Now with scoped identities for AI agents

One identity, guarded at the front door.

The sovereign identity layer for healthcare. Authenticate humans, govern organisations, and put every AI agent on a short leash - verified, scoped and fully audited.

SOC 2 · HIPAA · ISO 27001 · GDPR · IRAP
The identity layer for the 3verest family
Forge · Bifrost · Heimdall · 3verest
Why now

Humans log in. Companies delegate. Agents act.

Authentication was built for one actor - a person at a keyboard. Now organisations delegate access to each other, and AI agents take real actions in real systems. They are identities too. OrthID governs all three on one trail.

Human

The people inside your products - clinicians and staff - sign in without passwords to phish.

Passkeys · MFA · SSO
Organisation

Tenants that delegate access to one another - with their own admins, roles and boundaries.

Orgs · Delegated admin · Roles
AI agent

Non-human workloads that take real actions - borrowing access per task, on behalf of a real human.

Scoped credentials · On-behalf-of · Expiry
Sovereign by design

Self-hosted. In your region. Under your keys.

Run OrthID in your own cloud or ours, in the region you choose. Customer-managed keys. A tamper-evident, hash-chained audit. No identity data crosses a boundary you didn’t draw.

Self-hosted / open core
Data residency by region
BYOK (Vault / KMS / HSM)
Tamper-evident audit
No vendor lock-in
AI agents

Give every agent an identity, a leash, and a receipt.

Agents don’t get standing access. They borrow it - per task, scoped down, on behalf of a real user, and it expires. Every call carries provable provenance. One risk engine. One audit trail. Humans, organisations, and agents.

Per-task, least-privilege scopes
On-behalf-of via OAuth token exchange (RFC 8693)
Expiry & revocation - no standing access
issue-agent.ts
import { orthid } from "@orthid/sdk";

const agent = await orthid.agents.issue({
  onBehalfOf: "usr_4Qd2",
  scope: ["imaging:read"],
  ttl: 900,            // 15 minutes
  region: "au-syd-1",
});

// → agt_7K2f91x · act-claim sealed to the audit trail
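
A resource-side check for a delegated agent credential like the one issued above, as an added example that is not OrthID's own code or SDK. It assumes the token signature has already been verified and that the token carries the RFC 8693 `act` and `scope` claims; the function name, claim layout and the 900-second ceiling are assumptions.

```typescript
// Added example, not OrthID code. Claim names follow RFC 7519 / RFC 8693.
interface AgentClaims {
  sub?: string;           // the human the agent acts on behalf of
  act?: { sub?: string }; // RFC 8693 actor claim: the agent itself
  scope?: string;         // space-delimited scopes
  iat?: number;           // issued-at, seconds since epoch
  exp?: number;           // expiry, seconds since epoch
}

type Decision = { allow: boolean; reason: string };

const MAX_TTL_SECONDS = 900; // assumed policy ceiling, mirrors the 15-minute ttl

// Fails closed: any missing or out-of-policy claim denies the call.
function authorizeAgentCall(
  claims: AgentClaims,
  requiredScope: string,
  nowSeconds: number,
): Decision {
  const deny = (reason: string): Decision => ({ allow: false, reason });
  const user = claims.sub;
  const agent = claims.act?.sub;
  const { iat, exp } = claims;

  if (!user) return deny("no subject: token is not bound to a user");
  if (!agent) return deny("no act claim: not a delegated agent token");
  if (typeof iat !== "number" || typeof exp !== "number") {
    return deny("missing iat/exp: lifetime cannot be bounded");
  }
  if (iat > nowSeconds) return deny("issued in the future");
  if (exp <= nowSeconds) return deny("expired");
  if (exp - iat > MAX_TTL_SECONDS) return deny("ttl exceeds policy ceiling");

  const granted = (claims.scope ?? "").split(" ").filter(Boolean);
  if (granted.indexOf(requiredScope) === -1) return deny("scope not granted");
  return { allow: true, reason: `${agent} acting for ${user}` };
}

// Constructed sample claims, reusing the identifiers shown above.
const sampleClaims: AgentClaims = {
  sub: "usr_4Qd2",
  act: { sub: "agt_7K2f91x" },
  scope: "imaging:read",
  iat: 1700000000,
  exp: 1700000900,
};
```

The `reason` string of an allowed call names both the agent and the user, which is the pair an audit entry would need to record.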
Drop-in components

Sign-in, profiles, orgs, and consoles - drop them in.

Prebuilt components for login, user profile, organisation management, and both admin planes. Match your brand with tokens, ship on your own domain.

<SignIn/>
<UserButton/>
<OrgSwitcher/>
Operator Console
Tenant Console
Two planes

One platform, two consoles.

Run the platform from the Operator Console - every tenant, every identity, every policy. Hand each customer a clean, org-scoped Tenant Console of their own. The data plane enforces; the UI reflects.

Operator Console

Run the fleet - every tenant, every identity, every policy.

Provision & suspend tenants
Global policy & risk rules
Impersonate-with-audit
Tenant Console

Hand each customer a clean, org-scoped console of their own.

Members, roles & invites
Org-scoped, delegated admin
Their brand, their domain
Security & compliance

Trust, proven - not promised.

Concrete controls a CISO can verify, not adjectives. The platform fails closed, isolates every tenant, and seals every change.

Tamper-evident audit

One immutable, hash-chained entry per change - exportable to your SIEM.

RLS tenant isolation

Postgres row-level security and scoped tokens keep tenants provably apart.

Least-privilege agents

Non-human identities get per-task scopes that expire - never standing access.

SOC 2 · HIPAA · ISO 27001 · GDPR · IRAP - verify each certification before relying on it.
“OrthID gave us one identity trail for clinicians, partner organisations and the AI tools on the ward - sovereign, in our region, and audited end to end.”
Verified OrthID customer · Anonymised and kept private for obvious reasons

Own your identity layer.

Self-hosted or managed - in your region, under your keys. Humans, organisations and agents on one trail.