Multi-tenancy
Each company in Sigil is one organization. Every domain row carries an
organization_id and the data layer filters on it at the repository level
— not in handlers, not in middleware. The same applies to the iframe’s
postMessage handler (origins are checked against the per-org allowlist)
and to KMS (the AAD binds every encrypt/decrypt call to the org).
Identity domains
Sigil keeps two identity universes that never mix:
- Portal users: developers managing the integration. Owned by Ory
Kratos (passwordless email-OTP). Cookie session, scoped to
platform.sigilkeys.com.
- End-user identities: the people whose wallets you embed. Created lazily on first wallet auth. Authenticated either by Sigil-hosted email-OTP (we issue the JWT) or by your OIDC provider (we validate against your JWKS via the autodiscovery URL).
A portal user is not an end user, and vice versa. Logging in to the portal does nothing for wallet flows, and signing into a wallet does nothing for the portal.
Origins
Each organization declares its allowed origins in the portal. The iframe
verifies event.origin on every received postMessage, drops anything
not in the list, and never replies to anyone other than the
event.source that issued the request. There is no wildcard.
Keys
The publishable key (pk_live_…) identifies the org from the iframe.
The secret key (sk_live_…) identifies the org from the back-office
S2S endpoints. Keys are scoped to one org and revocable independently.