Product FAQ
Product questions, answered.
Core modules, identity model, and rollout basics.
What is Lamba built for?
Lamba provides tenant-aware authentication, authorization, and governance so teams can ship identity without rebuilding the core infrastructure.
How do tenants and projects map to environments?
Tenants represent customer orgs. Projects separate sandbox and production or product lines, each with its own keys, domains, and usage.
Which login methods are supported?
Password, magic link, social login, SMS OTP, and OIDC/SSO-ready flows depending on plan.
How do campaigns, loyalty, and webhooks connect?
Every module runs on the same tenant + project context, so messaging, rewards, audit trails, and events stay consistent with identity data.
Evaluation links
Jump directly to trust and technical references.
Use these links during security reviews, architecture assessment, and procurement checklists.
Pricing FAQ
Pricing questions, answered.
Usage rules, limits, and plan changes in one place.
How do upgrades and downgrades work?
Upgrades apply immediately so you can unlock higher limits right away. Downgrades take effect on the next billing cycle, and we keep your data intact.
What happens on Free when we hit a limit?
Free has hard caps in production and returns 402 PLAN_LIMIT_EXCEEDED with clear guidance. You can upgrade to keep usage flowing.
How do sandbox and production environments work?
Paid plans include separate sandbox and production projects; sandbox traffic is not billable. The Free plan includes production only.
How does overage billing work?
On paid plans, MAU and campaign email usage can exceed the included amount and bill at the published plan rates at the end of the cycle. We surface usage early so you can avoid surprises.
How do you define MAU?
MAU is the count of unique users or devices with a successful session in a rolling 30-day window.
How long does launch pricing last?
Green launch pricing stays at $49/month through December 2026. Green renews at $99/month starting in 2027.
Where can enterprise reviewers find trust and technical artifacts?
Start with the Trust Center and Status page, then use the API overview, OpenAPI/Postman docs, and incident communication reference for technical and procurement reviews.
Procurement FAQ
Procurement and architecture review questions.
Answers for security teams, buyer stakeholders, and implementation owners.
What should security and procurement reviewers request first?
Start with the Trust Center and Status page, then review API overview, OpenAPI/Postman docs, and incident communication references to validate operational and contract clarity.
How do we evaluate sandbox vs production readiness?
Use separate projects for sandbox and production, validate OIDC and webhook flows in sandbox first, then promote configurations with the same tenant/project scoping model.
How do we verify plan enforcement behavior?
Use the plan limits docs and error reference to test 402 PLAN_LIMIT_EXCEEDED handling, then confirm your application treats it as a business-state response.
Migration FAQ
Migration playbook questions.
Plan phased cutovers with rollback safety and clear ownership boundaries.
What is the safest migration order from an existing auth stack?
Migrate one tenant/project slice first: establish OIDC client, map roles and memberships, validate webhook consumers, then expand tenant by tenant after audit and session checks pass.
How do we handle token and session compatibility during migration?
Run a controlled dual-read period if needed, keep issuer and redirect URIs explicit per environment, and force session re-auth when role mapping changes to prevent stale access.
What rollback posture should we keep?
Keep a tenant-scoped rollback switch for critical auth paths, preserve correlation IDs across both systems, and monitor status plus audit signals during the cutover window.
Security FAQ
Security questions, answered.
High-level guidance for security and compliance reviews.
How long is data retained?
Retention windows vary by plan and data type. We publish baseline ranges and confirm exact retention settings during onboarding and procurement reviews.
How do you handle incident response?
We follow documented incident workflows with escalation, customer-facing updates on the status page, and post-incident summaries for impactful events.
How do you separate environments?
We recommend distinct projects for sandbox and production. Paid plans include multiple projects to keep environments isolated.
How are webhooks secured?
Webhook payloads are signed with HMAC SHA-256 and include timestamps to mitigate replay risk. Delivery logs are available for verification workflows.
How do rate limits work?
Rate limits protect shared infrastructure and are documented with response contracts, including Retry-After guidance and problem details when limits are exceeded.
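The webhook answer above names HMAC SHA-256 signatures and timestamps to mitigate replay. The receiver-side check below is an added example, not Lamba's code or its documented wire format. The signed-string layout (timestamp, a dot, then the raw body), the hex encoding, the 300-second window, and every name are assumptions; take the real header names and layout from the webhook documentation.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a documented Lamba value


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed layout: HMAC-SHA256 over b"<timestamp>." + raw body, hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp_header, signature_header, body,
                   now=None, seen=None):
    """Return (ok, reason). Pass the raw request bytes, never re-serialized JSON.

    `seen` is an optional set of already-accepted signatures, used to reject
    a duplicate delivery that is still inside the freshness window.
    """
    now = time.time() if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "bad_timestamp"

    # The timestamp is part of the signed message, so it cannot be refreshed
    # by someone replaying a captured payload without the secret.
    expected = sign(secret, ts, body)
    supplied = (signature_header or "").encode("utf-8")
    if not hmac.compare_digest(expected.encode(), supplied):  # constant-time
        return False, "bad_signature"

    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale_timestamp"

    if seen is not None:
        if expected in seen:
            return False, "replayed"
        seen.add(expected)
    return True, "ok"


# Constructed sample values for the demonstration below.
SECRET = b"constructed-test-secret"
BODY = b'{"event":"user.created","tenant":"t_123"}'

if __name__ == "__main__":
    t = int(time.time())
    print(verify_webhook(SECRET, str(t), sign(SECRET, t, BODY), BODY))
```

In production the `seen` set would be a shared store with entries expiring after the tolerance window, so duplicates are caught across workers.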