Qeet Docs
Platform

Platform

The operational surface — multi-tenancy, API keys & service principals, webhooks, tamper-evident audit, GDPR, secrets vault, rate limits, and observability.

Beyond authentication and authorization, Qeet ID is a full identity platform: the operational, security, and compliance machinery you'd otherwise assemble yourself.

Multi-tenancy

Tenant isolation, per-tenant config, branding & email templates, IP rules.

API keys & service principals

Scoped, expirable, hashed machine credentials.

Webhooks

HMAC-signed, transactional outbox, backoff retries, and a dead-letter queue.

Audit

Append-only, SHA-256 hash-chained, with a /verify integrity endpoint.

GDPR

Right-to-erasure (async purge), data export, and retention auto-purge.

Secrets vault

Per-tenant AES-256-GCM secrets via a pluggable KeyProvider.

Rate limits

Redis-backed distributed token bucket; CSRF + security headers.

Observability

Prometheus metrics, OpenTelemetry tracing, and health probes.

Secure by default

A production boot-gate refuses to start with insecure defaults — a weak JWT secret, CSRF disabled, dev-trust headers on, or missing allowed origins/keys. Misconfiguration fails loudly at startup instead of quietly in production.

Authorization

RBAC with a single-call /check, group-level roles, explainable authz (the grant-path trace), and ABAC policy.

Multi-tenancy

Tenant isolation by tenant_id, per-tenant configuration, branding & email templates, and IP allow/deny rules.