each org has its own branded sign-in at {orgslug}.arrowlabs.co.uk.
Applications are your clients
An application is a registered OAuth client — your app. It has a client_id (and, for confidential clients, a client_secret), a set of redirect URIs, and the platform events it subscribes to. Users are granted access to applications.
Two token surfaces
| Token | What it is | Lifetime |
|---|---|---|
| Access token | An RS256 JWT, audience-bound to your client_id. Validated offline against the platform JWKS. | 15 minutes |
| Refresh token | Opaque, rotated on every use, replay-detected. | 30-day sliding / 90-day absolute |
Your API validates access tokens locally — the auth API is never on your request hot path. See Tokens & validation.
OAuth 2.1 + OIDC
Users authenticate through the Authorization Code flow (confidential clients) or Authorization Code + PKCE (public clients — SPAs, mobile). The plain code_challenge_method is rejected; only S256 is accepted. See OAuth & PKCE.
Platform events
State changes (a user registered, was suspended, had roles changed, …) are published as platform events to a RabbitMQ topic exchange via a transactional outbox. Your application binds a queue and consumes the events it cares about. See Platform events.
Two SDKs
- @arrow-labs/auth-sdk (TypeScript) — browser core, React adapter, Node server helpers, event consumer.
- ArrowLabs.Auth.Client (.NET) — JWT bearer validation, OAuth client, hosted event consumer.
Both expose the same concepts with idiomatic surfaces for their ecosystem.