Security · 2026-02-28 · 5 min

ORIS Identity: One JWT to Rule Them All

Authentication is the foundation of everything in ORIS. Every product, every API call, every AI request flows through a single JWT issued by auth.meetoris.com.

The JWT carries sub (a stable user ID), tenant_id and tenant_slug (the org partition), products[] (licensed product codes), roles{} (a per-product role map such as {"DE":"ngo_admin","KAP":"viewer"}), ai_tier (starter/pro/enterprise, used for model routing), data_residency (IN/EU/US, used for provider selection), and cross_vertical_access together with cross_vertical_scopes for three-gate authorization.

Security non-negotiables: RS256 asymmetric signing (never HS256), httpOnly secure cookies only (never localStorage), a 1-hour access-token TTL with 7-day refresh tokens, jti-based revocation via Redis with a sub-millisecond check, and ecosystem-wide logout, where revoking from any product kills all sessions.

Product integration takes two lines of code: import @oris/auth-client and call validateOrisJwt() on every request. The JWT carries all the context, so no local users table, local sessions, or local auth UI is needed.