Identity overview
The Nyuchi identity layer is built on WorkOS, fronted by
identity.nyuchi.com. Every Nyuchi product, every Mzizi mini-app, and every
mzizi-tools API call ultimately authenticates against the same JWT shape.
What needs to land here
- WorkOS setup — project layout, environments, the directory sync model.
- identity.nyuchi.com — the hosted sign-in surface, allowed redirect origins, branded login, and the /.well-known/ endpoints we expose.
- Organisations — the org model, org-scoped roles, how orgs map to billing and to Console plans.
- SSO — connecting customer IdPs (SAML / OIDC), domain claiming, the JIT-provisioning rules.
- JWT shape — the canonical Nyuchi JWT: claims, audience, issuer, short-lived access tokens vs. refresh, and the verification pattern every Nyuchi service implements.
- Service-to-service — machine identities, scoped tokens, and how background workers authenticate.
Cross-links (once content lands)
- nyuchi/mukoko-platform — the Console implementation that consumes these tokens.
- nyuchi/mzizi-tools — mzizi-sdk helpers for verifying Nyuchi JWTs.
- bundu-labs/bundu-docs — the Mzizi authentication pattern, for client-side UX.