Introduction to GL IAM
Early Development
GL IAM is currently in active development. APIs may change between versions, and some providers are not yet fully implemented.
IAM stands for Identity and Access Management—handling who users are (authentication) and what they can do (authorization).
GL IAM is a Python SDK that provides a unified interface for IAM across GDP Labs products. You write application code once against the IAMGateway, then swap providers through configuration—no code changes required.

The GL IAM SDK includes:
IAMGateway - Central orchestrator for all IAM operations
Providers - Stack Auth, Keycloak, PostgreSQL implementations
Standard Roles - Cross-provider role hierarchy
Multi-Tenancy - Organization-scoped isolation enforced by default
API Key Authentication - Service-to-service authentication
Third-Party Integrations - External service credential management (in development)
Single Interface, Multiple Implementations
You write application code once against the IAMGateway, then swap providers through configuration — no code changes required.
StackAuth - Open-source Auth0/Clerk alternative with OAuth, passkeys, RBAC
Keycloak - Enterprise IAM with SSO, SAML, identity federation
PostgreSQL - Direct database user storage
Standard Roles
GL IAM defines three standard roles that work consistently across all providers:
PLATFORM_ADMIN - Highest - Can manage all organizations
ORG_ADMIN - Middle - Can manage users within an organization
ORG_MEMBER - Base - Basic organization access
Higher roles automatically include lower role permissions. For example, checking for ORG_MEMBER will pass for users with ORG_ADMIN or PLATFORM_ADMIN.

Multi-Tenancy
GL IAM enforces organization-scoped isolation by default. Every operation requires an organization_id parameter.
Organization - Isolated tenant (company, team, workspace)
organization_id - Required parameter for all operations
Data isolation - Users, roles, permissions are per-organization

Single-tenant apps: Use a constant organization ID like "default".
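
The role hierarchy and the per-organization scoping described above can be modeled together in a few lines. This is an added sketch, not GL IAM's own code or API: `RoleStore`, `assign`, `has_role` and the sample users and organizations are hypothetical. It treats every assignment as per-organization and does not model how PLATFORM_ADMIN reaches across organizations, which this page does not specify.

```python
from enum import IntEnum


class StandardRole(IntEnum):
    """The three standard roles from the page, ordered lowest to highest."""
    ORG_MEMBER = 1
    ORG_ADMIN = 2
    PLATFORM_ADMIN = 3


class RoleStore:
    """Hypothetical in-memory store; assignments are keyed per organization."""

    def __init__(self):
        self._roles = {}  # (organization_id, user_id) -> StandardRole

    def assign(self, user_id, role, organization_id):
        self._require_org(organization_id)
        self._roles[(organization_id, user_id)] = StandardRole(role)

    def has_role(self, user_id, required, organization_id):
        """True if the user's role in this organization is >= required."""
        self._require_org(organization_id)
        held = self._roles.get((organization_id, user_id))
        if held is None:
            return False  # deny by default: no assignment in this tenant
        return held >= required

    @staticmethod
    def _require_org(organization_id):
        # Refuse unscoped calls instead of falling back to a global lookup.
        if not isinstance(organization_id, str) or not organization_id.strip():
            raise ValueError("organization_id is required")


def demo():
    """Constructed sample data: two tenants, one user id present in both."""
    store = RoleStore()
    store.assign("alice", StandardRole.ORG_ADMIN, organization_id="acme")
    store.assign("alice", StandardRole.ORG_MEMBER, organization_id="globex")
    store.assign("bob", StandardRole.ORG_MEMBER, organization_id="acme")
    return {
        "admin_passes_member_check": store.has_role("alice", StandardRole.ORG_MEMBER, "acme"),
        "member_fails_admin_check": store.has_role("bob", StandardRole.ORG_ADMIN, "acme"),
        "admin_role_stays_in_acme": store.has_role("alice", StandardRole.ORG_ADMIN, "globex"),
        "unknown_tenant_denied": store.has_role("bob", StandardRole.ORG_MEMBER, "globex"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two cases worth checking in any provider are the last two: an admin role held in one organization must not satisfy a check in another, and a user with no assignment in a tenant is denied.
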
Service Authentication
For service-to-service communication, GL IAM supports API key authentication as an alternative to user sessions.
User Authentication - Human users logging into web/mobile apps
Service Authentication - Backend services, CI/CD pipelines, automation
API keys provide direct access without the session lifecycle (login → refresh → logout) required for user authentication.