Skip to content

Identity overview

The Nyuchi identity layer is built on WorkOS, fronted by identity.nyuchi.com. Every Nyuchi product, every Mzizi mini-app, and every mzizi-tools API call ultimately authenticates against the same JWT shape.

  • Hosted sign-in (AuthKit) — the sign-in doctrine: one WorkOS environment, per-app AuthKit applications, required MFA on the hosted page, the shared session that gives continuous sign-in across apps, the Next.js integration pattern, and the per-app configuration checklist.
  • WorkOS setup — project layout, environments, the directory sync model.
  • identity.nyuchi.com — allowed redirect origins, branded login, and the /.well-known/ endpoints we expose.
  • Organisations — the org model, org-scoped roles, how orgs map to billing and to Console plans.
  • SSO — connecting customer IdPs (SAML / OIDC), domain claiming, the JIT-provisioning rules.
  • JWT shape — the canonical Nyuchi JWT: claims, audience, issuer, short-lived access tokens vs. refresh, and the verification pattern every Nyuchi service implements.
  • Service-to-service — machine identities, scoped tokens, and how background workers authenticate.