Kimezu Identity protocol for operators of branded ecosystems

The identity layer your tenants never see.

Kimezu is the operator-ready distribution of the Simezu identity protocol. A branded sign-in, payments and access surface for every tenant on your platform, on a backbone you keep control of.

Sandbox is free; no card required.
Studio · designers and developers, one identity contract
Built on Kimezu

The latest consumer-facing apps that joined Kimezu.

Simuze · simuze.com · music networking
Rozuro · rozuro.com · finance OS
Mind Your Space · mindyourspace.app · studio space booking
Wemazu · wemazu.com · deployment orchestration
Magic Decky · magicdecky.com · MTG deckbuilder
Heute · heute.app · social activities
Operators

Built for the person who runs a platform with one identity team.

If you operate a platform with multiple consumer-facing brands, a publishing house, a healthcare group, you already know that giving each brand its own auth stack is how you end up with several auth stacks. Kimezu is the alternative.

Most platform teams run four or five overlapping systems. A user table. A permissions engine. A session service. A payment-profile store. And, if you're honest, a half-finished audit log.

Kimezu replaces them with one.

The protocol is identical for every tenant. The brand is not.

A new app joins the ecosystem, asks Kimezu who is this person, what can they do, who gets paid, and gets the same JWT it would for any other tenant. Integration code stops growing.

Operators see one console. Roles, sessions, payment routes, audit trails, all in one place. End users see a login that looks like their brand.


An operator working through a morning.

The whole job is keeping the protocol predictable. One service, one chain to verify, one console that shows it did what it was supposed to. Calm because nothing surprising happens underneath.

The operator console

The operator console manages every tenant from one surface.

A real screenshot, not a marketing render. This is what your platform team looks at on a Monday morning.

The console is the operator's only daily surface.

Configure tenants, rotate signing keys, review audit chains, set payment routes. Every tile below is a built-in module. None of them assume you've integrated a third party.

01 · Authentication health · Login success rate, failed-login spikes, active sessions per tenant. (live)
02 · Application usage · Per-app login volume over the recent window, switchable by tenant. (window)
03 · Platform statistics · Total tenants, webhooks, payments, gross revenue, at a glance.
04 · App distribution · Active vs dormant apps, with one-click revocation of stale credentials. (ops)

Kimezu operator console · Rozuro tenant statistics (console.kimezu.com/rozuro/statistics)

The integration desk.

When a developer wires a new app into Kimezu, they read the JWT, write a guard clause, and move on. Most of the work is removing the auth code they were going to write anyway.

In the field

Four tenants on one identity foundation.

Kimezu doesn't care what your customers sell. It cares that the identity contract under each brand is identical. Four tenants on the same instance, told as four short stories.

id.rozuro.com · Finance OS
01 · Rozuro · finance OS

Payment profiles as the billing OS, on day one.

Rozuro is a finance OS for solo operators and small businesses. Multi-tenant billing isn't a side feature it had to build: Kimezu's payment-profile model gave Rozuro a per-tenant routing engine on day one. The marketplace queries Kimezu for the right destination on every transaction; VAT treatment lands at payment time, so the OSS report writes itself at quarter close.

Each tenant is a Kimezu group with its own payment profile. Stripe, Mollie and PayPal sit behind one routing decision; the books stay consistent whether reverse-charge or OSS applies.

id.simuze.com · Music networking
02 · Simuze · local music

Same identity from rehearsal-room booking to door scan.

Local music scenes don't fit any one auth system. Venues, rehearsal spaces, sound techs and ticket holders all touch the same person's account in a single working day. Simuze runs on Kimezu so a musician's account follows them from booking a rehearsal-space slot in the afternoon to scanning in at the door in the evening.

One identity across the whole scene. Venues, rehearsal spaces, ticketing. Each surface keeps its own brand and its own copy. The protocol underneath knows the artist is the same person every time.

id.mindyourspace.app · Mindfulness
03 · Mind Your Space · mindfulness

Three actor types, one identity model.

Mind Your Space connects studios, teachers and students. Each gets a different surface, but the identity backbone is the same. A teacher who teaches at two studios has one account and two scoping roles; a student books across studios with one login; a studio operator schedules without needing to maintain a separate user database.

actor_type per role

The teacher's authority at studio A doesn't follow them to studio B unless studio B grants it. The student's identity does, because students are the ones who pay.

id.wemazu.com · DevOps
04 · Wemazu · deployment orchestration

Agents as first-class deploy actors.

Wemazu is a GitHub-driven deployment orchestrator. Every deploy is performed by an agent. A revocable JWT scoped to a single project, with an explicit owner. The audit log shows exactly which agent shipped which commit at what time. Humans approve; agents act.

actor_type: agent

A deployment that fails is traceable to one agent, one token, one moment. A token compromised in CI logs is revocable in one console click. The audit chain proves the rest.


Where the brand work happens.

Every tenant has someone deciding what the sign-in should look like, what the support email says, what the OAuth consent screen reads. That work belongs to them. Kimezu provides the surface and stays out of it.

Comparison

The build-vs-buy matrix, by dimension.

