Your customers' identity experience, in your brand.
Obexal is not a separate customer identity product bolted on the side. It is the same sovereign European platform, turned toward the people who use your service: a branded login, passwordless sign-in, self-service onboarding and a My Apps portal, all under your name and hosted in the EU.
At a glance
| Area | Details |
|---|---|
| Sign-in | WebAuthn passkeys, magic link (15 min), email code (10 min); never SMS |
| Social | Google, Microsoft and generic OIDC, per tenant; no external token retained |
| Brand | Per-tenant color and self-hosted logo, live preview |
| Domain | Custom, verified by DNS TXT, automatic TLS certificate |
| Onboarding | Invitation is the activation; self-service organization creation verified by OTP |
| Portal | My Apps, with the authorized AI agents, revocable |
| Data | Minimal profile, GDPR-governed export and deletion |
| Hosting | France, datacenter in the Paris region; EU data residency |
A login in your brand
Your customers should never feel they left your product at the moment of signing in. Each tenant styles the login screen with its brand color and a self-hosted logo: you upload one file per tenant, the theme is applied through CSS variables, and a live preview in the admin console shows the result before you publish.
You can also point your own domain at Obexal. Ownership is verified with a DNS TXT record, and a TLS certificate is then issued automatically, but only once that proof is in place. Obexal resolves the tenant from the Host header, so id.yourbrand.com is a real front door under your name, not a redirect to a shared page. Branding, custom domains and the portal are all configured tenant by tenant, and they run on the same security core as the rest of the platform.
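The custom-domain flow above (prove ownership with a DNS TXT record, issue a certificate only after that proof, resolve the tenant from the Host header) as a small self-contained model. This is an added example, not Obexal's code: the `_idp-verify` record name, the class names and the placeholder certificate step are assumptions, and DNS lookups are injected so it runs offline.

```python
"""Custom login domain for a multi-tenant identity service: ownership is proven
with a DNS TXT record before any certificate is issued, and the serving tenant is
resolved from the Host header. Added example, not Obexal's code; the record name,
class names and the certificate placeholder are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DomainClaim:
    tenant: str
    domain: str
    token: str                        # random challenge the tenant must publish in DNS
    verified: bool = False
    certificate: Optional[str] = None  # placeholder for an ACME-issued certificate


class DomainRegistry:
    # The TXT record name is an assumption; real providers each pick their own prefix.
    TXT_PREFIX = "_idp-verify"

    def __init__(self, resolve_txt: Callable[[str], List[str]]):
        # resolve_txt(name) -> list of TXT strings; injected so the example runs offline
        self._resolve_txt = resolve_txt
        self._claims: Dict[str, DomainClaim] = {}   # domain -> pending/verified claim
        self._hosts: Dict[str, str] = {}            # verified host -> tenant slug

    def request_domain(self, tenant: str, domain: str) -> Tuple[str, str]:
        """Register a pending claim; returns the (record name, value) the tenant must publish."""
        domain = self._normalize(domain)
        claim = DomainClaim(tenant, domain, secrets.token_urlsafe(32))
        self._claims[domain] = claim
        return f"{self.TXT_PREFIX}.{domain}", claim.token

    def verify_domain(self, domain: str) -> bool:
        """Look up the TXT record; only a value matching the issued token verifies the domain."""
        domain = self._normalize(domain)
        claim = self._claims.get(domain)
        if claim is None:
            return False
        records = self._resolve_txt(f"{self.TXT_PREFIX}.{domain}")
        # Constant-time comparison on bytes: TXT records may carry arbitrary content
        if any(hmac.compare_digest(r.encode(), claim.token.encode()) for r in records):
            claim.verified = True
            self._hosts[domain] = claim.tenant   # only now does the host route to a tenant
        return claim.verified

    def issue_certificate(self, domain: str) -> str:
        """Certificate issuance is gated on verified ownership; nothing is ordered before that."""
        domain = self._normalize(domain)
        claim = self._claims.get(domain)
        if claim is None or not claim.verified:
            raise PermissionError("domain ownership not verified; no certificate issued")
        if claim.certificate is None:
            claim.certificate = f"cert-for-{domain}"   # placeholder for the real ACME order
        return claim.certificate

    def tenant_for_host(self, host_header: str) -> Optional[str]:
        """Resolve the tenant from the Host header; an unknown host gets no tenant (no shared fallback)."""
        host = host_header.split(":", 1)[0]          # drop an explicit port
        return self._hosts.get(self._normalize(host))

    @staticmethod
    def _normalize(name: str) -> str:
        return name.strip().lower().rstrip(".")
```

The important property is the ordering: `tenant_for_host` and `issue_certificate` both read only state that `verify_domain` sets, so a domain that was requested but never proven can neither serve a login page nor obtain a certificate.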
Passwordless, without the friction
Fewer passwords to remember means fewer passwords to forget and fewer passwords to phish. Obexal offers several passwordless methods, each opt-in on a per-tenant basis.
- WebAuthn passkey: a strong primary factor, phishing-resistant by design; the customer signs in with no username and no password, using the device biometric or a security key, and manages their own passkeys from self-service.
- Magic link: a single-use link valid for 15 minutes, sent by email, with tokens stored hashed and an anti-enumeration flow that never reveals whether an address exists.
- Email one-time code: a single-use code valid for 10 minutes, suited to customers who prefer a code to a link.
- Social login: still available, configured per tenant; Google, Microsoft and generic OIDC, including a sovereign IdP, with per-tenant connections overriding the global ones, and no external token ever persisted: Obexal keeps only the identity link, nothing more.
There is no SMS anywhere: email codes only, a deliberate sovereignty choice that removes SIM-swap and SMS interception. Passwordless stays off until a tenant enables it (branding.allowPasswordless), and you decide exactly which methods your customers see. Failed attempts and lockouts feed the same conditional access engine as the rest of the platform, so the sign-in your customers experience is backed by the same network, time-of-day, country and adaptive-risk rules that protect your workforce.
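The magic-link and email-code properties listed above (single use, 15- and 10-minute validity, hashed storage, a reply that never reveals whether an address exists) as a self-contained model of the issuing and redeeming side. This is an added example, not Obexal's code; the class and method names, the in-memory store, the guess limit on six-digit codes and the `outbox` that stands in for the mail sender are assumptions.

```python
"""Passwordless challenge issuance and redemption: single-use magic links (15 min)
and email codes (10 min), stored only as hashes, with a uniform reply whether or
not the address is registered. Added example, not Obexal's code; names, the
attempt limit for codes and the in-memory stores are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

MAGIC_LINK_TTL = 15 * 60   # seconds, as stated on the page
EMAIL_CODE_TTL = 10 * 60
MAX_CODE_ATTEMPTS = 5      # assumption: a 6-digit code needs a guess limit
UNIFORM_REPLY = "If that address is registered, a message is on its way."


def _hash(secret: str) -> str:
    # Only the hash is stored: a dump of the store yields no usable link or code
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Challenge:
    email: str
    kind: str            # "magic_link" or "email_code"
    secret_hash: str
    expires_at: float
    used: bool = False
    attempts: int = 0


class PasswordlessService:
    def __init__(self, known_emails: Iterable[str], now: Callable[[], float] = time.time):
        self._known = {e.strip().lower() for e in known_emails}
        self._now = now                                  # injectable clock for tests
        self._pending: Dict[str, Challenge] = {}         # one live challenge per email
        self.outbox: List[Tuple[str, str, str]] = []     # stands in for the mail sender

    def request(self, email: str, kind: str) -> str:
        """Anti-enumeration: the caller gets the same reply whether or not the address exists."""
        email = email.strip().lower()
        if kind not in ("magic_link", "email_code"):
            raise ValueError("unknown passwordless method")
        if email in self._known:
            if kind == "magic_link":
                secret, ttl = secrets.token_urlsafe(32), MAGIC_LINK_TTL
            else:
                secret, ttl = f"{secrets.randbelow(10**6):06d}", EMAIL_CODE_TTL
            # A new request replaces any earlier challenge for the same address
            self._pending[email] = Challenge(email, kind, _hash(secret), self._now() + ttl)
            self.outbox.append((email, kind, secret))    # the only place the secret leaves
        return UNIFORM_REPLY

    def redeem(self, email: str, secret: str) -> bool:
        """Returns True exactly once per valid, unexpired secret; everything else is False."""
        email = email.strip().lower()
        ch = self._pending.get(email)
        if ch is None or ch.used or self._now() > ch.expires_at:
            return False
        if ch.kind == "email_code":
            ch.attempts += 1
            if ch.attempts > MAX_CODE_ATTEMPTS:
                ch.used = True            # burn the code after too many guesses
                return False
        if not hmac.compare_digest(ch.secret_hash, _hash(secret)):
            return False
        ch.used = True                    # single use: a replayed link or code fails
        return True
```

Two details carry the security properties: the store never holds the secret itself, only its hash, and the short email code gets an attempt counter because its six digits cannot rely on entropy the way a 32-byte link token can.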
Onboarding you control end to end
Two honest paths coexist, both audited and both able to resolve the organization for the user. The first is self-service organization creation: a public page turns a prospect into an owner, who creates the organization, verifies it with an OTP sent by email, and is logged in automatically, with no sales call needed to get started.
The second is the invitation model, suited to closed products. The invitation is the activation: the profile arrives pre-filled, and accepting it creates the account; self-signup stays off by default. In both cases, customers do not have to remember a tenant name in the URL: the organization is resolved from the email address or domain, and a returning user simply enters their email. The same anti-enumeration rules apply throughout, so an invitation flow never leaks who is or is not already a customer.
The My Apps portal
Once signed in, your customer lands on a white-label My Apps portal, served from /v1/me/apps, in the spirit of the Okta end-user dashboard. They see the applications assigned to them and, just as importantly, the AI agents acting on their behalf, each one revocable in a click. Nothing appears that was not explicitly granted to them, and the branding and domain stay those of the login screen.
That transparency about agents is not a detail: it puts control of the delegations granted on their behalf in the hands of the end user, not just the administrator. To see how those agent identities are issued, scoped, expired and revoked, read about AI agent identity.
Privacy by design
Collect little, keep less: data minimization is a default, not an add-on. When a customer signs in with Google, Microsoft or OIDC, Obexal keeps only the identity link, never the external access or refresh token, so there is nothing to leak and nothing to over-collect.
The profile itself stays minimal: first name, last name, display name, job title, department and language, released as OIDC claims. No date of birth is collected, by choice, to stay aligned with GDPR data minimization. Profile fields are editable by an admin or through SCIM, and read-only for the end user, while the controls that truly concern the person (their passkeys, revoking the agents acting on their behalf) are in their own hands.
Data subject requests are handled in practice: access and erasure are served through the admin console and SCIM deprovisioning, with the process set out on the privacy page and in the DPA. Every sensitive step is recorded in an immutable audit log.
How this differs from IAM
IAM covers your workforce, employees and contractors; CIAM covers your customers and end users. It is the same platform and the same security core, applied to a different audience and a different experience: branding, onboarding and a My Apps portal built for people outside your organization. If your need is about your own teams instead, see workforce IAM.
Honestly, Obexal is not a separately packaged CIAM suite. The building blocks (branding, custom domains, passwordless, passkeys, social login, onboarding, the portal) are real and shipping, but they are the same platform primitives turned toward your customers rather than a distinct product line. We would rather tell you that than oversell a suite.
Sovereign, and verifiable
Obexal is hosted in France, in a datacenter in the Paris region, with EU data residency. No non-EU dependency sits in the request path, there is no external CDN, and fonts are self-hosted. Traffic is encrypted with TLS 1.2 at minimum, 1.3 preferred, and HSTS. No social token is persisted and no date of birth is collected.
On certifications, to be precise: not certified to date; ISO 27001:2022 mapping documented; SecNumCloud roadmap under way. The detail is on the security page and the sovereignty page.
Frequently asked questions
Is CIAM a separate product?
No. It is the same sovereign platform, turned toward the people who use your service: same directory model, same security core, same audit trail. See IAM for your workforce.
Can sign-in live on our own domain?
Yes. Point your domain at Obexal, prove ownership with a DNS TXT record, and a TLS certificate is issued automatically. Your brand, your domain.
Is passwordless mandatory for our customers?
No. Every method is opt-in per organization: you choose exactly which sign-in options your customers see, and you can change that at any time.
How does this respect GDPR for end users?
Data minimization by design: no social token is ever stored, the profile is minimal, and hosting stays in France with EU data residency. See the privacy policy.