Dapple Concepts
Dapple profile
A Dapple profile is tied to an individual (you), not to a single organization. One profile can include multiple accounts (for different organizations) and can be used across multiple devices.
Dapple account
A Dapple account is a container for passkeys and related metadata. You can create multiple Dapple accounts to organize passkeys (for example, separate personal and work accounts).
An account also lets you associate your Dapple profile with an organization. If your organization uses Dapple, an administrator can send you an invite token. Applying that invite links your account to the organization and allows you to create passkeys that grant access to the organization's resources.
Accounts keep passkeys grouped and labeled so it's easy to see which keys belong to which organization or purpose.
Dapple organization
A Dapple organization represents a company or team that uses Dapple to manage access to its apps and systems. Organizations can invite users to join by providing invite tokens. When you accept an invite, your Dapple account becomes associated with the organization and you can create or use passkeys scoped to that organization's resources.
Organization administrators can manage membership and view metadata (such as account nicknames), but they do not receive your biometric data or private key material.
Organizations can also be arranged in a parent-child hierarchy (described in the next section), so that a parent organization can oversee one or more child organizations. This supports multi-level structures for managed service providers (MSPs), MSSPs, and large enterprises.
Organization hierarchy
Dapple organizations can be arranged in a parent-child hierarchy. A parent organization can manage one or more child organizations, and those children may have children of their own, forming a tree structure.
Each organization in the hierarchy is managed independently, but administrative roles such as Site Admin and Full Admin allow privileged users to manage across organizational boundaries. Permissions granted at a higher level in the hierarchy flow down to child organizations for administrators who hold those roles.
The hierarchy is surfaced in the admin portal through two places:
- The organization switcher in the page header, which displays accessible organizations as a collapsible tree and lets administrators move between them.
- The Tenant Organizations page under Settings, which shows the current organization and its child organizations and provides tools to create, edit, or delete them.
User roles
Every user in a Dapple organization is assigned a role that controls what they can see and do. Roles are assigned per organization, so a user may hold different roles in different organizations within the same hierarchy.
Member
The default role for end users. Members can authenticate using passkeys and manage their own passkeys and authentication history. Members do not have access to the admin portal.
Organization Admin
Organization admins can manage their own organization through the admin portal. Capabilities include:
- Inviting new users and managing existing users within the organization
- Assigning and modifying user roles within the organization
- Viewing organization-level logs and reports
- Configuring log export for SIEM integration
- Managing restricted domains
- Managing branding and white-label theme settings
Organization admins can only manage their own organization. They cannot view or modify child or parent organizations.
Site Admin
Intended for MSPs and tenant administrators who manage multiple child organizations. Site admins have Organization Admin-level capabilities across their managed child organizations, but cannot modify their own organization's settings. Additional capabilities include:
- Viewing aggregated logs and metrics across managed child organizations
- Managing users, roles, domains, and settings within child organizations
Site admins cannot create new child organizations.
Full Admin
Intended for MSP administrators with top-level control of an entire organizational hierarchy. Full admins have all Site Admin capabilities plus:
- Full administrative access to their own organization (equivalent to Organization Admin for their own org)
- Ability to create new child organizations
- Management of all organizations throughout the entire hierarchy
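The role rules above are an access-control model, so here is the check as an authorization function. This is an added illustration written for this page, not Dapple's implementation; the organization ids, the action names and the grouping of portal capabilities into four actions are assumptions. Two readings are also assumptions and are marked in the code: an Organization Admin cannot create child organizations (creating one would manage an organization other than its own), and a Full Admin's scope is the organization the role is held in plus everything beneath it.

```python
"""Hypothetical model of the admin-portal role rules documented above (added example, not Dapple code)."""
from enum import Enum, auto
from typing import Dict, Optional


class Role(Enum):
    MEMBER = auto()
    ORG_ADMIN = auto()
    SITE_ADMIN = auto()
    FULL_ADMIN = auto()


class Action(Enum):
    MANAGE_USERS = auto()      # invite users, change roles
    VIEW_LOGS = auto()         # logs, reports, SIEM export configuration
    MANAGE_SETTINGS = auto()   # restricted domains, branding
    CREATE_CHILD_ORG = auto()  # reserved for Full Admin per the documentation


# Constructed hierarchy: org id -> parent org id (None at the root).
PARENT_OF: Dict[str, Optional[str]] = {
    "msp": None,
    "client-a": "msp",
    "client-a-eu": "client-a",
    "client-b": "msp",
}


def is_strict_descendant(parent_of: Dict[str, Optional[str]], org: str, ancestor: str) -> bool:
    """True if `ancestor` lies strictly above `org` (org itself excluded).
    The visited set stops an infinite walk if the parent map is malformed (cycle)."""
    seen = set()
    cur = parent_of.get(org)
    while cur is not None and cur not in seen:
        if cur == ancestor:
            return True
        seen.add(cur)
        cur = parent_of.get(cur)
    return False


def is_allowed(roles: Dict[str, Role], parent_of: Dict[str, Optional[str]],
               action: Action, target: str) -> bool:
    """Decide whether a user holding `roles` (org id -> role, assigned per organization)
    may perform `action` on `target`. Default deny; every grant below is explicit."""
    if target not in parent_of:
        return False
    for org, role in roles.items():
        if role is Role.MEMBER:
            continue  # Members have no admin portal access at all
        if role is Role.ORG_ADMIN:
            # Own organization only; creating a child is treated as managing another org (assumption).
            if target == org and action is not Action.CREATE_CHILD_ORG:
                return True
        elif role is Role.SITE_ADMIN:
            # Managed child organizations and their descendants, never the org the role is held in,
            # and never creating new child organizations.
            if is_strict_descendant(parent_of, target, org) and action is not Action.CREATE_CHILD_ORG:
                return True
        elif role is Role.FULL_ADMIN:
            # Own organization plus everything beneath it, including creating child orgs (assumption on scope).
            if target == org or is_strict_descendant(parent_of, target, org):
                return True
    return False
```

Because roles are keyed by organization, one user can be an Organization Admin of `client-a` and a plain Member of `client-b` at the same time, and the function evaluates each assignment independently; the subtree walk is what makes a Site Admin's permissions "flow down" to grandchildren such as `client-a-eu` without ever reaching the organization the role is held in.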
Passkeys
- The actual passkey material remains on the device where it was created.
- Dapple synchronizes only metadata (creation device, last-used time, etc.) via the cloud.
- If needed, Dapple can regenerate passkeys using biometric information enrolled in the profile.
Recovery key
- During enrollment you are shown a recovery key (QR code). This key plus a biometric scan lets you recover your profile on a new device.
- Any device that is enrolled with Dapple can be used to display the recovery key so that you can enroll a new device.
- Store the recovery key securely; if you lose all your Dapple-enrolled devices, you will need a separate copy for recovery on a new device.
- On mobile, you can optionally store your recovery key in iCloud Keychain (iOS) or Google Block Store (Android). The key is stored end-to-end encrypted so the cloud provider cannot access it. Cloud backup can be enabled or disabled from the View Recovery Key screen at any time.
Credential provider
- Dapple can be enabled as a credential provider (on Android/iOS) so passkeys created by browsers or apps can be saved directly into Dapple.
Restricted domains
A restricted domain is a DNS domain that an organization has claimed and verified as its own. To prove control, an administrator publishes a DNS TXT record containing a cryptographic verification string generated in the organization's admin portal; once Dapple confirms that record, the domain can be marked as "restricted" for that organization.
When a domain is restricted, any Dapple passkey created for usernames that use that domain (for example, user@company.com) can be associated with and managed by the organization. This allows organization administrators to discover and manage passkeys tied to their domain (for example, to assist with troubleshooting, or to monitor usage).
How to claim a restricted domain (high level):
- An organization administrator generates a verification token from the Dapple admin portal.
- The administrator publishes the token as a DNS TXT record on the domain to prove control.
- Dapple verifies the DNS record (verification may take time due to DNS propagation) and marks the domain as restricted for that organization.
Notes and caveats:
- Restricted domains affect passkeys created for usernames in that domain; they do not give the organization access to users' biometrics or private keys.
- Restricting a domain only affects passkeys created after the domain is restricted; existing passkeys scoped to that domain are unaffected.
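The claim procedure and the caveats above describe the standard TXT-record ownership check, so here is a worked, offline version of both sides: the portal issuing a token and the verifier reading the zone. This is an added example, not Dapple's scheme: the record label `dapple-site-verification=`, the HMAC token construction, placement of the record at the apex of the claimed name, the stub resolver and the zone contents are all assumptions constructed for illustration. Binding the organization id and the normalized domain into the token means a value copied from one zone into another, or reused by a different organization, does not verify, and the verifier tolerates the things real zones contain: unrelated SPF records at the same name, mixed-case or trailing-dot input, and long values split into multiple character-strings.

```python
"""Illustrative DNS TXT domain-ownership verification (added example; label and token format are hypothetical)."""
import base64
import hashlib
import hmac
from typing import Dict, List, Sequence

TXT_LABEL = "dapple-site-verification="  # hypothetical record label, assumed for this example


def normalize_domain(domain: str) -> str:
    """Canonical DNS name: trimmed, lowercase, no trailing dot, IDNA-encoded."""
    name = domain.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def issue_token(issuer_key: bytes, org_id: str, domain: str) -> str:
    """Verification string the admin portal would hand to the administrator.
    An HMAC over (org_id, domain) binds the token to both, so it proves nothing
    when published for another name or claimed by another organization."""
    msg = org_id.encode("utf-8") + b"\x00" + normalize_domain(domain).encode("ascii")
    mac = hmac.new(issuer_key, msg, hashlib.sha256).digest()
    return base64.b32encode(mac[:20]).decode("ascii").lower()  # 32 chars, no padding


def txt_values(zone: Dict[str, Sequence[Sequence[str]]], name: str) -> List[str]:
    """Stub resolver (constructed zone instead of a network lookup). A TXT RR carries one or
    more <=255-byte character-strings; consumers join them with no separator, as SPF and DKIM do."""
    return ["".join(rr) for rr in zone.get(normalize_domain(name), [])]


def domain_is_verified(issuer_key: bytes, org_id: str, domain: str,
                       zone: Dict[str, Sequence[Sequence[str]]]) -> bool:
    """Recompute the expected token for (org_id, domain) and look for it at exactly that name."""
    expected = issue_token(issuer_key, org_id, domain).encode("ascii")
    matched = False
    for value in txt_values(zone, domain):
        value = value.strip()
        if not value.startswith(TXT_LABEL):
            continue  # SPF, DMARC and other TXT records legitimately share the apex
        candidate = value[len(TXT_LABEL):].strip().lower().encode("ascii", "replace")
        # Constant-time compare; keep scanning so timing does not reveal which record matched.
        matched |= hmac.compare_digest(candidate, expected)
    return matched


# Constructed demo data. A real issuer key is a server-side secret; this one is derived from a fixed string.
ISSUER_KEY = hashlib.sha256(b"constructed-demo-issuer-key").digest()
_token_company = issue_token(ISSUER_KEY, "org-123", "company.com")
_token_split = issue_token(ISSUER_KEY, "org-456", "split.example")
ZONE: Dict[str, Sequence[Sequence[str]]] = {
    "company.com": [
        ("v=spf1 include:_spf.example.net -all",),  # unrelated record at the same name
        (TXT_LABEL + _token_company,),
    ],
    # Token copied verbatim from company.com: bound to that name, so it proves nothing here.
    "copycat.example": [(TXT_LABEL + _token_company,)],
    # Record published on a subdomain only; the apex company.net itself has no record.
    "staging.company.net": [(TXT_LABEL + issue_token(ISSUER_KEY, "org-123", "company.net"),)],
    # DNS host split a long value into two character-strings; the verifier must join them.
    "split.example": [(TXT_LABEL + _token_split[:12], _token_split[12:])],
}

if __name__ == "__main__":
    for org, name in [("org-123", "company.com"), ("org-999", "company.com"),
                      ("org-123", "copycat.example"), ("org-123", "company.net"),
                      ("org-456", "split.example")]:
        print(f"{org:8} {name:18} verified={domain_is_verified(ISSUER_KEY, org, name, ZONE)}")
```

In production the stub resolver is replaced by a real lookup, and the "may take time due to DNS propagation" caveat becomes a retry loop around `domain_is_verified` rather than a one-shot check; the comparison and normalization logic stay the same.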