The control plane is not an integrator REST surface. Organisations, tenants, plans, billing, and CP-level members are managed through the IntelliAuth admin console at https://manage.<DOMAIN_BASE> — by humans, on the web, with every action captured in the audit trail.
If you're integrating IntelliAuth into your product, you want the Data plane API and the SDKs that wrap it. This topic exists as a quick map of what's on the other side of the line.
What the control plane owns
| Area | Where it lives |
|---|---|
| Organisations (you, the customer of IntelliAuth) | CP admin console |
| Tenants (the per-environment units inside your org) | CP admin console |
| Plans + billing | CP admin console |
| CP-level members + invitations | CP admin console |
| CP-level audit | CP admin console |
| Tenant provisioning sagas | CP admin console (status views) |
These are platform-operator concerns. The platform operator is your team — the people who decide that you'll have a "prod" tenant, a "staging" tenant, a "uat" tenant. Not your end-users; not even your tenant admins.
What the data plane owns
Per-tenant operations. The data plane's REST surface — wrapped by the SDKs — exposes the integrator-facing subset:
- End-user sign-in, sign-out, MFA, password reset
- Token issuance, refresh, revocation
- User management (CRUD)
- Group management (RBAC)
- Resource + relation management (ReBAC)
- Application configuration
- Federation connection management
- Webhook subscriptions
- Self-service for the signed-in user
Plus tenant-admin-only operations that DON'T have a REST integrator surface — Flows + Actions configuration, Reports, audit reads, threat-intel feed management, branding. Those are operated in the tenant admin console at https://<tenant>-<org>.<DOMAIN_BASE>/admin.
Why the separation matters
Three reasons for the firm CP-vs-DP split:
- Blast radius. A leaked DP token unlocks one tenant. A leaked CP token would unlock the whole platform. Keeping CP off-network for integrators is defence in depth.
- Audit clarity. Every CP action has a named human actor in the audit log. Mixing programmatic CP changes into the audit stream blurs that.
- Operational deliberateness. Tenant creation, plan changes, decommissioning — these are events that should be deliberate human acts, not silent API calls in a CI script.
If you find yourself wishing for a CP API, the right next step is to talk to the IntelliAuth team about the specific automation case. Some workflows (auto-provision a fresh tenant for an integration test, for example) genuinely benefit from automation; the platform's roadmap accommodates them through controlled-blast-radius mechanisms when needed.