Entity Enricher uses organization-based multi-tenancy. Every user belongs to one organization, and all data — records, schemas, API keys — is isolated per organization.
Organizations are the top-level boundary for data isolation. When you sign up, you create a new organization or join an existing one. All enrichment records, schemas, and API keys belong to your organization and are accessible to team members based on their role.
Entity Enricher uses a 4-tier role hierarchy. Each role includes all permissions of the roles below it:
Sign up with Google, GitHub, or email through Firebase authentication. During registration, you choose to either create a new organization or join an existing one.
Users go through an approval workflow when joining an organization:
| Status | Meaning | Can Log In? |
|---|---|---|
| Active | Full access to the system based on assigned role | Yes |
| Pending | Join request submitted, waiting for owner approval | No |
| Rejected | Join request was denied by an owner | No |
| Deactivated | Account was disabled (soft delete, preserves audit trail) | No |
Any user can leave their organization. The behavior depends on ownership:
Your account is deactivated and you are signed out. Your enrichment records remain in the organization for audit purposes.
If you are the only remaining owner, you must confirm organization deletion. Enrichment records and schemas are detached (not deleted), while users, API keys, and provider keys are removed with the organization.
Owners access the User Management page to manage their team:
Safety rules:
Entity Enricher supports multiple authentication methods:
Sign in with Google or GitHub via Firebase. No password needed.
Traditional email and password authentication via Firebase.
Programmatic access keys for CI/CD and service integrations.
After authentication, the backend issues short-lived JWT access tokens (15 minutes) and long-lived refresh tokens (7 days). Learn more about programmatic access in the API Keys guide.
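The status table and token lifetimes above can be enforced together as in the following sketch. It is an added example, not Entity Enricher's own code: the class and function names, the in-memory token object standing in for verified JWT claims, and the per-request status re-check are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

ACCESS_TTL = timedelta(minutes=15)  # access-token lifetime stated on this page
REFRESH_TTL = timedelta(days=7)     # refresh-token lifetime stated on this page

class Status(Enum):  # the four statuses from the approval table
    ACTIVE = "Active"
    PENDING = "Pending"
    REJECTED = "Rejected"
    DEACTIVATED = "Deactivated"

@dataclass(frozen=True)
class User:  # hypothetical record shape
    uid: str
    org_id: str
    status: Status

@dataclass(frozen=True)
class AccessToken:  # stands in for the claims of an already verified JWT
    uid: str
    org_id: str
    expires_at: datetime

def issue_access_token(user: User, now: datetime) -> AccessToken:
    """Only Active users can log in; every other status is refused."""
    if user.status is not Status.ACTIVE:
        raise PermissionError(f"login denied: status is {user.status.value}")
    return AccessToken(user.uid, user.org_id, now + ACCESS_TTL)

def refresh(user: User, refresh_issued_at: datetime, now: datetime) -> AccessToken:
    """Refresh re-runs the status gate, so a deactivated user cannot renew."""
    if now - refresh_issued_at >= REFRESH_TTL:
        raise PermissionError("refresh token expired")
    return issue_access_token(user, now)

def authorize(token: AccessToken, user: User, resource_org_id: str, now: datetime) -> bool:
    """Per-request check: unexpired token, user still Active, same organization."""
    if now >= token.expires_at:
        return False
    if token.uid != user.uid or token.org_id != user.org_id:
        return False
    if user.status is not Status.ACTIVE:  # assumption: status is re-read per request
        return False
    return token.org_id == resource_org_id
```

If the per-request status lookup is skipped in favor of a purely stateless token check, a deactivated account keeps access until its current access token expires, which is at most 15 minutes.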