Identity infrastructure for APIs and AI agents.

AuthPI gives API-first teams a single identity model for users, organizations, services, and AI agents. Multi-tenancy, scoped credentials, M2M auth, short-lived agent tokens, webhooks, and audit events are all built in.

OAuth 2.0 · OIDC · JWT/JWKS · WebAuthn · CloudEvents · OpenAPI · TypeScript and Python SDKs
60-day trial · No credit card · Every feature included · Usage-based pricing, not seats

How the model works

Every identity primitive, included and complete.

Users belong to organizations, services authenticate with scoped credentials, and AI agents get identities of their own. In AuthPI these are one model with one event stream, and none of them is an add-on you bolt on later.

Included with every issuer

Sessions · MFA · Passkeys · SSO · Memberships · Invitations · Scoped API keys · Personal tokens · Agent identities · Webhooks · Audit events

[Diagram: identity topology inside issuer boundary i_4r8w2k9m5x1p7q. Your application is an OAuth client speaking OAuth 2.0 / OIDC to the issuer. Inside the boundary, usr_01j4h7k3m5n8 (user, human) and agt_7c1de2f3 (agent, machine) are members of org_0kfz3m8q1w5e (organization); key_7f3a9c2d (API key) is scoped to that organization; a user.created event flows out to your webhook event consumer.]

Agent identity

AI agents get identities of their own.

When agents call your API as borrowed users or shared keys, you can't scope them, revoke them, or audit them. AuthPI makes the agent a first-class identity next to your users and services.

  • Own credentials per agent: no borrowed user accounts, no shared service keys
  • Short-lived, scoped tokens for every agent call
  • Suspend an agent and its access ends within one five-minute token window
  • Organization membership and a full audit trail, like any identity
Read the agents quickstart

Your customer model

Multi-tenancy built into the identity model

Organizations are the boundary for B2B customers, workspaces, departments, and teams. They carry members, agents, scopes, SSO configuration, invitations, metadata, and lifecycle events in one API model.

Token context

Tokens carry organization context

When a user or agent acts inside a customer tenant, AuthPI issues organization context with the token. Your API authorizes against the org, member, scopes, and membership status it receives.

org org_0kfz3m8q1w5e9r2t6y4u7i3o5
member usr_01j4h7k3m5n8p2q4r6s9t0v1x
scopes org:admin billing:read
status active

Membership changes are reflected on the next login, refresh, or userinfo call; existing access tokens remain bounded by their configured lifetime.

Tenant record

business / nonprofit / government

A stable org_ ID with business type, contact data, custom fields, metadata, member limits, and status.

Memberships

users + agents

Users and agents join organizations with their own scopes, titles, metadata, and active or suspended status.

Enterprise access

invitations + SSO

Invitation flows, verified SSO domains, SSO-only enforcement, MFA policy, and default member scopes live with the organization.

Lifecycle contract

events emitted

Suspend to remove org claims from newly issued tokens; delete to cascade memberships, invitations, SSO config, and org API keys.

Events
organization.created · organization.membership.created · organization.sso.domain-verified · organization.suspended

Sign-in, on open standards

Every way to sign in, every one a standard

Social for consumers, enterprise SSO for B2B, passkeys for the security-conscious: any combination. Each method rides an open protocol, so your existing tools work and switching providers never strands your integration code.

OAuth 2.0

Social logins

Google, GitHub, Microsoft, Apple. Users sign in with accounts they already have.

OIDC

Enterprise SSO

Connect Okta, Azure AD, or any OIDC provider. Your enterprise customers expect it.

WebAuthn

Passkeys

No passwords and no phishing: the credential is bound to your site's origin, so it cannot be replayed to a look-alike domain. Synced passkeys follow users across their devices through the platform authenticator.

Passwordless

Magic links

One click in their inbox, they're signed in. Simple, secure, no password to forget.

Argon2id

Passwords

When you need them. Argon2id hashing, breach detection, and strength requirements.

MFA

Two-factor auth

TOTP codes from any authenticator app, plus backup codes for recovery.

