We sell authentication, which makes our scariest question a simple one: when a customer wires their app to us and switches everything on, does it actually work, end to end, on the real thing? Not "do the unit tests pass," but does a brand-new tenant sign up, configure SSO and SCIM and MFA and custom claims and branding, point a real application at it, and log a real user in with the right claims in the token, through a real browser. We answer that the only way we trust: with one end-to-end test that becomes a customer.
It's a single Playwright run, deliberately serial and stateful, and it walks the whole life of a tenant from birth to deletion. One tenant signs up, gets configured to the teeth, serves a real login to a real consumer app, gets backed up and restored, then deletes itself. If any link in that chain breaks, the run goes red, and we don't ship.
It configures everything, not a happy-path slice
The middle of the test is thorough on purpose. It doesn't log in and call it a day; it walks every screen a real implementer touches and exercises it for real: a custom OIDC client with its redirect URIs and token settings, a custom scope that emits user claims, roles and a role assignment, an end user with a custom attribute, a group with real membership and a group-to-role mapping, SAML and OIDC enterprise connections, a SCIM provisioning token, a custom domain, an outbound provisioning app, a teammate invited and re-roled, billing through a real checkout, the audit log with filters and a CSV export, a sandbox environment, and the security, webhook, and email settings (each flipped, then reverted to a safe state). Every one of those is created, verified, and where it makes sense deleted, in the same run.






