Authentication & User Management for the Worktree Ecosystem
The Worktree Auth Service powers secure sign-in, token issuance (JWT), and centralized user, role, and group management across all Worktree products (HRMS, Workforce, LMS, Projects). It also integrates with Microsoft Entra ID and Google for enterprise SSO, supporting both Just-in-Time and scheduled syncs.
JWT • JWK
OAuth2 / OIDC
Multi-Tenant & Multi-Product
Audit & RequestId
99.9%
Uptime
42 ms
Median Auth
1,000+
Tenants
About the Auth Service
What it provides
- Issue, refresh, validate, and revoke JWT access/refresh tokens.
- Centralized user lifecycle: create, update, deactivate, and audit.
- Role/permission management with product scoping.
- Group management and external identity linking (Microsoft/Google).
- Consistent
ApiResponse<T>contract for all endpoints.
Developer experience
- OpenAPI documentation available at
/docs-ui/index.html. - Stable versioned routes under
/api/**. - Structured error model with
requestIdcorrelation. - Pagination, filtering, and idempotency where applicable.
Security Highlights
- Stateless JWT validation; optional JWKs endpoint for key rotation.
- Tenant-aware throttling and per-tenant IP allow/deny evaluation.
- Minimal PII in logs; audit trails with redaction where needed.
- HSTS, TLS-only endpoints, and CSRF-safe patterns for browsers.
- Integration with Microsoft Entra ID and Google for SSO.
- JIT provisioning or scheduled group/user sync.
- Fine-grained role/feature mapping per product.
- Defensive defaults and safe error surfaces.
Products Powered by Worktree Auth
HRMS
Employee lifecycle, payroll, and attendance.
Workforce Productivity
Agent-based activity insights and coaching.
LMS
Courses, assignments, and analytics.
Projects
Tasks, sprints, and collaboration.
Ready to integrate?
Open the API reference to get started with endpoints, models, and examples.