01 Identity Platform

Holistic auth solutions in minutes

Managed identity with native multi-tenancy, branded portals, 90+ event types, and automatic data residency.

GET /v1/users
 
Built on: OAuth 2.0, OpenID Connect, PKCE, JWT / RS256, WebAuthn, CloudEvents 1.0, OpenAPI 3.1
02 Architecture

Built on our global identity mesh

Identity storage distributed globally, not centralized in one region. Data compliance in a single layer — no multi-region complexity, no replication headaches.

Global

Globally distributed data

GDPR, LGPD, PIPL — handled in a single layer. No multi-region deployments, no replication tricks. Compliance by architecture.

< 50ms

Edge-native performance

Auth runs on Cloudflare's global edge network. Every request served from the nearest node. Fast for every user, everywhere.

0 servers

Nothing to operate

Fully managed on Cloudflare's infrastructure. Auto-scaling, DDoS protection, and high availability — zero servers to manage.

03 Platform

One API for your entire identity layer

Users, organizations, sessions, credentials, and events — managed through a single API.

Users & Sessions

CRUD + Portal

Full user lifecycle with a branded self-service portal. Users manage their own profile and credentials — less code for you.

Active Session
user jane@acme.com
device Chrome / macOS
location San Francisco, CA
mfa verified

Organizations

Multi-Tenant

Native multi-tenancy with custom domains per issuer and SSO per organization. Custom org types, flexible fields, and metadata.

Social & Enterprise SSO

OAuth / OIDC

Google, GitHub, Microsoft, Apple included. Connect any OIDC provider for enterprise single sign-on.

Passkeys

WebAuthn

Passwordless authentication that syncs across devices. Phishing-resistant by design, loved by users.

Webhooks

CloudEvents

90+ event types covering every identity action. Signed payloads, automatic retries, and guaranteed delivery.

user.created
session.compromised
membership.added
passkey.registered
mfa.enabled
invitation.sent

API Keys

M2M

Machine-to-machine auth scoped to organizations. Rate limits, rotation, and instant revocation when needed.

Personal Access Tokens

User-Owned

Let users create their own tokens for CLI tools and scripts. You control the scopes, they manage the rest.

04 Events

Know when anything happens

90+ event types delivered to your webhooks. Provision accounts, sync to your CRM, trigger workflows, feed your SIEM.

User Lifecycle

4
user.created
user.updated
user.deleted
user.suspended

Sessions & Security

3
session.created
session.compromised
session.terminated

Organizations

3
organization.created
organization.membership.created
organization.invitation.accepted

Authentication

4
passkey.registered
social.linked
mfa.enabled
magic_link.sent
com.authpi.user.created application/json
 
Delivery Guaranteed
Retries Automatic
Payloads Signed
Format CloudEvents 1.0
05 Authentication

Let users sign in however they want

Any combination. Social for consumers, enterprise SSO for B2B, passkeys for the security-conscious.

OAuth 2.0 RFC 6749

Social Logins

Google, GitHub, Microsoft, Apple. Users sign in with accounts they already have.

OIDC OpenID Connect

Enterprise SSO

Connect Okta, Azure AD, or any OIDC provider. Your enterprise customers expect it.

WebAuthn FIDO2

Passkeys

The future of auth. No passwords, no phishing, syncs across all their devices.

Passwordless Email OTP

Magic Links

One click in their inbox, they're signed in. Simple, secure, no password to forget.

Argon2id OWASP

Passwords

When you need them. Industry-leading hashing, breach detection, strength requirements.

MFA RFC 6238

Two-Factor Auth

TOTP codes from any authenticator app, plus backup codes for recovery.

06 Credentials

API keys and tokens, sorted

Two credential types for two use cases. API keys for your services, personal tokens for your users' scripts.

API Keys

Organization-scoped

For backend services and integrations. Scoped to organizations so each tenant's keys only access their data.

  • Rate limits that alert before they block
  • Rotate secrets without breaking integrations
  • Block instantly when something goes wrong
  • Every verification logged for audit trails

Personal Tokens

User-owned

For your users' CLI tools and scripts. They create tokens in their settings, you define what scopes are available.

  • Built for CLI tools and automation
  • You define scopes, users pick what they need
  • Users create and revoke their own tokens
  • Get notified when tokens are used or revoked
07 Security

Enterprise session security, no team required

Threats get caught automatically. Token theft detected. Suspicious patterns flagged. You get notified, we handle the rest.

Stolen Token Detection

RFC 6819 §5.2.2.3

If a refresh token is used twice, we kill the session immediately. Stolen tokens are useless tokens.

Device Fingerprinting

Per-Session

Track which devices access each account. Spot suspicious patterns before they become incidents.

Session Timeouts

Configurable

Set idle timeouts, absolute limits, or extend sessions based on activity. Your rules, enforced automatically.

Instant Revocation

< 50ms p99

One API call to log out a user everywhere. One call to revoke an entire organization. Incident response in milliseconds.

threat-response
authpi/sessions
# Refresh token reuse detected
Session ses_01J5K8... terminated
Event: session.compromised emitted
Webhook delivered to https://api.acme.com/hooks
All refresh tokens for user invalidated
Threat contained in 12ms

Refresh token reused? Session killed. You get a webhook. Attacker gets nothing.
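
The rotation-with-reuse-detection pattern described above, as an added example (not AuthPI's code): each refresh issues a new token, and presenting one that was already rotated out terminates the session. SessionStore, its in-memory dictionaries and the session-only revocation scope are assumptions for illustration; only the event names come from this page.

```python
import hashlib
import secrets


class ReuseDetected(Exception):
    """A refresh token that was already rotated out was presented again."""


class SessionStore:
    """In-memory stand-in for a session database (hypothetical)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user", "current", "active"}
        self.tokens = {}    # sha256(token) -> session_id, kept after rotation
        self.events = []    # emitted event names, stand-in for webhook delivery

    @staticmethod
    def _digest(token):
        # Store only a hash so a database leak does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, session_id):
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self.tokens[digest] = session_id
        self.sessions[session_id]["current"] = digest
        return token

    def login(self, user):
        session_id = "ses_" + secrets.token_hex(8)
        self.sessions[session_id] = {"user": user, "current": None, "active": True}
        self.events.append("session.created")
        return session_id, self._issue(session_id)

    def refresh(self, token):
        digest = self._digest(token)
        session_id = self.tokens.get(digest)
        if session_id is None:
            raise KeyError("unknown refresh token")
        session = self.sessions[session_id]
        if not session["active"]:
            raise PermissionError("session terminated")
        if digest != session["current"]:
            # Replay of a rotated-out token: the legitimate client and a thief
            # cannot be told apart, so the whole session is terminated.
            session["active"] = False
            session["current"] = None
            self.events += ["session.compromised", "session.terminated"]
            raise ReuseDetected(session_id)
        return self._issue(session_id)
```

Rotated-out token hashes are kept on purpose: without them a replay would look like an unknown token and could not be attributed to a session.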

08 Organizations

Multi-tenancy that actually works

Organizations are built into the core, not bolted on. Each issuer gets its own portal with custom domains, and organizations support SSO out of the box.

GET /v1/organizations/org_01K5L8
id org_01K5L8M2N4P7Q9R1
name Acme Corporation
type business
members 247
domain acme.com (verified)
auto_join true
metadata.industry technology
metadata.tier enterprise
metadata.region us-west

Organization Types

Business, nonprofit, government, agency — define types that match your domain. Each can have different defaults.

Invitations

Email invitations that work. Approval workflows, expiration, resend, revoke — all the edge cases handled.

Domain Auto-Join

Users with @acme.com emails join the Acme org automatically. Enterprise onboarding without the friction.

Roles & Permissions

Define what each role can do. Users can have different access in different organizations.

Custom Fields

Store whatever data you need on organizations. Industry, plan tier, Salesforce ID — 100 fields available.

09 Use Cases

Whatever you're building

Single-tenant app or multi-party marketplace — the same primitives scale to match your architecture.

B2B SaaS

Multi-Tenant

Your customers are companies. Native organizations, team invites, and role-based access — ship multi-tenancy in days, not quarters.

  • Self-service team management
  • Domain auto-join onboarding
  • Webhook-driven provisioning
  • Scoped API keys per org

Platforms

Multi-Party

Complex multi-party relationships with full isolation. Dedicated identity per tenant, M2M auth, and granular event routing.

  • One issuer per tenant
  • M2M credentials built in
  • Events routed per party
  • Complete data isolation

Consumer Apps

High-Volume

Frictionless signup that converts. Social logins, passkeys, magic links — users choose how they sign in, you control the security.

  • Two-click signup flows
  • Passwordless-first auth
  • Silent session security
  • Built for millions of users
10 Standards

Open standards, no lock-in

Standard protocols mean your existing tools just work. Switch providers anytime — your integration code stays the same.

OAuth 2.0 RFC 6749
OIDC Core 1.0 OpenID
OIDC Discovery OpenID
PKCE RFC 7636
JWT RFC 7519
JWK RFC 7517
CloudEvents 1.0 CNCF
WebAuthn W3C

Metadata Everywhere

Attach JSON to any resource — users, orgs, sessions. Store your Stripe ID, Salesforce ID, whatever you need.

OpenAPI Spec

Full API reference you can import into Postman, Insomnia, or your code generator of choice.

TypeScript Types

Every request and response fully typed. Catch integration bugs at compile time, not runtime.

11 Get Started

Ship auth today

Create an account, grab your API keys, start building. No credit card, no sales calls, no friction.

+ 10,000 MAU free tier, forever
+ No credit card required
+ Full feature access from day one