For API-first and AI-native teams

Identity infrastructure for APIs and AI agents.

AuthPI gives API-first and AI-native teams one identity system for users, organizations, services, and agents. Manage multi-tenancy, scoped credentials, agent access, and event-driven webhooks through a single API.

Identity sequence (api.authpi.com)
  1. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations
    201 org_0kfz3m8q1w5e9r2t6y4u7i3o5 organization created
  2. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations/{org_id}/invitations
    202 inv_8d2f0kfz3m8q1w5e9r2t6y4u7 member invited
  3. POST /v1/accounts/{account_id}/issuers/{issuer_id}/organizations/{org_id}/api-keys
    201 key_7f3a9c2d4e5f67890123456789abcdef org-scoped key issued
  4. POST /v1/accounts/{account_id}/issuers/{issuer_id}/agents
    201 agt_7c1de2f3a4b5c6d7e8f9a0b1c2d3e4f5 AI agent identity created
  5. EVENT user.created
    evt_01J5K8M9N2 delivered to your webhook
Built on: OAuth 2.0 Client Credentials · OpenID Connect · PKCE · JWT / RS256 · WebAuthn · CloudEvents 1.0 · OpenAPI 3.1

How the model works

How users, organizations, and agents relate

Users belong to organizations, services authenticate with scoped credentials, and AI agents get their own identities instead of borrowing user accounts or sharing service keys. Every identity action becomes an auditable event. AuthPI keeps this in one model, not a set of disconnected services you stitch together.

Identity topology (diagram): issuer i_4r8w2k9m5x1p7q is the boundary. Inside it: client_spa (application), org_...i3o5 (organization), usr_jane and usr_amir (users), key_...cdef (org API key), ptk_...89ab (personal token), agt_...e4f5 (agent, machine), and your webhook (event consumer). Edges: membership, "on behalf of", OAuth 2.0 / OIDC, and the user.created event.

Managed through the API

Keep identity management in your product code.

Use the Core API to provision customers, mint organization keys, and give agents their own credentials. At runtime, your products use OAuth/OIDC endpoints; downstream systems follow changes from events and webhooks.

Provision

Create organizations, invitations, API keys, webhooks, clients, and agents through the Core API.

Run

User apps, M2M clients, and agents authenticate against issuer runtime endpoints with OAuth 2.0 and OIDC.

Observe

Events cover mutations across the system, and webhooks deliver the changes your integration subscribes to.

Integrate

OpenAPI-backed TypeScript and Python Admin SDKs keep examples close to the API shape.

TypeScript:

import { AuthPIAdmin } from "@authpi/admin";

const admin = new AuthPIAdmin({
  apiKey: { id: process.env.AUTHPI_KEY_ID!, secret: process.env.AUTHPI_KEY_SECRET! },
  accountId: process.env.ACCOUNT_ID!,
});

const iss = admin.issuer(process.env.ISSUER_ID!);

// Provision the customer model your product already knows about.
const org = await iss.organizations.create({ name: "Acme", org_type: "business" });

await iss.organization(org.id).invitations.create({
  email_invited: "amir@acme.com",
  scopes: ["member"],
});

const key = await iss.organization(org.id).apiKeys.create({
  name: "Billing sync",
  type: "api_key",
  restrictions: { scopes: ["issuers.users:read", "events:read"] },
});

const agent = await iss.agents.create({
  name: "Support triage agent",
  scopes: ["tickets:read", "tickets:triage"],
});

const verifier = await iss.agent(agent.id).verifiers.create({
  type: "secret",
  name: "primary",
});

// The agent uses standard client_credentials at runtime.
// Mutations are available through the events API and subscribed webhooks.

Python:

from authpi_admin import AuthPIAdmin

async with AuthPIAdmin(api_key=(KEY_ID, KEY_SECRET), account_id=ACCOUNT_ID) as admin:
    iss = admin.issuer(ISSUER_ID)

    # Provision the customer model your product already knows about.
    org = await iss.organizations.create({"name": "Acme", "org_type": "business"})

    await iss.organization(org.id).invitations.create({
        "email_invited": "amir@acme.com",
        "scopes": ["member"],
    })

    key = await iss.organization(org.id).api_keys.create({
        "name": "Billing sync",
        "type": "api_key",
        "restrictions": {"scopes": ["issuers.users:read", "events:read"]},
    })

    agent = await iss.agents.create({
        "name": "Support triage agent",
        "scopes": ["tickets:read", "tickets:triage"],
    })

    verifier = await iss.agent(agent.id).verifiers.create({
        "type": "secret",
        "name": "primary",
    })

    # The agent uses standard client_credentials at runtime.
    # Mutations are available through the events API and subscribed webhooks.

Real @authpi/admin · authpi-admin calls generated from the Core API schema.

