Authentication Infrastructure API (IAM API)
The IAM API (Identity and Access Management API) is the foundational API that handles authentication and authorization for all systems built on NocodilySuite.
From user registration, login, and password management to organization-level access control, RBAC, and SSO,
every authentication-related feature can be consolidated into this single API.
By connecting MicroService APIs and Storage APIs to the IAM API,
you gain per-endpoint control over "which user can access which data."
The IAM API serves as the central hub for access control across the entire system.
Key Concepts
User
Standard end-user accounts authenticated with an email address and password.
After login, users receive a token to securely access MicroService APIs and Storage APIs.
- Multiple users can be registered to a single IAM API
- Users can be assigned to an Organization
- Fine-grained access control is achieved through the combination of organization membership and Role
AdminUser
A privileged account for operating and managing the system.
Used for logging into the Admin WebUI and accessing administrator endpoints on other APIs.
- Creating and deleting admin users can only be done by admin users themselves
- The initial admin user is specified when creating the IAM API
- When Admin endpoints are enabled on a MicroService API or Admin WebUI, they become accessible with the admin token
Organization
A unit for grouping users. Can be defined freely to match business contexts such as departments, teams, or client companies.
- Organizations can be assigned an alias
- When adding a user to an organization, a Role within that organization is assigned
- Combined with MicroService APIs, enables access control such as "only managers of this organization can view this data"
Role / Permission
A Role is the "title" a user holds within an organization; a Permission is the "capability" associated with that role.
Define Roles and Permissions in the IAM API, then apply that control to MicroService API endpoints.
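An added example, not part of the NocodilySuite documentation or its API: a minimal Python model of the organization-scoped check described above, where the role is looked up in the organization that owns the resource and anything without a policy is denied. The role, permission, and endpoint names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> permissions. Names are hypothetical,
# not identifiers defined by the IAM API.
ROLE_PERMISSIONS = {
    "manager": {"report:read", "report:write"},
    "member": {"report:read"},
}

# Constructed endpoint policy: (method, path) -> required permission.
ENDPOINT_PERMISSIONS = {
    ("GET", "/reports"): "report:read",
    ("PUT", "/reports"): "report:write",
}


@dataclass
class User:
    email: str
    # organization id -> role the user holds in that organization
    memberships: dict = field(default_factory=dict)


def is_allowed(user, method, path, resource_org):
    """Return True only if the user's role in the organization that owns
    the resource grants the permission the endpoint requires."""
    required = ENDPOINT_PERMISSIONS.get((method, path))
    if required is None:
        return False  # deny by default: endpoint has no policy
    role = user.memberships.get(resource_org)
    if role is None:
        return False  # not a member of the owning organization
    return required in ROLE_PERMISSIONS.get(role, set())


# Constructed users: alice manages "sales" but is only a member of "ops".
alice = User("alice@example.com", {"sales": "manager", "ops": "member"})
bob = User("bob@example.com", {"ops": "member"})
```

The role is resolved per organization, so a manager role in one organization grants nothing on another organization's data.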
ServiceAccount
A dedicated account for programmatic access to APIs from backend systems or external services.
Authentication via keys ensures secure system-to-system integration without sharing user passwords.
- Can be used when calling APIs from AI Agents or external batch processes
- Key issuance and revocation are managed from the console
Supported Features
| Category | Features |
|---|---|
| User Management | Create/delete users, password reset, password change, email address change |
| Admin User Management | Create/delete admin users |
| Authentication | Email/password login, token issuance and revocation |
| Two-Factor Authentication | Enable/disable email-based 2FA |
| Organization Management | Create/delete Organizations, manage user membership |
| Permission Management | Create/delete Roles and Permissions, assign to users |
| Service Account | Create/delete service accounts, issue/revoke keys |
| SSO | External IdP integration via SAML 2.0 / OIDC |
Integration with Other APIs
The IAM API functions not only as a standalone service, but as the authentication foundation for other APIs.
- MicroService API — Specify the IAM API at build time to enable per-endpoint authentication and RBAC
- Storage API — Integrate with the IAM API to isolate storage areas per user or organization
- WebUI / Admin WebUI — Automatically provides IAM API login screens and account management screens
Interface
The IAM API is provided as a standard HTTP/1.x REST API.
The OpenAPI specification is available from the console and can be used for connecting to external systems.