Core Concepts

Client

Learn how Clients in FerrisKey represent applications that rely on centralized authentication and access control.

A Client in FerrisKey represents an application that relies on FerrisKey for authentication and access control.

Think of a Client as any application or service that needs to identify users, verify who they are, and decide what they are allowed to do without managing credentials itself.


What is a Client?

A Client is an application registered inside a Realm that delegates identity management to FerrisKey.

A Client provides:

  • Centralized authentication handled by FerrisKey
  • Secure login flows shared across applications
  • Consistent access control and authorization rules
  • Isolation per application within the same Realm
  • Standardized security practices without custom code

A client never stores passwords. It trusts FerrisKey to authenticate users securely and consistently.

Key Concepts

Application Trust

A Client establishes a trust relationship with FerrisKey.

This means:

  • The application trusts FerrisKey to authenticate users
  • FerrisKey trusts the application to respect issued access rules
  • Users never share credentials directly with the application

Security Guarantee: Credentials are handled only by FerrisKey, reducing risk and attack surface.

Client Scope

Each client is scoped to a single Realm:

  • A client belongs to one Realm
  • It can only access users and settings from that Realm
  • It cannot interact with other Realms

This ensures:

  • Clear boundaries between applications
  • No accidental data or access leaks
  • Predictable security behavior

Authentication Flow

Clients rely on FerrisKey for login using a standardized flow:

  1. A user accesses the application
  2. The application redirects the user to FerrisKey
  3. The user authenticates securely
  4. FerrisKey redirects the user back to the application
  5. The application receives proof of authentication

From the user's perspective:

  • Login is smooth
  • The experience is consistent across applications
  • Security is invisible but enforced

Tokens and Sessions

Once authenticated, FerrisKey provides secure tokens to the Client.

These tokens allow the application to:

  • Identify the user
  • Validate access rights
  • Secure API calls

Important points for clients:

  • Tokens are temporary and expire automatically
  • Tokens can be revoked
  • Tokens replace passwords entirely

Clients never need to manage sessions themselves; FerrisKey does it for them.
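
The checks an application or API makes before trusting a token, as an added example that is not FerrisKey code: it enforces the Realm boundary, per-Client isolation and expiry described above. It assumes tokens are signed JWTs with `iss`, `aud` and `exp` claims, and uses an HS256 demo key so it runs on the standard library alone; the issuer URL, client ID, key and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not FerrisKey defaults).
DEMO_KEY = b"constructed-demo-key"
REALM_ISSUER = "https://auth.example.test/realms/acme"
CLIENT_ID = "customer-portal"

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in issuer, used only to build sample tokens for this demo."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_enc(_sign(signing_input, key))}"

def check_token(token, key=DEMO_KEY, issuer=REALM_ISSUER, client_id=CLIENT_ID, now=None):
    """Return (True, claims) if this Client may use the token, else (False, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_dec(head))
        # Pin the algorithm: the token must not choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected algorithm"
        if not hmac.compare_digest(_sign(f"{head}.{body}", key), _dec(sig)):
            return False, "bad signature"
        claims = json.loads(_dec(body))
    except (ValueError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    if claims.get("iss") != issuer:  # Realm boundary: other Realms are rejected
        return False, "wrong realm"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):  # per-Client isolation
        return False, "wrong client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:  # tokens are temporary
        return False, "expired"
    return True, claims
```

A local check like this cannot see revocation; detecting a revoked token requires asking the issuer.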


Types of Clients

Web Applications

Examples:

  • Customer portals
  • Admin dashboards
  • Internal tools

Characteristics:

  • Browser-based access
  • Redirect-based login
  • User-centric authentication

Mobile Applications

Examples:

  • iOS or Android apps
  • Desktop applications

Characteristics:

  • Secure authentication without embedded credentials
  • Shared identity across devices
  • Consistent user experience

APIs and Services

Examples:

  • Backend services
  • Internal APIs
  • Microservices

Characteristics:

  • Machine-to-machine application
  • Secure service access
  • Fine-grained authorization

Client Features

Authentication Configuration

Each Client can define:

  • Allowed login methods
  • Session duration
  • Redirect behavior
  • Security constraints

This allows applications to:

  • Match their security requirements
  • Adapt to different user experiences
  • Remain consistent with organizational policies

Authorization & Access Control

Clients rely on FerrisKey to determine:

  • Which users can access the application
  • What roles are required
  • Which permissions apply

Access rules are enforced centrally, ensuring:

  • No duplicated logic
  • No inconsistent permissions
  • Easier audits

Security Isolation

Clients are isolated from one another:

  • A user logged into one Client does not automatically gain access to others
  • Access rules are evaluated per Client
  • Security incidents are contained

This ensures that one application cannot compromise another.


Use Cases

Single Application

A single application relying on FerrisKey:

  • Centralized login
  • Strong security
  • Simple management

Multiple Applications in One Realm

Organizations often have:

  • A user portal
  • An admin dashboard
  • Internal tools

Each application is a separate Client, sharing:

  • The same users
  • The same Realm
  • Consistent security policies

SaaS Platforms

For SaaS providers:

  • One Realm per customer
  • Multiple Clients per customer
  • Strong tenant isolation
  • Custom authentication per customer

Benefits

For Organizations

  • Centralized identity management
  • Reduced security risk
  • Consistent authentication
  • Simpler compliance

For Users

  • Unified login experience
  • Fewer credentials
  • Clear access boundaries
  • Improved trust

For Development Teams

  • No custom authentication logic
  • Standardized security
  • Faster application onboarding
  • Predictable behavior

Best Practices

Client Separation

Create one Client per application:

Recommended Pattern
  • One Client = One Application
  • Avoid sharing Clients between unrelated apps

Least Privilege

  • Grant Clients only the access they need
  • Avoid overly broad permissions
  • Regularly review access rules

Lifecycle Management

  • Remove unused Clients
  • Rotate credentials regularly
  • Monitor authentication activity

Clients are the bridge between your applications and FerrisKey. They allow applications to remain focused on business logic while FerrisKey handles identity, security, and trust.