Core primitives

One API for users, organizations, services, and agents

AuthPI models users, organizations, services, and AI agents as API-managed primitives. Each one is scoped, observable, and flows through the same event pipeline.

usr_

Human identity

Users, sessions, verifiers, MFA, passkeys, and a branded portal for profile and credential management.

Users API · Sessions · Verifiers · Portal
i_ / org_

Multi-tenancy primitives

Issuers, organizations, memberships, domains, and SSO model your customers without bolting tenant logic onto user auth.

Issuers · Organizations · Members · SSO
agt_

Agent identity

First-class agt_ identities for AI agents and bots, with their own scopes, verifiers, organization memberships, and audit trail.

Agents API · Verifiers · Scopes · Memberships
key_ / c_

Service access

Org API keys for managing AuthPI resources, and OAuth client_credentials for services calling your own APIs.

API Keys · Clients · Token endpoint · Scopes
ptk_

User-owned access

Personal access tokens let users connect CLI tools, scripts, and automations while you define the scopes they can request.

Personal Tokens · Scopes · Revocation · Usage events
std

Runtime standards

OAuth 2.0, OpenID Connect, JWTs, JWKS, PKCE, WebAuthn, and OpenAPI specs where your APIs expect them.

OIDC · JWKS · WebAuthn · OpenAPI 3.1
CloudEvents

One event pipeline across the model

State changes, lifecycle transitions, and security signals are persisted as events. Webhooks subscribe to exact event types and keep delivery records for retries and debugging.

user.created · organization.updated · api-key.created · agent.verifier.added · webhook.updated · session.compromised

Runtime and data

Global sign-in.
Your deploy list stays empty.

Auth for users, organizations, services, and agents answers from the location nearest each request: OAuth, token issuance, JWKS. You ship to one place, which is nowhere in particular.

Read how the global identity mesh works

What you do not have to do:
  • stand up regional infrastructure
  • replicate the user store
  • pick where identity data lives
  • configure data residency
  • route sign-ins by geography

AuthPI does all of it: one issuer, worldwide.

Sign-in options

Let users sign in however they want

Any combination. Social for consumers, enterprise SSO for B2B, passkeys for the security-conscious.

OAuth 2.0 RFC 6749

Social logins

Google, GitHub, Microsoft, Apple. Users sign in with accounts they already have.

OIDC OpenID Connect

Enterprise SSO

Connect Okta, Azure AD, or any OIDC provider. Your enterprise customers expect it.

WebAuthn FIDO2

Passkeys

No passwords, and phishing-resistant by design: the credential is bound to your origin, so it cannot be replayed to a look-alike site. Synced passkeys follow users across their devices through the platform authenticator.

Passwordless Email OTP

Magic links

One click in their inbox, they're signed in. Simple, secure, no password to forget.

Argon2id OWASP

Passwords

When you need them. Argon2id hashing (the OWASP recommendation), breach detection, and strength requirements.

MFA RFC 6238

Two-factor auth

TOTP codes from any authenticator app, plus backup codes for recovery.

Access for code

Credentials for the code calling your APIs

Pick by destination first: org API keys manage AuthPI, M2M clients mint OAuth tokens for your own APIs, and personal tokens let users run scripts as themselves.

Calling AuthPI?

key_

Org API keys

Use for the Core API

Backend services, CI jobs, and scripts manage AuthPI resources such as users, issuers, clients, webhooks, and organizations.

HTTP Basic
Core API scopes
Rotate / block / revoke

Calling your APIs?

c_

M2M clients

Use for service-to-service auth

One of your systems exchanges client credentials for a standard OAuth access token that your APIs can verify locally.

client_credentials
JWT access token
30 min default lifetime

Acting as a user?

ptk_

Personal tokens

Use for user-owned automation

CLI tools, local scripts, and integrations act as a specific user without exposing the user's primary credentials.

JWT bearer token
Returned once
Revocable / expiring

These credentials compose in production: a backend can hold an org API key to provision AuthPI resources and an M2M client to call internal APIs, while users keep personal tokens for their own scripts.

Events and webhooks

Every matching account event can trigger a webhook.

AuthPI emits events for users, sessions, organizations, clients, API keys, agents, accounts, and webhooks. Active subscriptions receive matching account events as CloudEvents payloads, with delivery attempts stored for debugging and audit.

Delivery log (last 5)
  user.created                       evt_01J5K8M9N2   attempt 1/1   delivered
  organization.membership.created    evt_01K7N3P5R8   attempt 1/1   delivered
  session.compromised                evt_01M9Q2S5U8   attempt 2/3   retrying
  api-key.created                    evt_01N2R5T8V1   attempt 1/1   delivered
  organization.invitation.accepted   evt_01P4T7W0Y3   attempt 1/1   delivered
Selected delivery: user.created, authpi-signature verified

Delivery: persisted attempts
Auth: Bearer or HMAC
Retries: 40 by default
Format: CloudEvents 1.0

Your customer model

Multi-tenancy built into the identity model

Organizations are the boundary for B2B customers, workspaces, departments, and teams. They carry members, agents, scopes, SSO configuration, invitations, metadata, and lifecycle events in one API model.