Standards: OAuth 2.0 (RFC 6749) · OIDC Core 1.0 (OpenID) · OIDC Discovery (OpenID) · PKCE (RFC 7636) · JWT (RFC 7519) · JWK (RFC 7517) · CloudEvents 1.0 (CNCF) · WebAuthn (W3C)

Access for code

Credentials for the code calling your APIs

Pick by destination first: org API keys manage AuthPI, M2M clients mint OAuth tokens for your own APIs, and personal tokens let users run scripts as themselves.

Calling AuthPI?

key_

Org API keys

Use for the Core API

Backend services, CI jobs, and scripts manage AuthPI resources such as users, issuers, clients, webhooks, and organizations.

HTTP Basic auth · Core API scopes · Rotate, block, or revoke

Calling your APIs?

c_

M2M clients

Use for service-to-service auth

One of your systems exchanges client credentials for a standard OAuth access token that your APIs can verify locally.

client_credentials grant · JWT access token · 30-minute default lifetime

Acting as a user?

ptk_

Personal tokens

Use for user-owned automation

CLI tools, local scripts, and integrations act as a specific user without exposing the user's primary credentials.

JWT bearer token · Returned once · Revocable, expiring

These credentials compose in production: a backend can hold an org API key to provision AuthPI resources and an M2M client to call internal APIs, while users keep personal tokens for their own scripts.

Session protection

Session security, on by default

Every session comes with rotating refresh tokens, reuse detection, device tracking, and configurable timeouts. When something looks wrong, AuthPI responds on its own and tells you through an event. None of it needs code on your side.

Stolen token detection

Refresh tokens rotate on every use. If an already-rotated token is presented again, the session is killed immediately: a stolen token is a dead token.

Device fingerprinting

Each session records the device it runs on, so unusual access stands out before it becomes an incident.

Session timeouts

Idle timeouts, absolute lifetimes, or activity-based extension. Your policy, enforced automatically by the issuer.

Instant revocation

One API call logs a user out everywhere. One call revokes an organization's sessions. Incident response without a runbook.

Automatic response when a stolen refresh token is replayed:
  1. Reuse detected: an already-rotated refresh token is presented a second time.
  2. Session terminated: s_01j5k8m9n2 is revoked and every token issued to it is invalidated. The attacker holds a dead token.
  3. Event session.compromised: delivered to your webhook with the session and user in the payload, ready for your incident tooling.

The identity graph

One boundary, three kinds of actors

Everything lives inside an issuer: one user pool, one token endpoint, your domain. Organizations partition it per customer, and each kind of actor gets credentials shaped to how it behaves: humans hold sessions, services hold longer-lived tokens, agents live five minutes at a time.

Issuer boundary i_4r8w2k9m5x1p7q: one user pool, one token endpoint, one JWKS.
org_

Organization

Your customer's tenant: members, groups, invitations, and org-scoped API keys (key_) with scope and IP-allowlist restrictions.

usr_

Humans

Sign in and stay signed in.

  • Sessions with rotating refresh tokens
  • Passkeys, WebAuthn, MFA, magic links
  • Personal tokens (ptk_) for their own scripts
c_

Services

Deterministic code calling your APIs.

  • OAuth client_credentials, confidential clients only
  • 30-minute tokens by default, configurable
  • Scopes narrowed per request, secrets rotatable
agt_

AI agents

Autonomous, so trusted five minutes at a time.

  • 5-minute tokens, no refresh token issued
  • Scope subset and audience pinned at mint
  • Every token mint recorded as an audit event
CloudEvents

One event pipeline across the graph

Every actor's state changes, lifecycle transitions, and security signals are persisted as events. Webhooks subscribe to exact event types and keep delivery records for retries and debugging.

user.created · organization.updated · api-key.created · agent.verifier.added · webhook.updated · session.compromised

API, SDKs, and docs

Keep identity management in your product code.

Everything AuthPI does is reachable through the API, wrapped in typed SDKs for TypeScript and Python, and documented for you and for the coding agents working alongside you.

