Identity for the K8Box family · early access
One identity layer across every product in your SaaS family.
Atrium wraps Zitadel and adds the three things Zitadel deliberately leaves to you: a multi-tenant Organisation → Tenant → User hierarchy, a cross-product Cedar PDP, and RFC 8693 token exchange that mints 60-second, audience-scoped tokens for use between products.
What Atrium adds on top of Zitadel
The three things Zitadel deliberately leaves to you.
OIDC, SAML, OAuth 2.0, FIDO2/WebAuthn — Zitadel solves all of these. Atrium picks up where Zitadel stops: the layers a multi-product SaaS family actually needs.
Multi-tenant by design
Organisation → Tenant → User. Atrium’s Postgres is the system of record for organisations; Zitadel handles the protocol surface and identity storage at the tenant boundary.
Cross-product authorization
One Cedar PDP answers (subject, action, resource) queries from every product’s PEP — allow/deny + reason, with an automatic audit log. One language, one decision point, one trail.
60-second token exchange
RFC 8693 token exchange mints short-lived (60-second), audience-scoped tokens for cross-product UI fragments. The actor whitelist (which service account may delegate for which target audience) lives in Atrium’s Postgres — one row per product pairing; a request whose (actor, audience) pair has no row is refused.
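The exchange described above, as an added illustration in Python (this is not Atrium's or Zitadel's code). Assumptions: HMAC-signed compact tokens stand in for the OIDC JWTs Zitadel would issue and verify; an in-memory set stands in for the Postgres whitelist table; the issuer URL, audiences and service-account names are made up. The shape of the request, the `act` claim and the `invalid_target` error are from RFC 8693.

```python
"""RFC 8693 token exchange with an actor whitelist (added illustration)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# ASSUMPTION: HMAC-signed compact tokens stand in for Zitadel-issued JWTs;
# one shared key keeps the example self-contained and offline.
SIGNING_KEY = b"example-only-key-not-for-production"
ISSUER = "https://atrium.k8box.example"  # hypothetical

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
EXCHANGED_TOKEN_TTL = 60  # seconds; the 60-second token from the page

# Constructed stand-in for the Postgres whitelist: one row per
# (delegating service account, target audience) pairing.
ACTOR_WHITELIST = {
    ("svc-billing@k8box", "https://support.k8box.example"),
    ("svc-support@k8box", "https://billing.k8box.example"),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Issue a compact <payload>.<hmac> token over the given claims."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: float) -> dict:
    """Check signature and expiry; raise ValueError on any failure."""
    payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def exchange(form: dict, now: Optional[float] = None) -> dict:
    """Token-endpoint handler for the RFC 8693 grant; returns the JSON body."""
    now = time.time() if now is None else now
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    audience = form.get("audience")
    if (not audience or "subject_token" not in form or "actor_token" not in form
            or form.get("subject_token_type") != ACCESS_TOKEN_TYPE
            or form.get("actor_token_type") != ACCESS_TOKEN_TYPE):
        return {"error": "invalid_request"}
    try:
        subject = verify_token(form["subject_token"], now)
        actor = verify_token(form["actor_token"], now)
    except (ValueError, KeyError):
        return {"error": "invalid_grant"}
    # The actor token must have been issued to this token service itself.
    if actor.get("aud") != ISSUER:
        return {"error": "invalid_grant"}
    # Whitelist row decides which service account may delegate for which audience.
    if (actor["sub"], audience) not in ACTOR_WHITELIST:
        return {"error": "invalid_target"}
    claims = {
        "iss": ISSUER,
        "sub": subject["sub"],          # the end user stays the subject
        "aud": audience,                # scoped to the target product only
        "iat": int(now),
        "exp": int(now) + EXCHANGED_TOKEN_TTL,
        "act": {"sub": actor["sub"]},   # RFC 8693 section 4.1 delegation claim
    }
    return {
        "access_token": sign_token(claims),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": EXCHANGED_TOKEN_TTL,
    }
```

The receiving product verifies the exchanged token exactly as it would any other: signature, `aud` equal to its own identifier, `exp` not passed. Because `exp` is pinned to 60 seconds after issuance and `aud` to one product, a token that leaks from a UI fragment is useless against any other product and dead within a minute.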
Why teams pick Atrium
Standards-based
OIDC, SAML 2.0, FIDO2/WebAuthn, OAuth 2.0 Token Exchange — nothing proprietary. Adopt mature open-source for solved problems; build only the layers above.
EU-sovereign
Zitadel is developed in Switzerland and Germany. Atrium is hosted on Hetzner in Falkenstein and Nuremberg, Germany, so no personal data crosses the Atlantic. Schrems II is not your problem; GDPR is the baseline by default.
Audit trail by default
Every PDP decision is sealed and retained for ten years — subject, action, resource, allow/deny, reason, timestamp. The token-exchange actor whitelist is versioned alongside.
ISO 27001:2022 certified
Audited information-security management system. Identity is the hardest trust boundary in any SaaS — ours sits inside a continuously-reviewed ISMS scope.