What is Obexal
A sovereign European identity platform for your workforce, your customers and your AI agents, built on open standards.
Obexal is an identity provider (IdP) designed and hosted in the European Union. It authenticates your workforce and your customers, connects your applications through open standards, and gives every AI agent a governed, verifiable identity.
One platform, three kinds of identities
Everything in Obexal lives in one directory and one audit trail:
- Workforce (IAM): single sign-on, multi-factor authentication, groups, provisioning and conditional access for the people in your organization.
- Customers (CIAM): a white-label, passwordless sign-in experience for the users of your product, on your own domain.
- AI agents: each agent is an OAuth 2.1 client of its own, with a human owner, an expiry date, capped permissions and a kill switch.
Built on open standards
Obexal implements the modern identity stack end to end. There is no proprietary SDK to embed: any standard library works.
| Standard | Role |
|---|---|
| OpenID Connect / OAuth 2.1 | Sign-in and API authorization, with PKCE, PAR, DPoP and private_key_jwt |
| SAML 2.0 | Inbound (Obexal as SP) and outbound (Obexal as IdP) enterprise SSO |
| SCIM 2.0 | User provisioning, inbound and outbound |
| WebAuthn | Passkeys, as a phishing-resistant primary factor |
| Token Exchange (RFC 8693) | Attributable delegation for AI agents |
How Obexal is organized
Your organization (a tenant) is strictly isolated from every other tenant: users, groups, applications, policies, branding and audit events never cross that boundary. Inside your organization you register applications (OIDC or SAML), define groups that grant access to them, and set policies (MFA, conditional access, password rules) that apply at sign-in.
The OpenID Connect discovery document is the starting point for any integration:
curl https://accounts.obexal.com/.well-known/openid-configurationEvery code sample in this documentation uses accounts.obexal.com, the default sign-in domain. If your organization uses a custom domain, replace it accordingly.
Where your data lives
Obexal is hosted in France, in a datacenter in the Paris region, with data residency in the European Union. There is no non-EU dependency in the request path: password breach checks, GeoIP resolution and email delivery are all handled inside the platform. See Data residency and sovereignty.
Next steps
- Create your organization: a self-service sign-up, verified by email.
- Connect your first app: OIDC with PKCE, in a few minutes.
- Invite your team: the directory works on an invitation model.