01 For API-first and AI-native teams

Identity infrastructure for APIs and AI agents.

AuthPI gives API-first and AI-native teams one identity system for users, organizations, services, and agents. Manage multi-tenancy, scoped credentials, agent access, and event-driven webhooks through a single API.

Identity sequence (api.authpi.com):

  1. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations
     201 org_0kfz3m8q1w5e9r2t6y4u7i3o5 (organization created)
  2. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations/{org_id}/invitations
     202 inv_8d2f0kfz3m8q1w5e9r2t6y4u7 (member invited)
  3. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations/{org_id}/api-keys
     201 key_7f3a9c2d4e5f67890123456789abcdef (org-scoped key issued)
  4. POST /v1/accounts/{account_id}/issuers/{issuer_id}/agents
     201 agt_7c1de2f3a4b5c6d7e8f9a0b1c2d3e4f5 (AI agent identity created)
  5. EVENT user.created
     evt_01J5K8M9N2 (delivered to your webhook)

Built on: OAuth 2.0, Client Credentials, OpenID Connect, PKCE, JWT / RS256, WebAuthn, CloudEvents 1.0, OpenAPI 3.1

02 How the model works

How users, organizations, and agents relate

Users belong to organizations, services authenticate with scoped credentials, and AI agents get their own identities instead of borrowing user accounts or sharing service keys. Every identity action becomes an auditable event. AuthPI keeps this in one model, not a set of disconnected services you stitch together.

Identity topology (diagram) for issuer i_4r8w2k9m5x1p7q: inside the issuer boundary, an application (client_spa) signs users in over OAuth 2.0 / OIDC and emits user.created; users (usr_jane, usr_amir) hold memberships in an organization (org_...i3o5); an API key (key_...cdef) is scoped to that organization; a personal token (ptk_...89ab) acts on behalf of a user; an agent (agt_...e4f5) is a machine identity; events flow to your webhook (event consumer).

03 Managed through the API

Keep identity management in your product code.

Use the Core API to provision customers, mint organization keys, and give agents their own credentials. At runtime, your products use OAuth/OIDC endpoints; downstream systems follow changes from events and webhooks.

Provision

Create organizations, invitations, API keys, webhooks, clients, and agents through the Core API.

Run

User apps, M2M clients, and agents authenticate against issuer runtime endpoints with OAuth 2.0 and OIDC.

Observe

Events cover mutations across the system, and webhooks deliver the changes your integration subscribes to.

Integrate

OpenAPI-backed TypeScript and Python Admin SDKs keep examples close to the API shape.

TypeScript (@authpi/admin)

import { AuthPIAdmin } from "@authpi/admin";

const admin = new AuthPIAdmin({
  apiKey: { id: process.env.AUTHPI_KEY_ID!, secret: process.env.AUTHPI_KEY_SECRET! },
  accountId: process.env.ACCOUNT_ID!,
});

const iss = admin.issuer(process.env.ISSUER_ID!);

// Provision the customer model your product already knows about.
const org = await iss.organizations.create({ name: "Acme", org_type: "business" });

await iss.organization(org.id).invitations.create({
  email_invited: "amir@acme.com",
  scopes: ["member"],
});

const key = await iss.organization(org.id).apiKeys.create({
  name: "Billing sync",
  type: "api_key",
  restrictions: { scopes: ["issuers.users:read", "events:read"] },
});

const agent = await iss.agents.create({
  name: "Support Triage Agent",
  scopes: ["tickets:read", "tickets:triage"],
});

const verifier = await iss.agent(agent.id).verifiers.create({
  type: "secret",
  name: "primary",
});

// The agent uses standard client_credentials at runtime.
// Mutations are available through the events API and subscribed webhooks.

Python (authpi-admin)

from authpi_admin import AuthPIAdmin

async with AuthPIAdmin(api_key=(KEY_ID, KEY_SECRET), account_id=ACCOUNT_ID) as admin:
    iss = admin.issuer(ISSUER_ID)

    # Provision the customer model your product already knows about.
    org = await iss.organizations.create({"name": "Acme", "org_type": "business"})

    await iss.organization(org.id).invitations.create({
        "email_invited": "amir@acme.com",
        "scopes": ["member"],
    })

    key = await iss.organization(org.id).api_keys.create({
        "name": "Billing sync",
        "type": "api_key",
        "restrictions": {"scopes": ["issuers.users:read", "events:read"]},
    })

    agent = await iss.agents.create({
        "name": "Support Triage Agent",
        "scopes": ["tickets:read", "tickets:triage"],
    })

    verifier = await iss.agent(agent.id).verifiers.create({
        "type": "secret",
        "name": "primary",
    })

    # The agent uses standard client_credentials at runtime.
    # Mutations are available through the events API and subscribed webhooks.

Real @authpi/admin and authpi-admin calls, generated from the Core API schema.

04 Core primitives

One API for users, organizations, services, and agents

AuthPI models users, organizations, services, and AI agents as API-managed primitives. Each one is scoped, observable, and flows through the same event pipeline.

usr_

Human identity

Users, sessions, verifiers, MFA, passkeys, and a branded portal for profile and credential management.

Users API · Sessions · Verifiers · Portal

i_ / org_

Multi-tenancy primitives

Issuers, organizations, memberships, domains, and SSO model your customers without bolting tenant logic onto user auth.

Issuers · Organizations · Members · SSO

agt_

Agent identity

First-class agt_ identities for AI agents and bots, with their own scopes, verifiers, organization memberships, and audit trail.

Agents API · Verifiers · Scopes · Memberships

key_ / c_

Service access

Org API keys for managing AuthPI resources, and OAuth client_credentials for services calling your own APIs.

API Keys · Clients · Token endpoint · Scopes

ptk_

User-owned access

Personal access tokens let users connect CLI tools, scripts, and automations while you define the scopes they can request.

Personal Tokens · Scopes · Revocation · Usage events

std

Runtime standards

OAuth 2.0, OpenID Connect, JWTs, JWKS, PKCE, WebAuthn, and OpenAPI specs where your APIs expect them.

OIDC · JWKS · WebAuthn · OpenAPI 3.1

CloudEvents

One event pipeline across the model

State changes, lifecycle transitions, and security signals are persisted as events. Webhooks subscribe to exact event types and keep delivery records for retries and debugging.

Event types: user.created, organization.updated, api-key.created, agent.verifier.added, webhook.updated, session.compromised

05 Runtime and data

Global runtime. Regional identity data.

Each issuer is globally distributed. When a user signs up, their PII is placed in the regional storage location nearest them. That's deliberate data placement, not replication or a blanket compliance claim.

Diagram: global runtime, regional data (issuer i_4r8w2k9m5x1p7q). Requests arrive from anywhere (San Francisco, Berlin, Singapore); the issuer runtime is globally reachable, with OAuth 2.0 / OIDC, token issuance and JWKS served from the nearest edge. Signup routes to the nearest region, where the user's PII is written and stays. Regional identity data stores: wnam (US West), enam (US East), sam (S. America), weur (Europe, EU), eeur (Europe E, EU), me (Middle East), apac (Asia-Pacific), oc (Oceania). Metadata may be global; user PII is placed in one regional store at signup, not replicated everywhere.

Global

Globally reachable runtime

Token issuance, JWKS, and OAuth/OIDC endpoints respond from the edge location nearest each request. Every issuer is reachable everywhere.

8 regions

Regional identity data

User PII is written to a single regional store at signup (US, Europe, Asia-Pacific, the Middle East, or South America) and stays there.

EU pin

EU-jurisdiction pinning

European users can be pinned to EU-jurisdiction storage. It's concrete placement and routing you can read, not a blanket 'compliant everywhere' claim.

06 Sign-in options

Let users sign in however they want

Any combination. Social for consumers, enterprise SSO for B2B, passkeys for the security-conscious.

OAuth 2.0 RFC 6749

Social Logins

Google, GitHub, Microsoft, Apple. Users sign in with accounts they already have.

OIDC OpenID Connect

Enterprise SSO

Connect Okta, Azure AD, or any OIDC provider. Your enterprise customers expect it.

WebAuthn FIDO2

Passkeys

No passwords, no phishing. Syncs across all their devices, backed by the platform authenticator.

Passwordless Email OTP

Magic Links

One click in their inbox and they're signed in. Simple, secure, no password to forget.

Argon2id OWASP

Passwords

When you need them. Industry-leading hashing, breach detection, strength requirements.

MFA RFC 6238

Two-Factor Auth

TOTP codes from any authenticator app, plus backup codes for recovery.

07 Access for code

Credentials for the code calling your APIs

Pick by destination first: org API keys manage AuthPI, M2M clients mint OAuth tokens for your own APIs, and personal tokens let users run scripts as themselves.

Calling AuthPI?

key_

Org API keys

Use for the Core API

Backend services, CI jobs, and scripts manage AuthPI resources such as users, issuers, clients, webhooks, and organizations.

HTTP Basic
Core API scopes
Rotate / block / revoke

Calling your APIs?

c_

M2M clients

Use for service-to-service auth

One of your systems exchanges client credentials for a standard OAuth access token that your APIs can verify locally.

client_credentials
JWT access token
30 min default lifetime

Acting as a user?

ptk_

Personal tokens

Use for user-owned automation

CLI tools, local scripts, and integrations act as a specific user without exposing the user's primary credentials.

JWT bearer token
Returned once
Revocable / expiring

These credentials compose in production: a backend can hold an org API key to provision AuthPI resources and an M2M client to call internal APIs, while users keep personal tokens for their own scripts.

08 Events and webhooks

Every matching account event can trigger a webhook.

AuthPI emits events for users, sessions, organizations, clients, API keys, agents, accounts, and webhooks. Active subscriptions receive matching account events as CloudEvents payloads, with delivery attempts stored for debugging and audit.

Delivery log (last 5):

  user.created                       evt_01J5K8M9N2   attempt 1/1   ✓ delivered
  organization.membership.created    evt_01K7N3P5R8   attempt 1/1   ✓ delivered
  session.compromised                evt_01M9Q2S5U8   attempt 2/3   retrying
  api-key.created                    evt_01N2R5T8V1   attempt 1/1   ✓ delivered
  organization.invitation.accepted   evt_01P4T7W0Y3   attempt 1/1   ✓ delivered

  user.created: authpi-signature verified

Delivery: persisted attempts
Auth: Bearer or HMAC
Retries: 40 by default
Format: CloudEvents 1.0

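The consuming side of the delivery log above, as an added example that is not AuthPI's code or SDK: verify the delivery signature before parsing, validate the CloudEvents 1.0 envelope, deduplicate retried deliveries by event id (retries mean the same event can arrive more than once), and act on session.compromised. The hex HMAC-SHA256-over-raw-body scheme carried in the authpi-signature header and the user_id field inside data are assumptions, not documented AuthPI behaviour.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// CloudEvents 1.0 envelope attributes this receiver depends on.
interface CloudEvent { specversion: string; id: string; type: string; source: string; data?: Record<string, unknown> }

// Assumed signing scheme: lowercase hex HMAC-SHA256 over the raw body, keyed
// with the endpoint's shared secret and sent in the authpi-signature header.
function verifySignature(rawBody: string, header: string | undefined, secret: string): boolean {
  if (!header) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(header, "hex");
  // Check lengths first: timingSafeEqual throws when they differ.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

function parseCloudEvent(rawBody: string): CloudEvent {
  const ev = JSON.parse(rawBody) as Partial<CloudEvent>;
  if (ev.specversion !== "1.0" || !ev.id || !ev.type || !ev.source) {
    throw new Error("not a CloudEvents 1.0 envelope");
  }
  return ev as CloudEvent;
}

// Deliveries are retried, so one event id can arrive more than once; the
// handler must be idempotent. `seen` stands in for a durable dedupe store.
function handleDelivery(rawBody: string, header: string | undefined, secret: string,
                        seen: Set<string>): { status: number; action: string } {
  // Verify before parsing: unauthenticated bodies never reach JSON.parse.
  if (!verifySignature(rawBody, header, secret)) return { status: 401, action: "rejected" };
  const ev = parseCloudEvent(rawBody);
  if (seen.has(ev.id)) return { status: 200, action: "duplicate" };
  seen.add(ev.id);
  const user = String(ev.data?.user_id ?? "unknown"); // payload field name is assumed
  switch (ev.type) {
    case "session.compromised": // refresh-token reuse: cut downstream access for the user too
      return { status: 200, action: `revoke:${user}` };
    case "user.created":
      return { status: 200, action: `provision:${user}` };
    default:
      return { status: 200, action: "ignored" };
  }
}

// Constructed sample delivery, signed the way the receiver expects.
const SAMPLE_SECRET = "whsec_constructed";
const SAMPLE_BODY = JSON.stringify({ specversion: "1.0", id: "evt_01M9Q2S5U8", type: "session.compromised",
  source: "/issuers/i_4r8w2k9m5x1p7q", data: { user_id: "usr_jane" } });
const SAMPLE_SIG = createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```

Always return 2xx for a verified duplicate so the sender stops retrying; only an unverifiable signature should be rejected.
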
09 Your customer model

Multi-tenancy built into the identity model

Organizations are the boundary for B2B customers, workspaces, departments, and teams. They carry members, agents, scopes, SSO configuration, invitations, metadata, and lifecycle events in one API model.

Token context

Tokens carry organization context

When a user or agent acts inside a customer tenant, AuthPI issues organization context with the token. Your API authorizes against the org, member, scopes, and membership status it receives.

org org_0kfz3m8q1w5e9r2t6y4u7i3o5
member usr_01j4h7k3m5n8p2q4r6s9t0v1x
scopes org:admin billing:read
status active

Membership changes are reflected on the next login, refresh, or userinfo call; existing access tokens remain bounded by their configured lifetime.

Tenant record

business / nonprofit / government

A stable org_ ID with business type, contact data, custom fields, metadata, member limits, and status.

Memberships

users + agents

Users and agents join organizations with their own scopes, titles, metadata, and active or suspended status.

Enterprise access

invitations + SSO

Invitation flows, verified SSO domains, SSO-only enforcement, MFA policy, and default member scopes live with the organization.

Lifecycle contract

events emitted

Suspend to remove org claims from newly issued tokens; delete to cascade memberships, invitations, SSO config, and org API keys.

Events: organization.created, organization.membership.created, organization.sso.domain-verified, organization.suspended

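An authorization gate for your own API built on the token context and lifecycle events described above, added here as an example (not AuthPI's code): it checks that the token's organization matches the tenant addressed by the route, that the membership is active, that the required scopes are present, and, because tokens issued before a suspension stay valid until they expire, it also fails closed for organizations seen in an organization.suspended event. Treating org, member, scopes and status as claim names on an already-verified access token is an assumption.

```typescript
// Organization context as the page shows it (org, member, scopes, status).
// Treating these as claims on an already-verified access token is an assumption.
interface OrgContext { org: string; member: string; scopes: string[]; status: string }

// Pull the org context out of a decoded JWT payload, rejecting malformed shapes.
function readOrgContext(claims: Record<string, unknown>): OrgContext | null {
  const { org, member, scopes, status } = claims;
  if (typeof org !== "string" || typeof member !== "string" || typeof status !== "string") return null;
  if (!Array.isArray(scopes) || !scopes.every((s) => typeof s === "string")) return null;
  return { org, member, scopes, status };
}

// Tokens issued before a suspension stay valid until they expire, so the gate
// also keeps a set of org ids fed by organization.suspended webhook events.
class OrgGate {
  private suspended = new Set<string>();

  onEvent(type: string, orgId: string): void {
    if (type === "organization.suspended") this.suspended.add(orgId);
  }

  authorize(claims: Record<string, unknown>, routeOrg: string, required: string[]): { allow: boolean; reason: string } {
    const ctx = readOrgContext(claims);
    if (!ctx) return { allow: false, reason: "no organization context" };
    // A token for one tenant must never satisfy a route addressed to another.
    if (ctx.org !== routeOrg) return { allow: false, reason: "org mismatch" };
    if (ctx.status !== "active") return { allow: false, reason: `membership ${ctx.status}` };
    if (this.suspended.has(ctx.org)) return { allow: false, reason: "org suspended" };
    const missing = required.filter((s) => !ctx.scopes.includes(s));
    if (missing.length > 0) return { allow: false, reason: `missing scope ${missing.join(" ")}` };
    return { allow: true, reason: `member ${ctx.member}` };
  }
}

// Constructed claims mirroring the token context shown on the page.
const SAMPLE_CLAIMS: Record<string, unknown> = {
  org: "org_0kfz3m8q1w5e9r2t6y4u7i3o5",
  member: "usr_01j4h7k3m5n8p2q4r6s9t0v1x",
  scopes: ["org:admin", "billing:read"],
  status: "active",
};
```
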
10 Security from the start

Session security, on by default

Refresh-token reuse is detected, the session is killed, and you get an event. Device patterns are tracked, timeouts are enforced, and revocation is one API call. Strong defaults you don't have to wire up.

Stolen Token Detection

RFC 6819 §5.2.2.3

If a refresh token is used twice, we kill the session immediately. Stolen tokens are useless tokens.

Device Fingerprinting

Per-Session

Track which devices access each account. Spot suspicious patterns before they become incidents.

Session Timeouts

Configurable

Set idle timeouts, absolute limits, or extend sessions based on activity. Your rules, enforced automatically.

Instant Revocation

One API call

One API call to log out a user everywhere. One call to revoke an entire organization. Incident response without a runbook.

threat-response (authpi/sessions):

  # Refresh token reuse detected
  Session s_01j5k8... terminated
  Event: session.compromised emitted
  Webhook delivered to https://api.acme.com/hooks
  All refresh tokens for user invalidated
  Threat contained: attacker holds a dead token

Refresh token reused? Session killed. You get a webhook. Attacker gets nothing.

11 Who it is for

Built for API-first and AI-native teams

From a single API to a multi-party platform, the same primitives model people, services, and AI agents.

API-first SaaS

Multi-Tenant

Your product is an API whose customers are companies. Organizations, memberships, and scoped keys are built-in primitives, so you add multi-tenancy in days, not quarters.

  • Organizations & memberships
  • Domain auto-join onboarding
  • Webhook-driven provisioning
  • Org-scoped API keys

Developer platforms

Multi-Party

You host other people's services and integrations. Dedicated identity per tenant, machine-to-machine auth, and per-party event routing with full isolation.

  • One issuer per tenant
  • M2M credentials built in
  • Events routed per party
  • Complete data isolation

AI-native products

Human + Machine

People and agents both call your API. Give each AI agent its own identity, scopes, organization membership, and audit trail instead of borrowing a user account or sharing an API key.

  • First-class agent IDs
  • Five-minute agent tokens
  • Per-agent secret credentials
  • Agent audit events

12 Standards underneath

Open standards, no lock-in

Standard protocols mean your existing tools just work. Switch providers anytime and your integration code stays the same.

  • OAuth 2.0 (RFC 6749)
  • OIDC Core 1.0 (OpenID)
  • OIDC Discovery (OpenID)
  • PKCE (RFC 7636)
  • JWT (RFC 7519)
  • JWK (RFC 7517)
  • CloudEvents 1.0 (CNCF)
  • WebAuthn (W3C)

Metadata Everywhere

Attach JSON to any resource: users, organizations, sessions. Store your Stripe ID, Salesforce ID, whatever you need.

OpenAPI Spec

Full API reference you can import into Postman, Insomnia, or your code generator of choice.

TypeScript Types

Every request and response fully typed. Catch integration bugs at compile time, not runtime.

Get started

One API. Every identity. Free to start.

Create an account, grab your API keys, and model users, organizations, services, and agents in one system. No credit card, no sales calls.

  • 60-day free trial
  • No credit card required
  • Every feature included