Core concepts
OrthID rests on a small set of ideas. Learn these five and the rest of the docs read like common sense.
OrthID gives every thing that can act in your product a verifiable identity, then verifies, scopes and audits everything that identity does. There are three kinds of actor: a human, an organisation, and an AI agent. Each authenticates, holds a session, and carries tokens that prove who it is and what it may do.
Two cross-cutting ideas shape the rest. Every actor and every byte of their data lives inside a region you choose, and it stays there. And every action is gated by RBAC: roles and scopes that grant the least privilege needed for the job. An agent never gets more reach than the person it acts for.
Read the concept pages in order, or jump to what you need:
- The three actors - who and what can hold an identity. Humans, organisations and AI agents are all first-class principals.
- Sessions - the lifecycle of a signed-in actor. How OrthID tracks a signed-in actor across devices and requests.
- Tokens & token exchange - JWTs and on-behalf-of delegation. JWT claims, access vs refresh tokens, and on-behalf-of delegation.
- Regions & sovereignty - residency, keys and data boundaries. Data residency, region pinning and customer-managed keys.
- RBAC & permissions - roles, scopes and least privilege. Roles, scopes and least privilege, for people and for agents.