oo-identity

authentication, workspaces, permissions, and billing. everything you need to manage who has access to what.

four pillars

sign in → organize → control → pay

authentication

sign in with passkeys or email. no passwords to remember or leak.

powered by hanko

workspaces

separate spaces for different teams or clients. data stays isolated between them.

zero data leakage

permissions

four roles: owner, admin, member, viewer. control who can do what.

enforced at every level

credits & billing

usage-based pricing. three credit pools: daily bonus, subscription, and purchased.

how it's organized

your account, your billing, your workspaces

your account

  • one identity across all workspaces
  • passwordless sign-in
  • personal preferences and style
  • can belong to multiple organizations

your organization

  • owns the subscription and credits
  • manages one or more workspaces
  • shared credit pool for the team
  • plan tier determines available features

your workspaces

  • isolated environment per team or client
  • separate agent memory per workspace
  • role-based permissions
  • custom subdomain (paid plans)

beta launch (may 2026): starting with one workspace per account for stability. multi-workspace support unlocks post-launch for agency tier.

roles & permissions

four roles with increasing access

owner

  • manages billing and credits
  • publishes agent knowledge
  • invites and manages team members
  • configures domains and integrations

admin (creator tier+)

  • invites members
  • manages workspace settings
  • creates and edits knowledge
  • cannot manage billing

member (creator tier+)

  • works with agents
  • creates knowledge
  • uses credits
  • edits content

viewer (all tiers)

  • read-only access
  • cannot run agents
  • doesn't use credits
  • ideal for clients and stakeholders

data isolation

zero data leakage between clients

workspace separation

every piece of data is tied to a specific workspace. agents can only access memory within their own workspace.

  • agent memory stays within its workspace
  • knowledge belongs to one workspace only
  • agents cannot query across workspaces

enforced at every layer

isolation isn't just a UI feature. it's enforced in the database, the api, and every internal service.

  • access tokens scoped to workspace
  • internal services verify permissions
  • unauthorized requests are rejected

verified in production: evmg uses workspace isolation to keep competitive clients' data separate. client a's wind farm agent literally cannot access client b's solar data.

security & compliance

built for regulated industries

encryption

all data encrypted at rest (aes-256-gcm). short-lived access tokens with automatic rotation.

audit logs

every action logged with who did it, when, and in which workspace. gdpr-compliant retention.

eu sovereignty

german gmbh, eu-only infrastructure, gdpr-native. your data never leaves europe.