We compared Kimezu against the two paths most operators actually weigh: rolling identity yourself, or running a vendor like Auth0 / Cognito. No straw-man categories.

| Dimension | Build it yourself | Kimezu | Auth0 / Cognito / Frontegg |
|---|---|---|---|
| Pricing model (what you pay for as you grow) | Engineering salaries | Flat, per tenant | Per active user (gets expensive) |
| Multi-tenant whitelabel (per-tenant domain, theme, copy) | Bespoke for each | Built in, per-tenant | Add-on, often per-MAU |
| Agent identities as first-class actors (non-human callers with their own JWTs) | Custom permissions glue | actor_type: agent, revocable, scoped | Service accounts, weakly scoped |
| Data residency (where identity actually lives) | You decide | EU-west / EU-central / self-host | Usually US-primary |
| Self-hosted option (run it on your own hardware) | Yes | Yes. Public release stream. | Vendor-only |
| Audit log verifiability (external integrity check, on every plan) | Roll your own | HMAC-chained, public verifyChain() | Proprietary, often paid |
| Payment profiles per tenant (routing money to owners) | Separate service | First-class | Not in scope |
| Migration off (password hashes and user IDs exportable) | You own everything | Documented OIDC + open schema | Auth0 famously does not export password hashes |
Sovereignty

Data residency is set in the contract, not in marketing copy.

Kimezu defaults to EU-hosted, supports self-hosting on your hardware, and treats anything else as a deliberate and documented choice. The list below is what's actually contractual, not aspirational.

Art. 6 · 15 · 17

GDPR-native by default

Right to access and erasure are in the schema, not the docs. Every actor type carries an explicit lawful basis, recorded at session creation and surfaced in the audit log.

EDPB-aligned

SCC + DPA pre-signed

Standard Contractual Clauses and a Data Processing Agreement are signed before you write a single line of integration code. Custom addenda are negotiated on the Self-hosted plan.

EU-only

Region-locked storage

Per-tenant region pinning. Two EU primary regions; backups stay regional. No transatlantic data transfers. Ever.

SHA-256

HMAC-chained audit log

Every authentication, authorization decision and administrative action is hashed into a chain you can verify externally. Tamper attempts are immediately visible.

0 trackers

No third-party telemetry

The sign-in page makes zero non-Kimezu network calls. No analytics, no marketing pixels, no third-party fonts. The page that asks for a password is the cleanest page on the internet.

Argon2id

Password hashing at the edge

Passwords are hashed with Argon2id at production cost factors. Failed-login back-off is rate-limited fail-closed; honeypot tokens and tarpit on probe patterns are on by default.

RS256

JWKS rotation

Token-signing keys rotate on a schedule and on demand; consuming applications fetch JWKS via discovery and validate every request. No long-lived shared secrets.

For the long-form list of what we will and won't do under contract, see Security & compliance.


A workspace where the protocol is doing its job.

The list above is not a marketing list. It is the contract. What is in the audit log has the same shape as what is in the DPA, which has the same shape as the schema. That alignment is why Kimezu reads as boring to operators and as clean to legal.

Pricing

Per tenant. Not per user.

You're the operator. Bring your own users. Tiers are billed in euros and EU-hosted by default; self-hosted plans are contracted.

What you pay for

Hosting, the protocol, every operator feature. No seat tax.

Developer
Free. One tenant, one app.
Free
Starter
One tenant, EU-west.
€49/mo
Most chosen
Operator
Up to 25 tenants.
€299/mo
Growth
Up to 100 tenants.
€899/mo
Self-hosted
Your hardware. Or Atypisch Managed.
Custom

All prices ex VAT. Annual prepay = 12 months for the price of 10. Atypisch can also install and run Kimezu for your organisation on the same upstream codebase. One SSOT for updates across every managed customer. See the full feature table →

Questions

What people ask before they pick Kimezu.

If something here doesn't fit your context, mail operators@kimezu.com. A human replies.

01 · How is Kimezu different from Auth0 with multiple tenants?
Auth0 is a hosted vendor with a per-MAU bill and a black-box authorization model. Kimezu is a protocol and a reference distribution you can run on your own EU infrastructure. Every tenant gets the same identity contract, branded surfaces, and a shared ownership and payment model. No data leaves your stack, no per-user pricing.
02 · What does "white-label" actually include?
Sign-in screens, magic-link emails, OAuth consent pages, OIDC discovery domain, payment receipts, audit-log dashboards and the API surface all carry the tenant's brand. Colours, logo, copy, domain, support email. Operators configure once per tenant; end users never see Kimezu.
03 · Where does payment money actually move?
Through Stripe, Mollie or PayPal, configured on each tenant's payment profile. Kimezu never holds funds; it records where they're supposed to go and what VAT treatment applies, then hands off to the processor. Refunds inherit the original VAT treatment so books stay consistent.
04 · How do AI agents fit into the identity model?
Agents are first-class actors with their own JWTs (actor_type: agent), an owner (user or group), and scoped permissions that can never exceed the owner's permissions. Tokens are revocable instantly across every connected app. Consuming apps see the same session shape and decide whether to permit agent traffic.
05 · Can we migrate off Kimezu later?
Yes. Kimezu speaks plain OAuth 2.0 and OIDC, exports its user table in a documented format, and the schema is open. We provide a migration playbook to Keycloak, Authentik or a self-built identity layer. No proprietary user-id formats.
06 · How does VAT and OSS reporting work?
Kimezu applies the right rule at payment time (EU consumer, EU business reverse charge, or outside-EU scope) and stores the treatment alongside the transaction. We produce per-country, per-period summaries you can hand to your accountant. Submitting OSS returns remains your responsibility; we give you the numbers.
Get started

A foundation you operate.

One identity protocol, every tenant their own brand, all of it EU-hosted and yours to run.

Sandbox
No card required

One tenant, unlimited users, live OIDC discovery.

Migration
A real engineer, not a bot

Operator tier includes paired migration time.