The Complete B2B Identity and Workspace Engine.
Stop rebuilding user tables and complex team invitation flows. Drop in a production-ready Go microservice that handles multi-tenancy, device sessions, granular RBAC, and dynamic metadata—accessible via REST, gRPC, and native MCP server. Integrated with the Ory stack and built for both human developers and AI agents.
The Problem: "Just Add Users" Never Stays Simple
Every B2B SaaS starts with a simple users table. Six months later, you are drowning in complex edge cases: Can a user belong to multiple workspaces? How do we handle bulk email invitations? What if an enterprise customer demands Zitadel instead of Ory Keto? Building a secure, multi-tenant identity architecture from scratch is a massive drain on engineering resources.
The Solution: A Ready-Made, Enterprise Identity Layer
The Launch Rail Identity Service provides a clean, bounded context for all user and company management. Built in Go and exposed via ConnectRPC, it delivers strictly typed REST and gRPC endpoints to handle everything from user preferences to workspace routing.
Core Capabilities Out-of-the-Box
Skip building table structures and endpoints. Focus on your product.
True Multi-Tenancy (Workspaces)
Users can seamlessly belong to multiple Companies (Tenants) and switch contexts. The API natively handles retrieving the user's active workspaces.
Advanced Team Routing
Inside a company, organize members into Teams to drive bulk authorization rules, segment access, and manage department-level settings.
Frictionless Onboarding
Stop writing custom invitation scripts. Our MembershipService handles single invites, bulk batch invites (up to 50 at once), invitation revoking, and expiration TTLs.
Dynamic Metadata
Need to store a custom CRM ID or onboarding flags? Use UpsertUserMeta to attach validated JSON metadata directly to users or companies without touching your schema.
Architectural Superpowers: Agnostic & Pluggable
We engineered this service to integrate cleanly into your existing infrastructure, avoiding restrictive vendor lock-in.
Pluggable Authorization (RBAC)
Map predefined roles (Owner, Admin, Manager, Member, Guest) to your access control lists. Use env vars to smoothly swap between Ory Keto, Zitadel, or a direct PostgreSQL mirror.
Zero-Code Policy Overrides
Need to tweak exactly what a 'Manager' can do? Use the AUTH_POLICY_OVERRIDES JSON environment variable to redefine role-to-permission mappings dynamically on startup.
Agnostic Event Broadcasting
Publishes domain events (like 'User Created') to the rest of your microservices. Swap between NATS JetStream, RabbitMQ, SQS, or Pub/Sub with a single configuration flag.
Native Device Management
Track active sessions and manage Push Notifications. Register FCM tokens per device (iOS, Android, Web) to easily orchestrate targeted cross-platform alerts.
Developer Experience: Modify with Absolute Confidence
When you buy source code, your biggest fear is breaking it. We built the Identity Service to be customized safely.
Rigorous Test Coverage
Comprehensive unit and integration test suites included. When you fork the logic, run `make test` to verify you haven't broken the core tenant isolation or authorization flows.
Pre-Instrumented Observability
Ships with native OpenTelemetry tracing and structured slog logging. Track an invitation request from the gRPC gateway all the way down to the PostgreSQL query.
Interactive CLI Tool
Manage your local and staging environments effortlessly. The included binary allows you to create companies, provision teams, and manage user sessions directly from your terminal.
Embedded Documentation
Open API / Swagger docs are generated directly from the protobuf definitions and embedded into the binary. Your frontend team will always have up-to-date specs.
AI Agents Talk to Identity Natively
Every Launch Rail service ships with a built-in MCP server. Your AI agents can discover tools, read resources, and execute actions—no wrappers, no custom integrations.
MCP Tools
Actions agents can execute
create_userRegister a new user with email, name, and metadata
invite_memberSend a workspace invitation with role assignment
assign_roleUpdate a member's RBAC role within a company
switch_workspaceChange a user's active tenant context
MCP Resources
Data agents can read
identity://users/{id}Full user profile with metadata and active sessions
identity://companies/{id}/membersAll members of a workspace with roles and status
identity://users/{id}/workspacesList of all workspaces a user belongs to
In Practice
What this looks like
“Invite john@acme.com to the Engineering workspace as a Manager and notify them via Slack”
Calls invite_member tool → creates invitation with Manager role → triggers notification event via NATS → confirms invitation sent with 7-day TTL.
Real-World Value: Identity in Action
See how teams across industries use Identity to ship faster, reduce costs, and deliver enterprise-grade experiences from day one.
Multi-Clinic Patient Portals
A patient belongs to multiple clinic workspaces. Identity handles cross-workspace sessions, per-clinic RBAC (Doctor vs Receptionist vs Patient), and HIPAA-compliant metadata storage.
School District Management
District admins manage thousands of teachers across schools. Bulk invitations, nested team structures (District → School → Department), and dynamic role assignments make this trivial.
Multi-Entity Corporate Banking
A CFO accesses multiple subsidiary accounts. Identity provides secure workspace switching, device session tracking, and pluggable authorization to meet SOC2 and PCI-DSS requirements.
Seller & Buyer Dual Roles
Users can be both a buyer and a seller on the same platform. Identity handles dual-context workspaces, team invitations for seller storefronts, and custom metadata per role.
Why Buy the License? (The ROI)
Building a secure identity system with multi-tenancy, cross-workspace routing, pluggable OIDC integration, and comprehensive test coverage takes a dedicated platform team over 4 months.
Buy the Launch Rail Identity module today and get the complete, production-ready Go codebase.
K8s Ready
Deploy to Kubernetes or Cloud Run with provided configs.
Total Compliance
Own your user data entirely to satisfy strict SOC2/GDPR limits.
Native Ecosystem
Seamlessly connect it to the rest of the Launch Rail modules.