Granular access, without a permissions PhD.
Four roles, unlimited groups, per-token permissions. The model is small enough to hold in your head, expressive enough to pass an audit.
Built-in roles for the common case.
Roles say what kind of user. Groups say what they can touch.
A user can be in any number of groups, and a token can be granted to any number of groups. Each grant carries one permission level: code only (the member can fetch current codes; most common) or full seed (the member can read the underlying secret; rare, admin-tier).
SMS numbers attach to groups the same way. The model composes cleanly: add a user once, the right tokens light up.
For contractors and incidents.
Grant a contractor membership in client-meta-ads with a 30-day expiry. On day 31 the membership is removed automatically, and their next code-fetch attempt is refused.
Temporarily elevate a member to seed permission on a specific token for 4 hours during a credential rotation. Auto-revokes.
The hardest moment, automated.
Clicking "Remove" cuts their session, invalidates their API keys, and removes their group memberships in one transaction.
Kaito flags every full-seed token they had access to, with a one-click "Mark for rotation" workflow: a seed that could be read may have been copied, so removing access alone is not enough for those tokens.
The user record is retained (not deleted) so audit history stays intact. They just can't sign in.
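The access model in the sections above (users in groups, per-token code or seed grants, time-boxed membership, short elevations, and one-transaction removal) as an added Python sketch. This is not Kaito's code: the class names, the `user:<name>` subject convention for direct elevations, and the rule that seed permission implies code permission are assumptions made for the example, and the users, groups and token names are constructed sample data.

```python
"""Toy model of the page's access rules (added example, not Kaito's code).
Every rule is evaluated lazily at fetch time, which is why an expired
membership or grant needs no separate revocation step.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Perm(IntEnum):
    CODE = 1   # may fetch current one-time codes
    SEED = 2   # may read the underlying secret (assumed to imply CODE)


@dataclass
class User:
    name: str
    role: str             # a built-in role; the four names are not modelled
    active: bool = True   # offboarded users stay on record with active=False


@dataclass
class Membership:
    user: str
    group: str
    expires: datetime | None = None   # None means no expiry


@dataclass
class Grant:
    token: str
    subject: str          # group name, or "user:<name>" for a direct elevation
    perm: Perm
    expires: datetime | None = None


@dataclass
class Directory:
    users: dict[str, User] = field(default_factory=dict)
    memberships: list[Membership] = field(default_factory=list)
    grants: list[Grant] = field(default_factory=list)
    sessions: dict[str, set[str]] = field(default_factory=dict)
    api_keys: dict[str, set[str]] = field(default_factory=dict)
    rotation_queue: set[str] = field(default_factory=set)


def _live(expires: datetime | None, now: datetime) -> bool:
    return expires is None or now < expires


def subjects_for(d: Directory, user: str, now: datetime) -> set[str]:
    """Groups the user belongs to right now, plus their own direct subject."""
    names = {f"user:{user}"}
    names.update(m.group for m in d.memberships
                 if m.user == user and _live(m.expires, now))
    return names


def reachable_tokens(d: Directory, user: str, perm: Perm, now: datetime) -> set[str]:
    subj = subjects_for(d, user, now)
    return {g.token for g in d.grants
            if g.subject in subj and g.perm >= perm and _live(g.expires, now)}


def authorize(d: Directory, user: str, token: str, perm: Perm, now: datetime) -> bool:
    """Called on every code or seed fetch; deactivated users are refused outright."""
    u = d.users.get(user)
    if u is None or not u.active:
        return False
    return token in reachable_tokens(d, user, perm, now)


def grant_timeboxed(d: Directory, user: str, group: str, days: int, now: datetime) -> None:
    """Contractor pattern: a membership that lapses on its own."""
    d.memberships.append(Membership(user, group, now + timedelta(days=days)))


def elevate(d: Directory, user: str, token: str, hours: int, now: datetime) -> None:
    """Incident pattern: seed permission on one token that auto-revokes."""
    d.grants.append(Grant(token, f"user:{user}", Perm.SEED, now + timedelta(hours=hours)))


def offboard(d: Directory, user: str, now: datetime) -> set[str]:
    """One atomic removal: work out which seed-level tokens the user could reach,
    then cut sessions, keys, memberships and direct grants, keep the record,
    and queue those tokens for rotation. Returns the flagged token set."""
    if user not in d.users:
        raise KeyError(user)
    flagged = reachable_tokens(d, user, Perm.SEED, now)   # computed before removal
    # In a real store the mutations below belong in a single DB transaction.
    d.sessions.pop(user, None)
    d.api_keys.pop(user, None)
    d.memberships = [m for m in d.memberships if m.user != user]
    d.grants = [g for g in d.grants if g.subject != f"user:{user}"]
    d.users[user].active = False      # retained for audit history, cannot sign in
    d.rotation_queue |= flagged
    return flagged


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time


def at(days: int = 0, hours: int = 0) -> datetime:
    return NOW + timedelta(days=days, hours=hours)


def build_demo() -> Directory:
    """Constructed sample directory: two groups, one contractor, one admin."""
    d = Directory()
    d.users = {"alice": User("alice", "admin"), "bob": User("bob", "member"),
               "cara": User("cara", "member")}
    d.memberships = [Membership("alice", "infra-admins"), Membership("bob", "client-meta-ads")]
    d.grants = [Grant("meta-ads-totp", "client-meta-ads", Perm.CODE),
                Grant("prod-db-totp", "infra-admins", Perm.SEED)]
    d.sessions = {"alice": {"sess-1"}}
    d.api_keys = {"alice": {"key-1"}}
    grant_timeboxed(d, "cara", "client-meta-ads", days=30, now=NOW)   # contractor
    return d
```

`build_demo()` sets up the contractor case from the text; calling `elevate` and `offboard` on that directory exercises the incident and removal flows, and `rotation_queue` afterwards holds the tokens a "Mark for rotation" step would pick up.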
Bring your own identity.
Enterprise plans include SAML 2.0 SSO and SCIM 2.0 user provisioning. Bring your IdP — Okta, Entra ID, Google Workspace, JumpCloud — and Kaito will accept the role mapping you send.