Obexal Docs

Docs/Get started/What is Obexal

What is Obexal

A sovereign European identity platform for your workforce, your customers and your AI agents, built on open standards.

Obexal is an identity provider (IdP) designed and hosted in the European Union. It authenticates your workforce and your customers, connects your applications through open standards, and gives every AI agent a governed, verifiable identity.

One platform, three kinds of identities

Everything in Obexal lives in one directory and one audit trail:

  • Workforce (IAM): single sign-on, multi-factor authentication, groups, provisioning and conditional access for the people in your organization.
  • Customers (CIAM): a white-label, passwordless sign-in experience for the users of your product, on your own domain.
  • AI agents: each agent is an OAuth 2.1 client of its own, with a human owner, an expiry date, capped permissions and a kill switch.

Built on open standards

Obexal implements the modern identity stack end to end. There is no proprietary SDK to embed: any standard library works.

StandardRole
OpenID Connect / OAuth 2.1Sign-in and API authorization, with PKCE, PAR, DPoP and private_key_jwt
SAML 2.0Inbound (Obexal as SP) and outbound (Obexal as IdP) enterprise SSO
SCIM 2.0User provisioning, inbound and outbound
WebAuthnPasskeys, as a phishing-resistant primary factor
Token Exchange (RFC 8693)Attributable delegation for AI agents

How Obexal is organized

Your organization (a tenant) is strictly isolated from every other tenant: users, groups, applications, policies, branding and audit events never cross that boundary. Inside your organization you register applications (OIDC or SAML), define groups that grant access to them, and set policies (MFA, conditional access, password rules) that apply at sign-in.

The OpenID Connect discovery document is the starting point for any integration:

curl https://accounts.obexal.com/.well-known/openid-configuration
Note

Every code sample in this documentation uses accounts.obexal.com, the default sign-in domain. If your organization uses a custom domain, replace it accordingly.

Where your data lives

Obexal is hosted in France, in a datacenter in the Paris region, with data residency in the European Union. There is no non-EU dependency in the request path: password breach checks, GeoIP resolution and email delivery are all handled inside the platform. See Data residency and sovereignty.

Next steps

  1. Create your organization: a self-service sign-up, verified by email.
  2. Connect your first app: OIDC with PKCE, in a few minutes.
  3. Invite your team: the directory works on an invitation model.