Product Roadmap

Building the Future of Identity Management

Our roadmap is shaped by customer feedback and real-world enterprise needs. See what we're working on and what's coming next. Want to influence our direction? Contact us to share your requirements.

Recently Shipped

NEW

Verifiable Credentials (Phases 1–4)

ZenoAuth is now the first lightweight, self-hosted IAM with native W3C Verifiable Credential support. Full OID4VCI issuance and OID4VP verification in the same 16 MB binary. No other self-hosted IAM platform offers both.

Credential Issuance

  • SD-JWT issuance (RFC 9901) with selective disclosure
  • OID4VCI 1.0 (auth code + pre-authorized flows)
  • Bitstring Status List (W3C) for revocation
  • SCIM-to-VC automatic credential offers
  • Credential delivery via email and QR code
  • GDPR-triggered credential revocation

Verification & Federation

  • OID4VP 1.0 wallet-based authentication
  • did:web resolution for external issuers
  • Trusted issuer registries with key caching
  • Credential-augmented RBAC rules engine
  • Per-org issuer DIDs + cross-org federation
  • DCQL query language + Presentation Exchange

Why this matters: The EU mandates citizen digital wallets by December 2026 (eIDAS 2.0). NIST 800-63-4 recognizes digital wallets for identity proofing. Keycloak has OID4VCI only. Okta/Auth0 won't ship VC support until late 2026. ZenoAuth has both issuance and verification — today.

NEW

Privileged Identity Management (Phases A & B)

ZenoAuth is now the only self-hosted IAM that combines identity management with privileged access control. Just-In-Time access, approval workflows, break-glass emergency access, and VC-based privilege tokens — all in the same binary.

Phase A: Core JIT Access

  • Elevation request engine with justification & ticket refs
  • Configurable approval policies (manual, conditional, auto)
  • Auto-expiry scheduler (background task, 60s interval)
  • Admin UI: PIM dashboard, requests, approvals, policies
  • TUI screens: Elevations + PIM Policies

Phase B: VC Tokens & Break-Glass

  • SD-JWT privilege credentials on elevation approval
  • Offline-verifiable privilege tokens (no callback needed)
  • Break-glass emergency access with enhanced audit
  • Mandatory post-incident review workflow
  • NIST assurance-gated elevation (IAL/AAL)

Why this matters: CyberArk starts at $70/user/month. Azure PIM locks you into one cloud. Open source PAM tools lack IAM integration. ZenoAuth ships PIM inside the same 16 MB binary — with cryptographic privilege tokens no competitor can match.

FIXED

HA Cluster Key Rotation

Signing key rotation now propagates automatically across all ZenoAuth instances in a cluster. When one instance rotates keys, every other instance picks up the new keys within seconds — zero downtime, zero token validation errors during rotation. Production-grade high availability.

Current Release

STABLE

ZenoAuth v1.0

Production-ready identity management in a single 16 MB binary. Complete OAuth 2.0, OpenID Connect, SCIM v2, and LDAP support.

Core Features

  • OAuth 2.0 Authorization Server
  • OpenID Connect Provider
  • Pushed Authorization Requests (PAR)
  • Dynamic Client Registration (DCR)
  • Rich Authorization Requests (RAR)
  • SCIM v2 Inbound & Outbound
  • SCIM Nested Groups (RFC 7643)
  • Groups Management
  • Custom Scopes
  • Multi-Factor Authentication
  • WebAuthn / Passkeys
  • SMS/Email OTP
  • Magic Link Authentication
  • Role-Based Access Control (RBAC)

Admin & Operations

  • Next.js Admin Dashboard
  • Terminal UI (TUI)
  • Real-time Analytics
  • Comprehensive Audit Logs
  • Token Management
  • User Portal
  • Docker Deployment
  • Background Job Scheduler

Enterprise Features

  • Multi-Tenancy (Organizations)
  • LDAP/Active Directory Sync
  • GDPR Compliance & Data Export
  • Session Management
  • Trusted Devices
  • Emergency Access (Break Glass)
  • Custom Domains
  • Advanced Rate Limiting

Planned Features

PLANNED

SAML 2.0 Support

Enterprise SAML integration as both Identity Provider and Service Provider. Full XML signature support for secure assertion handling.

PLANNED

Webhook Events

Real-time event notifications for user lifecycle events, authentication, and administrative actions. Enable custom integrations and workflows.

PLANNED

Risk-Based Authentication

Intelligent authentication that adapts based on risk signals like device trust, location, and behavioral patterns.

PLANNED

Policy-as-Code

Define access policies using code. Version-controlled, testable authorization rules with support for OPA/Rego or similar policy languages.

Under Consideration

These features are being evaluated based on customer demand and enterprise feedback. Contact us to share your priorities and requirements.

Authentication

  • Device Trust Scoring
  • Passwordless-only Mode
  • Step-up Authentication

Integration

  • GraphQL API
  • Terraform Provider
  • Kubernetes Operator
  • Azure AD B2C Migration

Compliance

  • SOC 2 Reporting Tools
  • Automated Compliance Checks
  • Data Residency Controls
  • HIPAA Compliance Mode

Shape the Future

ZenoAuth is built for enterprises. Your feedback directly influences our roadmap. Contact us to share your requirements and priorities.
