Your Product Needs a Source of Truth. This is Enterprise Identity.
Stop rebuilding user tables and complex team invitation flows. Drop in a production-ready Go microservice that handles multi-tenancy, device sessions, granular RBAC, and dynamic metadata—accessible via REST, gRPC, and native MCP server. Integrated with the Ory stack and built for both human developers and AI agents.
The Problem: "Just Add Users" Never Stays Simple
Every B2B SaaS starts with a simple users table. Six months later, you are drowning in complex edge cases: Can a user belong to multiple workspaces? How do we handle bulk email invitations? What if an enterprise customer demands Zitadel instead of Ory Keto? Building a secure, multi-tenant identity architecture from scratch is a massive drain on engineering resources.
The Solution: A Ready-Made, Enterprise Identity Layer
The Launch Rail Identity Service provides a clean, bounded context for all user and company management. Built in Go and exposed via ConnectRPC, it delivers strictly typed REST and gRPC endpoints to handle everything from user preferences to workspace routing.
Core Capabilities Out-of-the-Box
Skip building table structures and endpoints. Focus on your product.
True Multi-Tenancy (Workspaces)
Users can seamlessly belong to multiple Companies (Tenants) and switch contexts. The API natively handles retrieving the user's active workspaces.
Advanced Team Routing
Inside a company, organize members into Teams to drive bulk authorization rules, segment access, and manage department-level settings.
Frictionless Onboarding
Stop writing custom invitation scripts. Our MembershipService handles single invites, bulk batch invites (up to 50 at once), invitation revoking, and expiration TTLs.
Dynamic Metadata
Need to store a custom CRM ID or onboarding flags? Use UpsertUserMeta to attach validated JSON metadata directly to users or companies without touching your schema.
Built for High Throughput
A clean, stateless architecture that scales horizontally. Decoupled inputs and outputs ensure zero-downtime operations.
REST / gRPC
ConnectRPC Gateway
MCP Server
AI Agent Interface
Service Logic
Domain Engine
PostgreSQL
ACID Compliant Storage
NATS / CloudEvents
Async Broadcasting
Architectural Superpowers: Agnostic & Pluggable
We engineered this service to integrate cleanly into your existing infrastructure, avoiding restrictive vendor lock-in.
Pluggable Authorization (RBAC)
Map predefined roles (Owner, Admin, Manager, Member, Guest) to your access control lists. Use env vars to smoothly swap between Ory Keto, Zitadel, or a direct PostgreSQL mirror.
Zero-Code Policy Overrides
Need to tweak exactly what a 'Manager' can do? Use the AUTH_POLICY_OVERRIDES JSON environment variable to redefine role-to-permission mappings dynamically on startup.
Agnostic Event Broadcasting
Publishes domain events (like 'User Created') to the rest of your microservices. Swap between NATS JetStream, RabbitMQ, SQS, or Pub/Sub with a single configuration flag.
Native Device Management
Track active sessions and manage Push Notifications. Register FCM tokens per device (iOS, Android, Web) to easily orchestrate targeted cross-platform alerts.
Implementation Examples
Developer-first by design. Access full-featured gRPC, REST, and MCP endpoints out of the box. Our services use ConnectRPC for lightweight, production-grade communication.
Developer Experience: Modify with Absolute Confidence
When you buy source code, your biggest fear is breaking it. We built the Identity Service to be customized safely.
Rigorous Test Coverage
Comprehensive unit and integration test suites included. When you fork the logic, run `make test` to verify you haven't broken the core tenant isolation or authorization flows.
Pre-Instrumented Observability
Ships with native OpenTelemetry tracing and structured slog logging. Track an invitation request from the gRPC gateway all the way down to the PostgreSQL query.
Interactive CLI Tool
Manage your local and staging environments effortlessly. The included binary allows you to create companies, provision teams, and manage user sessions directly from your terminal.
Embedded Documentation
Open API / Swagger docs are generated directly from the protobuf definitions and embedded into the binary. Your frontend team will always have up-to-date specs.
Manage your infrastructure from the Terminal.
One-command provisioning
Create users, tenants, and roles without touching the UI.
Secure Key Management
Easily rotate API keys and manage workspace secrets.
Environment Sync
Synchronize permissions across staging and production.
AI Agents Talk to Identity Natively
Every Launch Rail service ships with a built-in MCP server. Your AI agents can discover tools, read resources, and execute actions—no wrappers, no custom integrations.
MCP Tools
Actions agents can execute
create_userRegister a new user with email, name, and metadata
invite_memberSend a workspace invitation with role assignment
assign_roleUpdate a member's RBAC role within a company
switch_workspaceChange a user's active tenant context
MCP Resources
Data agents can read
identity://users/{id}Full user profile with metadata and active sessions
identity://companies/{id}/membersAll members of a workspace with roles and status
identity://users/{id}/workspacesList of all workspaces a user belongs to
In Practice
What this looks like
“Invite john@acme.com to the Engineering workspace as a Manager and notify them via Slack”
Calls invite_member tool → creates invitation with Manager role → triggers notification event via NATS → confirms invitation sent with 7-day TTL.
Build vs. Buy Launch Rail
Why spend 4 months building table structures and plumbing when you can start shipping features tomorrow?
Build it Yourself
The "Not Invented Here" approach
Diving into low-level plumbing means your engineers aren't building your core product features. You risk security vulnerabilities and maintenance debt.
Buy Launch Rail
The "Speed of Light" approach
Get the source code, deploy it in minutes, and focus on what makes your business unique. Zero technical debt, enterprise-ready from day one.
| Feature Comparison | Self-Built | Launch Rail |
|---|---|---|
| Multi-tenant Isolation | ||
| ConnectRPC (gRPC + REST) | ||
| Native MCP Server Support | ||
| OTel Tracing & Metrics | ||
| Built-in SDKs (Go, TS) | ||
| Production-ready CLI tool |
Real-World Value: Identity in Action
See how teams across industries use Identity to ship faster, reduce costs, and deliver enterprise-grade experiences from day one.
Multi-Clinic Patient Portals
A patient belongs to multiple clinic workspaces. Identity handles cross-workspace sessions, per-clinic RBAC (Doctor vs Receptionist vs Patient), and HIPAA-compliant metadata storage.
School District Management
District admins manage thousands of teachers across schools. Bulk invitations, nested team structures (District → School → Department), and dynamic role assignments make this trivial.
Multi-Entity Corporate Banking
A CFO accesses multiple subsidiary accounts. Identity provides secure workspace switching, device session tracking, and pluggable authorization to meet SOC2 and PCI-DSS requirements.
Seller & Buyer Dual Roles
Users can be both a buyer and a seller on the same platform. Identity handles dual-context workspaces, team invitations for seller storefronts, and custom metadata per role.
Why Buy the License? (The ROI)
Building a secure identity system with multi-tenancy, cross-workspace routing, pluggable OIDC integration, and comprehensive test coverage takes a dedicated platform team over 4 months.
Buy the Launch Rail Identity module today and get the complete, production-ready Go codebase.
K8s Ready
Deploy to Kubernetes or Cloud Run with provided configs.
Total Compliance
Own your user data entirely to satisfy strict SOC2/GDPR limits.
Native Ecosystem
Seamlessly connect it to the rest of the Launch Rail modules.
Ready to secure your SaaS identity?
Common Questions & Answers
Everything you need to know about integrating and hosting this Launch Rail service.