Authentication and authorization are foundational to protecting your system. While authentication confirms who the user is, authorization controls what that user can access or do. Both are essential to keep your applications secure and your data safe.

In the case of Midaz, since it’s open source and distributed on-premise—along with its plugins—there’s no need for a built-in multi-tenancy layer. Most clients already have their own authentication mechanisms, and we respect that. Still, we know that implementing fine-grained security controls isn't always straightforward, especially when you’re dealing with critical applications like the ledger.

That’s why we’ve developed the Access Manager plugin: an optional component designed to handle user access and identity management when you need more control at the application level.

Why Use the Access Manager Plugin?

When your security strategy requires native, fine-tuned access control across Midaz and its plugins, Access Manager is your go-to. It helps you manage users, credentials, and application access with performance and flexibility in mind.

📘

Note

Access Manager is available as a part of the Enterprise model. If you'd like to learn more or evaluate it for your use case, get in touch with our team.

Components

The Access Manager plugin is made up of two independent services that work together:

• Auth: Acts as the bridge between your applications and your authentication/authorization layer. It handles:
  • Access token generation (OAuth2)
  • Token refresh
  • Credential validation
• Identity: Provides a clear interface—via REST API or the Console—for managing users and access controls. It covers:
  • User Management
  • Machine-to-Machine (M2M) Credentials

Everything is built for performance, simplicity, and extensibility.

🚧

Attention

Although Access Manager is split into two independent services, that doesn’t mean they work in isolation. Each service depends on the other to function properly. Make sure both are up and running before diving in.

Technical Specs

• RESTful APIs and Console interface available
• Midaz and its plugins include the lib-auth library, ready to enforce authorization checks
• Feature flag available via environment variable PLUGIN_AUTH_ENABLED to toggle validation
• OAuth2-based token management and credential flow
• Integration-ready with third-party authentication and authorization platforms
• Valkey caching to boost performance
• Role-based access control (RBAC) aligned with Midaz resource structure

Use Cases

Access Manager is ideal for:

• Clients looking for built-in authentication and authorization at the application layer
• Organizations without a pre-existing IAM solution
• Scenarios where secure M2M integrations are needed
• Teams that want unified access control across Midaz and all its plugins

Enabling Access Manager

Once you’ve installed the Access Manager plugin, you must enable it if you want to use it. To do that, update the following variables in the .env files for Midaz Ledger, Midaz Console or any plugin that you want to use Access Manager with:

# AUTH CONFIGS 
PLUGIN_AUTH_ENABLED=true
PLUGIN_AUTH_HOST=http://plugin-auth:4000

You’ll find the .env files in these folders:

• Midaz Ledger
  • /midaz/components/onboarding
  • /midaz/components/transaction
• Midaz Console and Other Plugins
  • The .env file should be in the main folder.

👍

Tip

Can’t see the files? Try adjusting your system settings to show hidden files since.env files are often hidden by default.