Plystra Core

Self-hosted identity and authorization core for applications that need account-identity separation, scoped resource permissions, and append-only audit logs.

If you are adding Plystra to an existing backend, start with the integration guide. It gives you the concrete object model, API calls, and backend guard code for the full path:

register resource type -> create Space and identities -> grant role -> register resource -> call authz/check

Integrate an app

Create the exact Plystra records needed to protect a business endpoint, then call /api/v1/authz/check from your backend.

Run locally first

Start Core, apply migrations, run the Finance demo, and verify the v1.0 release checks.

Check the API surface

Review response envelopes, authentication layers, protected routes, and endpoint groups.

Explainable identity

Every authorization decision explains the User -> UserMember -> Member -> Space path that acted.

Scoped permissions

Permissions are evaluated against self, group, group_tree, and space scope rules. global is reserved and disabled in v1.0.

Resource Registry

Resource types, actions, mappings, risk levels, and audit defaults are stored as governed metadata.

Append-only audit

Allow and deny decisions write trace snapshots that remain readable after metadata changes.

Self-hosted Core

PostgreSQL, versioned migrations, Ent schema checks, Docker Compose, and production safety guards are part of the Core.

Protected API surface

Non-public Core APIs require the bootstrap admin token. Data Console and metrics are disabled by default.