v1 · production · authorization & compliance API

Access control that's
audit-ready from day one.

Darwan is the authorization and compliance engine for multi-tenant applications. Enforce least privilege, pass compliance audits, and ship access control from a single API — with immutable audit trails, separation of duties, and periodic access reviews built in.

Proofs · last verified 2026-04-13

Evaluation latency: < 5 ms (p95 · RBAC + ABAC · Redis-backed cache)
Audit integrity: SHA-256 chain (per-tenant sequenced · verifiable on demand)
Decision model: Deny-overrides (explainable · 6 reason codes)
Frameworks: 7 supported (SOX · SOC 2 · ISO · HIPAA · PCI · GDPR · NIST)
Stack: .NET 10 · PostgreSQL 18 (single deployable · Docker-first)

Regulatory frameworks supported out of the box

SOX · SOC 2 Type II · ISO 27001 · HIPAA · PCI DSS v4.0 · GDPR · NIST 800-53

01 / 04 Capabilities

Nine capabilities,
one authorization API.

Not a feature checklist. Each item below is wired into request-handling code that runs in production. Read the source. Audit the logs.

01 · Role-Based Access Control (RBAC)

Define roles, permissions, and assignments across tenants. Deny-overrides-allow evaluation with explainable decisions.

02 · Attribute-Based Policies (ABAC)

Layer fine-grained conditions on top of RBAC. Ownership rules, JSON constraints, and versioned policy sets.

03 · Multi-Tenant by Default (Tenants)

Every entity is tenant-scoped. One Darwan instance serves all your products with isolated data and policies.

04 · Time-Bound Assignments (Expiry)

Set expiration dates on role assignments. Expired grants are automatically excluded from authorization and cleaned up by a background service.

05 · Separation of Duties (SoD)

Define conflicting role constraints with Block or Warn enforcement. Violations are caught at assignment time across direct and group paths.

06 · Periodic Access Reviews (Reviews)

Create certification campaigns to review all role assignments. Approve or revoke with audit trails. Overdue reviews auto-expire.

07 · Immutable Audit Trails (Integrity)

Every decision is logged with SHA-256 hash chains and per-tenant sequencing. Verify integrity on demand. Archived, never deleted.

08 · Audit Export & Analytics (Export)

Paginated search with filters, summary analytics, and CSV/JSON export. Real-time audit dashboard with integrity verification.

09 · API Keys & Webhooks (Events)

Scoped API keys for service-to-service auth. Webhooks push role, policy, and compliance events to every downstream service.

“Most authorization vendors ask you to model policy in their DSL and check your audit trail in their dashboard. We give you the API, the decision log, and the SQL — because that is what an auditor asks for.”
Lutfar Rahman · founder, KaritKarma

02 / 04 How it works

Three steps.
One decision log.

Define your model once in the console or via API, call /v1/authorize from every service, audit every decision from a single immutable log. No sidecars, no policy language to learn.

Step 01 · Define: tenants, roles, permissions

Model your access in the admin console or via API. Assign roles with optional expiry dates and Separation-of-Duties constraints.

Step 02 · Authorize: POST /v1/authorize

Darwan evaluates RBAC grants, ABAC policies, and time-bound assignments, then returns an explainable decision in under 5 ms.

POST /v1/authorize
{ "action": "read", "resource": "invoice" }
200 OK { "allowed": true, "reason": "role:finance-reader" }
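The shape of the decision described in this step, as an added example and not Darwan's own code: an in-memory authorizer that combines RBAC grants, one ABAC-style ownership condition and expiring assignments under deny-overrides, and returns a reason string in the same spirit as the "role:finance-reader" response above. The role catalogue, the assignments, the fixed clock and the reason codes ("no-active-role", "deny:<role>", "condition:owner-only", "no-matching-grant") are all constructed for this illustration; the real service defines its own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed in-memory model, not Darwan's code: enough to show how a
# deny-overrides decision over RBAC grants, an ABAC ownership condition and
# expiring assignments produces an explainable reason string.


@dataclass(frozen=True)
class Permission:
    action: str
    resource_type: str
    effect: str = "allow"      # "allow" or "deny"
    owner_only: bool = False   # ABAC-style condition: principal must own the resource


@dataclass(frozen=True)
class Assignment:
    principal_id: str
    role: str
    expires_at: Optional[datetime] = None   # None means the grant does not expire


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # constructed reason codes; the real service defines its own


# Constructed role catalogue (role -> permissions)
ROLES = {
    "finance-reader": (Permission("read", "invoice"),),
    "finance-editor": (Permission("read", "invoice"),
                       Permission("update", "invoice", owner_only=True)),
    "suspended":      (Permission("read", "invoice", effect="deny"),),
}

# Constructed assignments; "now" is fixed so the example is deterministic
NOW = datetime(2026, 4, 13, 12, 0, tzinfo=timezone.utc)
ASSIGNMENTS = [
    Assignment("user-42", "finance-reader"),
    Assignment("user-7", "finance-reader", expires_at=datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Assignment("user-9", "finance-editor"),
    Assignment("user-13", "finance-reader"),
    Assignment("user-13", "suspended"),
]


def active_roles(assignments, principal_id, now):
    """Roles from unexpired assignments. An expired grant is simply absent;
    it is not turned into a deny."""
    return [a.role for a in assignments
            if a.principal_id == principal_id
            and (a.expires_at is None or a.expires_at > now)]


def authorize(assignments, principal_id, action, resource_type, resource_owner, now=NOW):
    """Deny-overrides: any matching deny wins, whatever order roles are listed in;
    otherwise the first satisfied allow wins; otherwise the default is deny."""
    roles = active_roles(assignments, principal_id, now)
    if not roles:
        return Decision(False, "no-active-role")
    allow_reason = None
    condition_failed = False
    for role in roles:
        for perm in ROLES.get(role, ()):
            if perm.action != action or perm.resource_type != resource_type:
                continue
            if perm.effect == "deny":
                return Decision(False, f"deny:{role}")   # deny overrides any allow
            if perm.owner_only and resource_owner != principal_id:
                condition_failed = True                  # grant exists but condition unmet
                continue
            if allow_reason is None:
                allow_reason = f"role:{role}"
    if allow_reason is not None:
        return Decision(True, allow_reason)
    if condition_failed:
        return Decision(False, "condition:owner-only")
    return Decision(False, "no-matching-grant")


if __name__ == "__main__":
    print(authorize(ASSIGNMENTS, "user-42", "read", "invoice", resource_owner=None))
    print(authorize(ASSIGNMENTS, "user-7", "read", "invoice", resource_owner=None))
    print(authorize(ASSIGNMENTS, "user-13", "read", "invoice", resource_owner=None))
    print(authorize(ASSIGNMENTS, "user-9", "update", "invoice", resource_owner="user-1"))
```

Two details matter for a defender reading the decision log: an expired assignment is excluded before evaluation (reason "no-active-role"), so it can never mask or be masked by another grant, and a deny attached to any active role wins even when an allow was already found, which is what makes the "suspended" role effective regardless of how many other roles the principal holds.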
Step 03 · Audit & review: SHA-256 chained, per-tenant sequenced

Every decision is hash-chained, sequenced, and archived. Run periodic access reviews, export CSV/JSON, verify integrity on demand.
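What "hash-chained, sequenced, verify on demand" means in practice, as an added example that is not Darwan's implementation: each tenant has its own chain, every entry stores the SHA-256 of a canonical encoding of (tenant, sequence number, payload, previous hash), and a verifier recomputes every hash and walks the links. The decision payloads, tenant names and the genesis constant are constructed for this illustration; the tamper helper exists only to show what the verifier reports when a record is edited or removed.

```python
import hashlib
import json
from dataclasses import dataclass, replace

# Constructed example, not Darwan's implementation: a per-tenant SHA-256 hash
# chain over decision records, plus the verifier an auditor would run on demand.

GENESIS = "0" * 64   # prev_hash of the first entry in every tenant's chain


@dataclass(frozen=True)
class AuditEntry:
    tenant_id: str
    seq: int          # 1-based, contiguous per tenant
    payload: dict     # the decision being recorded
    prev_hash: str
    hash: str


def entry_hash(tenant_id, seq, payload, prev_hash):
    """SHA-256 over a canonical JSON encoding, so the same record always
    hashes identically regardless of key order or whitespace."""
    canonical = json.dumps(
        {"tenantId": tenant_id, "seq": seq, "payload": payload, "prevHash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only store with one independent chain per tenant."""

    def __init__(self):
        self._chains = {}

    def append(self, tenant_id, payload):
        chain = self._chains.setdefault(tenant_id, [])
        seq = len(chain) + 1
        prev_hash = chain[-1].hash if chain else GENESIS
        entry = AuditEntry(tenant_id, seq, payload, prev_hash,
                           entry_hash(tenant_id, seq, payload, prev_hash))
        chain.append(entry)
        return entry

    def entries(self, tenant_id):
        return list(self._chains.get(tenant_id, []))


def verify_chain(entries):
    """Recompute every hash and walk the links. Returns (ok, problems).
    Catches edited content, a re-hashed entry, and a deleted or reordered entry."""
    problems = []
    expected_prev = GENESIS
    for position, e in enumerate(entries, start=1):
        if e.seq != position:
            problems.append(f"seq gap: expected {position}, found {e.seq}")
        if e.prev_hash != expected_prev:
            problems.append(f"seq {e.seq}: prev_hash does not link to previous entry")
        recomputed = entry_hash(e.tenant_id, e.seq, e.payload, e.prev_hash)
        if recomputed != e.hash:
            problems.append(f"seq {e.seq}: stored hash does not match content")
        expected_prev = recomputed   # the chain is defined by content, not by stored hashes
    return (not problems, problems)


def build_sample_log():
    """Constructed decisions for two tenants."""
    log = AuditLog()
    for principal, allowed, reason in [
        ("user-42", True, "role:finance-reader"),
        ("user-7", False, "no-active-role"),
        ("user-13", False, "deny:suspended"),
    ]:
        log.append("acme-corp", {"principalId": principal, "action": "read",
                                 "resourceType": "invoice", "allowed": allowed, "reason": reason})
    log.append("globex", {"principalId": "user-1", "action": "read",
                          "resourceType": "invoice", "allowed": True, "reason": "role:viewer"})
    return log


def tamper_payload(entries, seq, new_payload):
    """Simulate an after-the-fact edit of one record's content (stored hash left as is)."""
    return [replace(e, payload=new_payload) if e.seq == seq else e for e in entries]


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log.entries("acme-corp")))
    print(verify_chain(tamper_payload(log.entries("acme-corp"), 2, {"allowed": True})))
    shortened = log.entries("acme-corp")
    del shortened[1]
    print(verify_chain(shortened))
```

The verifier links each entry to the recomputed hash of its predecessor rather than the stored one, so an edit that also rewrites the edited record's own hash is still caught by the next record's link. Per-tenant sequence numbers are what turn a silent deletion into a detectable gap: without them, removing the last entry of a chain would leave a perfectly valid shorter chain.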

03 / 04 Regulatory readiness

Seven frameworks.
No bolt-on tools needed.

Darwan provides the controls, audit trails, and review workflows required by major compliance frameworks. Mapped to specific clauses, not brochure claims.

SOX · Sarbanes-Oxley
SoD constraints, access reviews, immutable audit logs

SOC 2 · Type II
Audit trails, access reviews, time-bound access, integrity verification

ISO 27001 · Annex A.9
RBAC, periodic reviews, audit logging, least-privilege enforcement

HIPAA · Security Rule
Access controls, audit logs, automatic session expiry, review certification

PCI DSS · v4.0
Role-based access, SoD, quarterly reviews, audit trail retention

GDPR · Art. 5(1)(f)
Access control, audit trails, data minimization via expiry, review evidence

NIST 800-53 · AC / AU Controls
RBAC/ABAC, SoD, continuous monitoring, audit integrity, access reviews

04 / 04 Integrate

One HTTP call
from any service.

If your stack speaks HTTP and JSON, Darwan drops in. Official SDKs for .NET, Go, Node.js, and Rust — or hit /v1/authorize directly. Every decision returns a reason code your application can surface to the user.

POST /v1/authorize
# Request
POST /v1/authorize HTTP/1.1
Host: darwan.net
Authorization: Bearer <api-key>
Content-Type: application/json

{
  "tenantId":     "acme-corp",
  "principalId":  "user-42",
  "action":       "read",
  "resourceType": "invoice",
  "resourceId":   "inv-2026-0413"
}

# Response — 200 OK
{
  "allowed":  true,
  "reason":   "role:finance-reader",
  "policyId": "pol_8f2e1c",
  "traceId":  "01HXYZ...",
  "ttlMs":    30000
}

Architecture

.NET 10 · PostgreSQL 18 · Redis · OAuth 2.1 · OpenAPI · Docker

Get started

Ship compliant
access control this sprint.

Sign in to start managing roles, enforcing separation of duties, and running access reviews. On-prem, hosted, or hybrid — we work with the deployment model your security team already trusts.