Token context

Tokens carry organization context

When a user or agent acts inside a customer tenant, AuthPI issues organization context with the token. Your API authorizes against the org, member, scopes, and membership status it receives.

org: org_0kfz3m8q1w5e9r2t6y4u7i3o5
member: usr_01j4h7k3m5n8p2q4r6s9t0v1x
scopes: org:admin billing:read
status: active

Membership changes are reflected on the next login, refresh, or userinfo call; existing access tokens remain bounded by their configured lifetime.

Tenant record

business / nonprofit / government

A stable org_ ID with business type, contact data, custom fields, metadata, member limits, and status.

Memberships

users + agents

Users and agents join organizations with their own scopes, titles, metadata, and active or suspended status.

Enterprise access

invitations + SSO

Invitation flows, verified SSO domains, SSO-only enforcement, MFA policy, and default member scopes live with the organization.

Lifecycle contract

events emitted

Suspend to remove org claims from newly issued tokens; delete to cascade memberships, invitations, SSO config, and org API keys.

Events
organization.created · organization.membership.created · organization.sso.domain-verified · organization.suspended

Session protection

Session security, on by default

Every session comes with rotating refresh tokens, reuse detection, device tracking, and configurable timeouts. When something looks wrong, AuthPI responds on its own and tells you through an event. None of it needs code on your side.

Stolen token detection

Refresh tokens rotate on every use. If an already-rotated token is presented again, the session is terminated and every refresh token for the user is invalidated: a stolen refresh token is a dead token. Access tokens already issued are self-contained JWTs verified locally by your APIs, so they stay valid until their configured lifetime expires; keep that lifetime short and act on the session.compromised event.

Device fingerprinting

Each session records the device it runs on, so access from an unfamiliar device stands out before it becomes an incident.

Session timeouts

Idle timeouts, absolute lifetimes, or activity-based extension. Your policy, enforced automatically by the issuer.

Instant revocation

One API call logs a user out everywhere. One call revokes an organization's sessions. Incident response without a runbook.

Scenario: a stolen refresh token is replayed. Automatic response:
  1. Reuse detected

    An already-rotated refresh token is presented a second time.

  2. Session terminated

    s_01j5k8m9n2 is killed and every refresh token for the user is invalidated. The attacker holds a dead token.

  3. EVENT session.compromised

    Delivered to your webhook with the session and user in the payload, ready for your incident tooling.

Who it is for

Built for API-first and AI-native teams

From a single API to a multi-party platform, the same primitives model people, services, and AI agents.

API-first SaaS

Multi-Tenant

Your product is an API whose customers are companies. Organizations, memberships, and scoped keys are built-in primitives, so you add multi-tenancy in days, not quarters.

  • Organizations & memberships
  • Domain auto-join onboarding
  • Webhook-driven provisioning
  • Org-scoped API keys

Developer platforms

Multi-Party

You host other people's services and integrations. Dedicated identity per tenant, machine-to-machine auth, and per-party event routing with full isolation.

  • One issuer per tenant
  • M2M credentials built in
  • Events routed per party
  • Complete data isolation

AI-native products

Human + Machine

People and agents both call your API. Give each AI agent its own identity, scopes, organization membership, and audit trail instead of borrowing a user account or sharing an API key.

  • First-class agent IDs
  • Five-minute agent tokens
  • Per-agent secret credentials
  • Agent audit events

Standards underneath

Open standards, no lock-in

Standard protocols mean your existing tools just work. The runtime side of your integration (OAuth 2.0 and OIDC flows, JWT verification against JWKS, WebAuthn) is provider-independent, so switching providers does not mean rewriting it; provisioning code written against the Core API and Admin SDKs is specific to AuthPI.

OAuth 2.0
RFC 6749
OIDC Core 1.0
OpenID
OIDC Discovery
OpenID
PKCE
RFC 7636
JWT
RFC 7519
JWK
RFC 7517
CloudEvents 1.0
CNCF
WebAuthn
W3C

Metadata everywhere

Attach JSON to any resource: users, organizations, sessions. Store your Stripe ID, Salesforce ID, whatever you need.

OpenAPI spec

Full API reference you can import into Postman, Insomnia, or your code generator of choice.

TypeScript types

Every request and response fully typed. Catch integration bugs at compile time, not runtime.

Get started

One API. Every identity. Free to start.

Create an account, grab your API keys, and model users, organizations, services, and agents in one system. No credit card, no sales calls.

  • 60-day free trial
  • No credit card required
  • Every feature included