TypeScript

import { AuthPIAdmin } from "@authpi/admin";

const admin = new AuthPIAdmin({
  apiKey: { id: process.env.AUTHPI_KEY_ID!, secret: process.env.AUTHPI_KEY_SECRET! },
  accountId: process.env.ACCOUNT_ID!,
});
const iss = admin.issuer(process.env.ISSUER_ID!);

// A customer and an agent, three calls.
const org = await iss.organizations.create({ name: "Acme", org_type: "business" });

const agent = await iss.agents.create({
  name: "Support triage agent",
  scopes: ["tickets:read", "tickets:triage"],
});

await iss.agent(agent.id).verifiers.create({ type: "secret", name: "primary" });

// The agent authenticates with standard client_credentials at runtime.

Python

from authpi_admin import AuthPIAdmin

async with AuthPIAdmin(api_key=(KEY_ID, KEY_SECRET), account_id=ACCOUNT_ID) as admin:
    iss = admin.issuer(ISSUER_ID)

    # A customer and an agent, three calls.
    org = await iss.organizations.create({"name": "Acme", "org_type": "business"})

    agent = await iss.agents.create({
        "name": "Support triage agent",
        "scopes": ["tickets:read", "tickets:triage"],
    })

    await iss.agent(agent.id).verifiers.create({"type": "secret", "name": "primary"})

    # The agent authenticates with standard client_credentials at runtime.

The @authpi/admin and authpi-admin calls above are real SDK calls, generated from the Core API schema.

Events and webhooks

Every matching account event can trigger a webhook.

AuthPI emits events for users, sessions, organizations, clients, API keys, agents, accounts, and webhooks. Active subscriptions receive matching account events as CloudEvents payloads, with delivery attempts stored for debugging and audit.

Delivery log, last 5 deliveries:
  user.created · evt_01J5K8M9N2 · attempt 1/1 · delivered
  organization.membership.created · evt_01K7N3P5R8 · attempt 1/1 · delivered
  session.compromised · evt_01M9Q2S5U8 · attempt 2/3 · retrying
  api-key.created · evt_01N2R5T8V1 · attempt 1/1 · delivered
  organization.invitation.accepted · evt_01P4T7W0Y3 · attempt 1/1 · delivered
Selected delivery user.created: authpi-signature verified.

Delivery: persisted attempts · Auth: Bearer or HMAC · Retries: 40 by default · Format: CloudEvents 1.0

Runtime and data

Global sign-in.
Your deploy list stays empty.

Auth for users, organizations, services, and agents is answered from the location nearest each request: OAuth flows, token issuance, JWKS. You ship to one place, which is nowhere in particular.

Nothing on this list is your job:

  • Stand up regional infrastructure
  • Replicate the user store
  • Pick where identity data lives
  • Configure data residency
  • Route sign-ins by geography

AuthPI does all of it. One issuer, worldwide.

Read how the global identity mesh works

Use cases

Three products this was built around

From a single API to a multi-party platform, the same primitives model people, services, and AI agents.

API-first SaaS

Multi-Tenant

Your product is an API whose customers are companies. Organizations, memberships, and scoped keys are built-in primitives, so you add multi-tenancy in days, not quarters.

  • Organizations & memberships
  • Domain auto-join onboarding
  • Webhook-driven provisioning
  • Org-scoped API keys

Developer platforms

Multi-Party

You host other people's services and integrations. Dedicated identity per tenant, machine-to-machine auth, and per-party event routing with full isolation.

  • One issuer per tenant
  • M2M credentials built in
  • Events routed per party
  • Complete data isolation

AI-native products

Human + Machine

People and agents both call your API. Give each AI agent its own identity, scopes, organization membership, and audit trail instead of borrowing a user account or sharing an API key.

  • First-class agent IDs
  • Five-minute agent tokens
  • Per-agent secret credentials
  • Agent audit events

Get started

One API. Every identity. Free to start.

Create an account, grab your API keys, and model users, organizations, services, and agents in one system. No credit card, no sales calls.

  • 60-day free trial
  • No credit card required
  • Every feature included