Stackure

B2B partner infrastructure
built for you.

Partner Onboarding, RBAC, and Audit. Delivered as a complete platform.

From 15 years of building secure, scalable B2B systems.

  • Accounts
  • Identity
  • Access
  • Governance
  • Support
  • AI
Sign In Get Started

What gets built for you.

Account Management

Hierarchy, onboarding, lifecycle, and plan governance

Account Hierarchy

Three tier structure: Root, Partner, Subpartner. Database enforced integrity with circular reference detection. Only root and partner levels can create apps.

Partner Onboarding

Self service signup through pending to admin approval or rejection with notes. Approval is atomic: account, super admin, role, and audit record in a single transaction.

Account Expiry

Configurable duration, extensions requestable near expiry, ceiling on new expiry date. Expired accounts degrade to support only scope, not lockout. Closure archives before cascading delete.

Quota and Plan Management

Four tiers: free, pilot, premium, root. Limits on users, teams, apps, subaccounts, team memberships. Account level overrides. Quota checks inside database transactions to prevent race conditions.

Identity and Authentication

Passwordless auth, session management, token security

Passwordless Authentication

Magic link only. No password storage attack surface. Anti enumeration via silent failure on unknown emails. Nonce expiry on magic links. Sign out revokes tokens and clears pending nonces.

Session Management

Dual token architecture: short lived auth token, long lived session token. Single session per user. IP and user agent binding. Legitimate sign in invalidates any stolen token.

Token Security

Encrypt then sign: AES 256 GCM encryption followed by HS512 signing. Tokens are opaque to interceptors, not just tamper resistant. Bearer header and cookie both supported.

Rate Limiting

Per email, IP, and operation combination. Prevents brute force on magic link endpoints and auth flows.

Access Control

Roles, scopes, permissions, teams, and app sharing

Role Based Access Control

Roles from default_user through account_owner with eight intermediate roles. Four scope levels: any, associated, managed, own. Custom roles supported. All enforcement at database level, impossible to bypass.

App Sharing

Apps created at root or partner level, shared to accounts, teams, or partners. Users see a union view: own account apps plus shared to account plus shared to teams.

Team Management

Team creation with leaders and member management. Team to partner delegation. Team to app sharing. Cross hierarchy permission model.

User Management

Full CRUD. Case insensitive email uniqueness enforced throughout. Character level email validation. Account ownership transfer.

Governance and Compliance

Audit trails, usage tracking, security posture

Audit Trail

Per entity audit tables via triggers on INSERT, UPDATE, DELETE with before and after JSONB snapshots. Fires on all code paths including stored procedures. Impossible to bypass.

Usage Events

Tracks all significant actions. Permission aware visibility function ensures users only see activity their current permissions allow. Deleted entity names resolved from event time snapshots.

Security Posture

Per request CSP nonce in security headers. Environment aware CORS. Case insensitive uniqueness enforcement on all identity fields. Character level validation.

Support and Engagement

Search, support requests, and navigation

Search and Navigation

Three surfaces: Browse, Add, Attention List. Tiered keyword matching with permission filtered results. Command palette for fast access across all entities.

Support System

Typed request categories with status workflow: pending, responded, closed. Database level type enforcement on support categories.

Accessible to AI.

Every platform capability exposed as MCP tools. Connect any model, any provider, no lock in.

Your AI systems can onboard partners, assign roles, check permissions, and pull audit trails without custom integration work. You bring the model, the platform serves the tools.

How it's engineered.

The decisions behind the platform, and why they matter.

Permissions enforced at the data layer

No code path, no API call, no manual fix can bypass access control. Every request goes through the same rules at the database level.

Passwordless by design

No passwords stored means no credential stuffing, no breaches from stored secrets, no reset flows. The entire attack surface is eliminated, not mitigated.

Quotas enforced inside transactions

Two requests can't race past the same limit. Overallocation is impossible, not just unlikely.

Tokens encrypted before signed

An intercepted token reveals nothing. Not just tamper proof, unreadable.

Architecture validated on every boot

The server checks its own integrity before serving a single request. Violations are caught before they reach production, not after.

Zero framework dependency

Built on Go's standard library. No dependency churn, no upgrade burden, no convention lock in. Monitoring built into the schema, not bolted on as a third party service.

Plugging into your stack.

Your team is up and running in minutes, not weeks.

  1. Register your app

    Create your app in the dashboard. One form, one app ID.

  2. Define permissions

    Create custom permission keys scoped to your app. View reports, manage billing, whatever your app needs.

  3. Assign to roles

    Bind app permissions to default or custom roles. Users inherit access through their role, not individual grants.

  4. Share access

    Grant the app to specific accounts, teams, or partners. Access is scoped, not global.

  5. Integrate

    Drop in the SDK. JavaScript, Go, Python, or Rust. One endpoint validates the session and returns the user.

Simple. Clean. Flexible. Timeless.

Get Started