01 API-native identity infrastructure

Your API can own every identity flow.

One identity platform for people, teams, and services. One API handles multi-tenancy, machine credentials, and signed identity events as first-class operations.

identity sequence · api.authpi.com
  1. POST /v1/organizations
    201 org_acme organization created
  2. POST /v1/organizations/org_acme/invitations
    202 inv_8d2f member invited
  3. POST /v1/organizations/org_acme/api_keys
    201 key_live_7f3a org-scoped key issued
  4. EVENT user.created
    evt_01J5K8M9N2 delivered to your webhook
Built on: OAuth 2.0 · OpenID Connect · PKCE · JWT / RS256 · WebAuthn · CloudEvents 1.0 · OpenAPI 3.1
02 Model

Model identity the way your product actually works.

Users belong to organizations, services authenticate with scoped credentials, and agents act on behalf of real users. Every identity action becomes an auditable event. AuthPI keeps this in one model — no stitching together disconnected services.

identity topology · iss_authpi (diagram)
Inside the iss_authpi issuer boundary: client_spa (application, OAuth 2.0 / OIDC), org_acme (organization) with members usr_jane and usr_amir (users), key_live_7f3a (API key, org-scoped), pat_9c21 (personal token), agt_etl (agent, machine, acting on behalf of a user); user.created events are delivered to your webhook (event consumer).
03 Automation

Built to be managed through code.

Configure everything through the Core API, use standards at runtime, and react to changes via webhooks — without treating a dashboard as the source of truth.

Configure

Create issuers, clients, organizations, and credentials through the Core API.

Authenticate

Use OAuth 2.0 and OIDC at each issuer's runtime endpoints — standard tokens, standard validation.

React

Subscribe to identity events through webhooks instead of polling for changes.

Integrate

Typed TypeScript and Python SDKs, generated from the same API schema.

TypeScript (@authpi/admin)

import { AuthPIAdmin } from "@authpi/admin";

const admin = new AuthPIAdmin({
  apiKey: { id: process.env.AUTHPI_KEY_ID!, secret: process.env.AUTHPI_KEY_SECRET! },
});

const iss = admin.issuer("iss_authpi");

// One model: a tenant, a member, and a scoped machine credential.
const org = await iss.organizations.create({ name: "Acme", type: "business" });

await iss.organization(org.id).invitations.create({
  email: "amir@acme.com",
  role: "member",
});

const key = await iss.organization(org.id).apiKeys.create({
  name: "CI pipeline",
  scopes: ["users:read", "events:read"],
});

// Every change above already emitted an event to your webhooks.
Python (authpi-admin)

import asyncio
import os

from authpi_admin import AuthPIAdmin

# Same credentials as the TypeScript sample, read from the environment.
KEY_ID = os.environ["AUTHPI_KEY_ID"]
KEY_SECRET = os.environ["AUTHPI_KEY_SECRET"]


async def main() -> None:
    async with AuthPIAdmin(api_key=(KEY_ID, KEY_SECRET)) as admin:
        iss = admin.issuer("iss_authpi")

        # One model: a tenant, a member, and a scoped machine credential.
        org = await iss.organizations.create({"name": "Acme", "type": "business"})

        await iss.organization(org.id).invitations.create({
            "email": "amir@acme.com",
            "role": "member",
        })

        key = await iss.organization(org.id).api_keys.create({
            "name": "CI pipeline",
            "scopes": ["users:read", "events:read"],
        })

        # Every change above already emitted an event to your webhooks.


asyncio.run(main())

Real @authpi/admin · authpi-admin calls — copy, run, ship.

04 Platform

One API for your entire identity layer

Users, organizations, sessions, credentials, and events — managed through a single API.

Users & Sessions

CRUD + Portal

Full user lifecycle with a branded self-service portal. Users manage their own profile and credentials — less code for you.

Active Session
user jane@acme.com
device Chrome / macOS
location San Francisco, CA
mfa verified

Organizations

Multi-Tenant

Native multi-tenancy with custom domains per issuer and SSO per organization. Custom org types, flexible fields, and metadata.

Social & Enterprise SSO

OAuth / OIDC

Google, GitHub, Microsoft, Apple included. Connect any OIDC provider for enterprise single sign-on.

Passkeys

WebAuthn

Passwordless authentication that syncs across devices. Phishing-resistant by design — built on WebAuthn.

Webhooks

CloudEvents

90+ event types covering every identity action. Signed payloads, automatic retries, and guaranteed delivery.

user.created · session.compromised · membership.added · passkey.registered · mfa.enabled · invitation.sent

API Keys

M2M

Machine-to-machine auth scoped to organizations. Rate limits, rotation, and instant revocation when needed.

Personal Access Tokens

User-Owned

Let users create their own tokens for CLI tools and scripts. You control the scopes, they manage the rest.

05 Architecture

Global runtime. Regional identity data.

Each issuer is globally distributed. When a user signs up, their PII is placed in the regional storage location nearest them — deliberate data placement, not replication tricks or compliance theater.

global runtime · regional data · iss_authpi (diagram)
Requests arrive globally (San Francisco, Berlin, Singapore) at the iss_authpi runtime, which is globally reachable: OAuth 2.0 / OIDC, token issuance and JWKS are served from the nearest edge. Signup routes to the nearest region; PII is written there and stays there. Regional identity data stores: wnam (US West), enam (US East), sam (S. America), weur (Europe · EU), eeur (Europe E · EU), me (Middle East), apac (Asia-Pacific), oc (Oceania). Metadata may be global; user PII is placed in one regional store at signup, not replicated everywhere.
Global

Globally reachable runtime

Token issuance, JWKS, and OAuth/OIDC endpoints respond from the edge location nearest each request. Every issuer is reachable everywhere.

8 regions

Regional identity data

User PII is written to a single regional store at signup — across the US, Europe, Asia-Pacific, the Middle East, and South America — and stays there.

EU pin

Honest about boundaries

European users can be pinned to EU-jurisdiction storage. Concrete placement and routing you can read — not a blanket “compliant everywhere” claim.

06 Authentication

Let users sign in however they want

Any combination. Social for consumers, enterprise SSO for B2B, passkeys for the security-conscious.

OAuth 2.0 RFC 6749

Social Logins

Google, GitHub, Microsoft, Apple. Users sign in with accounts they already have.

OIDC OpenID Connect

Enterprise SSO

Connect Okta, Azure AD, or any OIDC provider. Your enterprise customers expect it.

WebAuthn FIDO2

Passkeys

No passwords, no phishing. Syncs across all their devices, backed by the platform authenticator.

Passwordless Email OTP

Magic Links

One click in their inbox, they're signed in. Simple, secure, no password to forget.

Argon2id OWASP

Passwords

When you need them. Industry-leading hashing, breach detection, strength requirements.

MFA RFC 6238

Two-Factor Auth

TOTP codes from any authenticator app, plus backup codes for recovery.

07 Credentials

API keys and tokens, sorted

Two credential types for two use cases. API keys for your services, personal tokens for your users' scripts.

API Keys

Organization-scoped

For backend services and integrations. Scoped to organizations so each tenant's keys only access their data.

  • Rate limits that alert before they block
  • Rotate secrets without breaking integrations
  • Block instantly when something goes wrong
  • Every verification logged for audit trails

Personal Tokens

User-owned

For your users' CLI tools and scripts. They create tokens in their settings, you define what scopes are available.

  • Built for CLI tools and automation
  • You define scopes, users pick what they need
  • Users create and revoke their own tokens
  • Get notified when tokens are used or revoked
08 Events

Identity changes arrive as events.

Every meaningful change emits a signed event with full issuer and organization context — delivered to your webhooks with retries and at-least-once guarantees. Not a polling job.

Delivery log last 5
user.created
evt_01J5K8M9N2 attempt 1/1 ✓ delivered
organization.membership.created
evt_01K7N3P5R8 attempt 1/1 ✓ delivered
session.compromised
evt_01M9Q2S5U8 attempt 2/3 retrying
api_key.created
evt_01N2R5T8V1 attempt 1/1 ✓ delivered
organization.invitation.accepted
evt_01P4T7W0Y3 attempt 1/1 ✓ delivered
user.created ✓ signature verified

Delivery: At-least-once
Signature: HMAC-SHA256
Retries: Exponential backoff
Format: CloudEvents 1.0
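The receiving side of the delivery described above, as an added example that is not AuthPI's own code or documentation. It assumes the signature is a lowercase hex HMAC-SHA256 over the raw request body, carried in a header named X-AuthPI-Signature (hypothetical: the page names the algorithm but not the header or encoding), and shows the three checks a webhook endpoint needs: a constant-time signature comparison before the body is parsed, validation of the CloudEvents 1.0 envelope, and deduplication by event id because delivery is at-least-once.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed signing convention (not taken from AuthPI documentation): the webhook
# secret is shared out of band and the header carries hex HMAC-SHA256(raw body).
SIGNATURE_HEADER = "x-authpi-signature"  # hypothetical header name, compared case-insensitively

# Attributes every CloudEvents 1.0 envelope must carry.
REQUIRED_CE_ATTRS = ("specversion", "id", "source", "type")


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 tag the sender would put in the signature header."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison over the raw bytes; never json.loads() before this passes."""
    if not header_value:
        return False
    expected = sign(secret, raw_body).encode("ascii")
    presented = header_value.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


class WebhookConsumer:
    """Verifies each delivery and absorbs redeliveries with a set of seen event ids."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids: set = set()   # in production: a persistent store with a TTL
        self.handled: list = []      # (type, id) of events actually processed

    def receive(self, headers: dict, raw_body: bytes) -> tuple:
        """Return the (http_status, reason) the endpoint should answer with."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        if not verify_signature(self.secret, raw_body, hdrs.get(SIGNATURE_HEADER)):
            return 401, "bad signature"
        try:
            event = json.loads(raw_body)
        except ValueError:
            return 400, "malformed body"
        if not isinstance(event, dict) or not all(
            isinstance(event.get(a), str) and event[a] for a in REQUIRED_CE_ATTRS
        ):
            return 400, "not a CloudEvents 1.0 envelope"
        if event["specversion"] != "1.0":
            return 400, "unsupported specversion"
        # At-least-once delivery: a redelivered event is acknowledged, not processed twice.
        if event["id"] in self.seen_ids:
            return 200, "duplicate ignored"
        self.seen_ids.add(event["id"])
        self.handled.append((event["type"], event["id"]))
        return 200, "processed"


# Constructed sample delivery (shape modelled on CloudEvents 1.0; secret is not real).
SECRET = b"whsec_example_not_a_real_secret"
SAMPLE_EVENT = json.dumps({
    "specversion": "1.0",
    "id": "evt_01J5K8M9N2",
    "source": "/issuers/iss_authpi",
    "type": "user.created",
    "time": "2025-01-01T00:00:00Z",
    "data": {"user_id": "usr_jane", "organization_id": "org_acme"},
}, separators=(",", ":")).encode("utf-8")


def demo() -> list:
    """First delivery, a redelivery, a tampered body, and a missing header."""
    consumer = WebhookConsumer(SECRET)
    good_headers = {"X-AuthPI-Signature": sign(SECRET, SAMPLE_EVENT)}
    return [
        consumer.receive(good_headers, SAMPLE_EVENT),
        consumer.receive(good_headers, SAMPLE_EVENT),
        consumer.receive(good_headers, SAMPLE_EVENT.replace(b"usr_jane", b"usr_amir")),
        consumer.receive({}, SAMPLE_EVENT),
    ]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Answer 2xx for a recognised duplicate so the sender's retry loop stops; a 5xx on a duplicate would keep the exponential backoff going for an event you already handled.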
09 Organizations

An organization is a product resource

Organizations are built into the core, not bolted on. Each issuer gets its own portal with custom domains, and organizations support SSO out of the box.

GET /v1/organizations/org_01K5L8
id org_01K5L8M2N4P7Q9R1
name Acme Corporation
type business
members 247
domain acme.com (verified)
auto_join true
metadata.industry technology
metadata.tier enterprise
metadata.region us-west

Organization Types

Business, nonprofit, government, agency — define types that match your domain. Each can have different defaults.

Invitations

Email invitations that work. Approval workflows, expiration, resend, revoke — all the edge cases handled.

Domain Auto-Join

Users with @acme.com emails join the Acme org automatically. Enterprise onboarding without the friction.

Roles & Permissions

Define what each role can do. Users can have different access in different organizations.

Custom Fields

Store whatever data you need on organizations. Industry, plan tier, Salesforce ID — 100 fields available.

10 Security

Session security, on by default

Refresh-token reuse is detected, the session is killed, and you get an event. Device patterns are tracked, timeouts are enforced, and revocation is one API call. Strong defaults you don't have to wire up.

Stolen Token Detection

RFC 6819 §5.2.2.3

If a refresh token is used twice, we kill the session immediately. Stolen tokens are useless tokens.

Device Fingerprinting

Per-Session

Track which devices access each account. Spot suspicious patterns before they become incidents.

Session Timeouts

Configurable

Set idle timeouts, absolute limits, or extend sessions based on activity. Your rules, enforced automatically.

Instant Revocation

One API call

One API call to log out a user everywhere. One call to revoke an entire organization. Incident response without a runbook.

threat-response · authpi/sessions
# Refresh token reuse detected
Session ses_01J5K8... terminated
Event: session.compromised emitted
Webhook delivered to https://api.acme.com/hooks
All refresh tokens for user invalidated
Threat contained — attacker holds a dead token

Refresh token reused? Session killed. You get a webhook. Attacker gets nothing.
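A server-side model of the refresh-token rotation and reuse detection this section describes, added here as an illustration and not AuthPI's implementation. Session and token ids are generated locally (the ses_ and rt_ prefixes are constructed), the event list stands in for webhook delivery, and containment follows the transcript above: the session is terminated, every refresh token belonging to the user is invalidated, and a session.compromised event is recorded. The same revoke_user call is the "log out a user everywhere" operation.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    id: str
    user_id: str
    current_refresh: str                       # the only refresh token that may be exchanged
    retired: set = field(default_factory=set)  # tokens already rotated away (still recognised)
    active: bool = True


class RefreshTokenReuseError(Exception):
    """A retired refresh token was presented: treat the session as compromised."""


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> Session
        self.by_token = {}   # every refresh token ever issued -> session id
        self.events = []     # stand-in for webhook delivery

    @staticmethod
    def _new_token() -> str:
        return "rt_" + secrets.token_urlsafe(32)   # constructed prefix

    def login(self, user_id: str) -> tuple:
        """Create a session and hand out its first refresh token."""
        sid = "ses_" + secrets.token_hex(8)        # constructed prefix
        tok = self._new_token()
        self.sessions[sid] = Session(sid, user_id, tok)
        self.by_token[tok] = sid
        return sid, tok

    def refresh(self, presented: str) -> str:
        """Rotate: retire the presented token and issue a new one, or detect reuse."""
        sid = self.by_token.get(presented)
        if sid is None:
            raise ValueError("unknown refresh token")
        s = self.sessions[sid]
        if not s.active:
            raise ValueError("session revoked")
        if presented in s.retired:
            # The token was already exchanged once. Either the legitimate client or a
            # second holder is replaying it; the server cannot tell which, so it
            # contains the session and tells the application (RFC 6819 §5.2.2.3).
            self.revoke_user(s.user_id)
            self.events.append({"type": "session.compromised", "session_id": sid, "user_id": s.user_id})
            raise RefreshTokenReuseError(sid)
        s.retired.add(presented)
        new_tok = self._new_token()
        s.current_refresh = new_tok
        self.by_token[new_tok] = sid
        return new_tok

    def revoke_session(self, sid: str) -> None:
        """Instant revocation of one session; all its refresh tokens stop working."""
        self.sessions[sid].active = False

    def revoke_user(self, user_id: str) -> int:
        """Log a user out everywhere; returns how many sessions were terminated."""
        count = 0
        for s in self.sessions.values():
            if s.user_id == user_id and s.active:
                s.active = False
                count += 1
        return count


def demo() -> dict:
    """Legitimate rotation, then a replay of the retired token, then the aftermath."""
    store = SessionStore()
    sid, rt1 = store.login("usr_jane")
    rt2 = store.refresh(rt1)          # normal rotation: rt1 is now retired
    try:
        store.refresh(rt1)            # rt1 presented again -> reuse detected
        reuse_detected = False
    except RefreshTokenReuseError:
        reuse_detected = True
    try:
        store.refresh(rt2)            # even the newest legitimate token is dead now
        latest_alive = True
    except ValueError:
        latest_alive = False
    return {
        "reuse_detected": reuse_detected,
        "session_active": store.sessions[sid].active,
        "latest_token_alive": latest_alive,
        "events": [e["type"] for e in store.events],
    }


if __name__ == "__main__":
    print(demo())
```

Keeping retired tokens in the lookup table is what makes detection possible: a store that simply deleted a token at rotation time would see the replay as an unknown token and miss the signal. The trade-off is that the legitimate client is signed out too, which is why the event matters to the application.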

11 Use Cases

Whatever you're building

From a single API to a multi-party platform — the same primitives model both people and machines.

API-first SaaS

Multi-Tenant

Your product is an API whose customers are companies. Organizations, memberships, and scoped keys are primitives — multi-tenancy in days, not quarters.

  • Organizations & memberships
  • Domain auto-join onboarding
  • Webhook-driven provisioning
  • Org-scoped API keys

Developer platforms

Multi-Party

You host other people's services and integrations. Dedicated identity per tenant, machine-to-machine auth, and per-party event routing with full isolation.

  • One issuer per tenant
  • M2M credentials built in
  • Events routed per party
  • Complete data isolation

AI-native products

Human + Machine

People and agents both call your API. Personal tokens for users, scoped credentials for services, and agents that act on behalf of a user — in one identity model.

  • Personal access tokens
  • Scoped machine credentials
  • Agents acting for a user
  • Every action emits an event
12 Standards

Open standards, no lock-in

Standard protocols mean your existing tools just work. Switch providers anytime — your integration code stays the same.

OAuth 2.0
RFC 6749
OIDC Core 1.0
OpenID
OIDC Discovery
OpenID
PKCE
RFC 7636
JWT
RFC 7519
JWK
RFC 7517
CloudEvents 1.0
CNCF
WebAuthn
W3C
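PKCE (RFC 7636) as a public client and an authorization server each see it, added here as an example and not AuthPI's code: the S256 challenge derivation on the client, one-shot authorization codes, and the verifier check at the token endpoint. The AuthorizationServer class and the ac_ code prefix are constructed for the example; the verifier/challenge pair used in the test is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum length."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Only the PKCE part of an authorization server (constructed for this example):
    remembers the challenge bound to each code and checks the verifier at the token endpoint."""

    def __init__(self):
        self.pending = {}   # authorization code -> (method, code_challenge)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh one-time code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = "ac_" + secrets.token_urlsafe(16)   # constructed prefix
        self.pending[code] = (method, code_challenge)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: a code is exchangeable once, and only with the matching verifier."""
        entry = self.pending.pop(code, None)       # consumed whether or not the check passes
        if entry is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        _, challenge = entry
        return hmac.compare_digest(
            code_challenge_s256(code_verifier).encode("ascii"),
            challenge.encode("ascii"),
        )


def demo() -> tuple:
    """Successful exchange, a replay of the consumed code, and a verifier from another flow."""
    srv = AuthorizationServer()
    verifier = new_code_verifier()
    code = srv.authorize(code_challenge_s256(verifier))
    ok = srv.token(code, verifier)
    replay = srv.token(code, verifier)
    other_code = srv.authorize(code_challenge_s256(new_code_verifier()))
    mismatch = srv.token(other_code, verifier)
    return ok, replay, mismatch


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the client until the token request, so a code captured in transit cannot be exchanged without it; the server consumes the code on the first attempt either way, so a failed guess also burns the code.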

Metadata Everywhere

Attach JSON to any resource — users, orgs, sessions. Store your Stripe ID, Salesforce ID, whatever you need.

OpenAPI Spec

Full API reference you can import into Postman, Insomnia, or your code generator of choice.

TypeScript Types

Every request and response fully typed. Catch integration bugs at compile time, not runtime.

13 Proof

Designed to be measured

We'd rather publish numbers than adjectives. Three reproducible benchmarks are in progress — each with its method, sample sizes, and test dates disclosed when we publish.

Coding-agent integration

IN PROGRESS

From an empty API to a tested, multi-tenant identity model.

  • Median successful completion time
  • Success rate across repeated runs
  • Human interventions & token cost

Global token latency

IN PROGRESS

Predictable token issuance as a user's organization memberships grow.

  • p50 / p95 / p99 from multiple regions
  • Token issuance, refresh, and JWKS
  • Cold vs. warm, with sample sizes

Event delivery

IN PROGRESS

Durable webhook delivery you can reason about.

  • Median & p99 delivery delay
  • First-attempt success rate
  • Recovery after a simulated outage
14 Get Started

From first API to multi-tenant platform

Create an account, grab your API keys, start building. Users, organizations, and machine credentials in one model — no credit card, no sales calls, no friction.

+ 10,000 MAU free tier, forever
+ No credit card required
+ Full feature access from day one