⚠ DEMO ENVIRONMENT
Fine-Grained Authorization for Healthcare
🚀 Coming Soon: Enterprise FGA

Secure access control
for healthcare systems

Enterprise AuthHub provides relationship-based access control (ReBAC) as a service for healthcare organisations. Define who can access what, down to individual patient records and clinical workflows.

Fine-Grained Authorization (ReBAC)

Relationship-Based Access Control

Model complex healthcare access patterns using relationships (ward membership, care teams, organisation hierarchy), powered by Google Zanzibar architecture.

Relationship Tuples

Define who can access what using subject→relation→resource facts. Supports direct, indirect, and inherited permissions.

Schema-Driven Policies

Declarative SpiceDB schema language. Dry-run validation, breaking change detection, and version history.

Sub-5ms Evaluations

Permission checks at P95 < 5ms. Built on SpiceDB with CockroachDB backing for consistency and speed.

FGA Playground

Test authorization queries interactively against live data. Expand relationship trees to debug access paths.

LookupResources & LookupSubjects

Find all resources a user can access, or all users who can access a resource. Cursor-paginated.

Namespace Isolation

Each sub-tenant gets a unique namespace prefix. Cross-tenant access is impossible by construction.

OpenID AuthZEN 1.0

Standards-Based Policy Evaluation

Industry-standard AuthZEN evaluation endpoint with SARC model, AI agent governance, AARP break-glass obligations, and declarative payload mapping.

AuthZEN Evaluation

POST /authzen/v1/evaluation: standard SARC (Subject, Action, Resource, Context) model with boolean decisions.

AI Agent Registry

Register and govern AI agents with scope bounds. 12 agent types from CDS to imaging AI. Gateway pre-filter at sub-ms.

Break-Glass (AARP)

Emergency access with AARP obligations. Configurable eligibility, witness requirements, TTL, and auto-expiry.

COAZ Payload Mapping

Declarative JSONPath mappings translate FHIR, HL7, and custom payloads into SARC format. No code changes needed.

Auto-Rollback

Monitors activated mappings for error rates. >5% failures in 1 minute triggers automatic revert to previous version.

Evaluation Metrics

Per-stage latency tracking (JWT, mapping, SpiceDB, audit). Prometheus-compatible. k6 load tested at 1000 req/s.

SCIM 2.0 Provisioning

Identity Lifecycle Automation

Connect your identity provider to automatically sync users and groups. Support for 18+ enterprise IdPs out of the box.

Automatic User Sync

Users and groups provisioned from your IdP appear instantly in AuthHub. Deprovisioning removes access in real-time.

18+ Identity Providers

Entra ID, Okta, PingFederate, PingOne, Google Workspace, OneLogin, SailPoint, Saviynt, ForgeRock, CyberArk, and more.

Group Membership Sync

IdP groups map directly to relationship tuples. Add a user to a group in Entra ID → they gain access in AuthHub.

Sync Dashboard

Real-time stats: users synced, groups mapped, last sync time, error rates. Paginated user/group browsers.

Bearer Token Auth

Each SCIM connection gets unique credentials. Rotate tokens without disrupting other connections.

Server-Side Filtering

Full SCIM filter support (eq, co, sw). Pagination with startIndex/count for directories with 10,000+ users.

How it works

Three steps to production-ready authorization for your healthcare system.

1. Register

Authenticate with your identity provider, validate your organisation code, and receive API credentials in minutes.

2. Define Your Schema

Model your access patterns using SpiceDB's intuitive schema language. Preview changes with dry-run diffs.

3. Integrate

Call our API from your application to check permissions. One HTTP request, sub-millisecond response.

Built for healthcare compliance & clinical safety

DSPT Compliant

7-year immutable audit trail

CIS2 Authenticated

National identity federation

DCB0129 Ready

Clinical safety governance

UK Data Residency

All data stays in the UK

GDPR Article 17

Right to erasure with data locks

Fail-Closed Security

503 on outage, never default-allow

HSM Key Storage

FIPS 140-2 Level 3 (add-on)

OpenID AuthZEN 1.0

Standards-compliant evaluation

Ready to secure your healthcare application?

Register in minutes. No procurement process required for the standard tier.
