How AuthPI's distributed architecture delivers global compliance and low-latency authentication without complexity.
Last updated 2026-06-11
AuthPI is built on the idea that identity infrastructure should be global by default. Users shouldn’t experience latency because they’re far from your servers. Your compliance team shouldn’t have to manage data residency manually. And you shouldn’t need to deploy and maintain identity services across multiple regions yourself.
The Global Identity Mesh is how we make this happen.
Most identity providers follow a familiar pattern: your user data lives in a single region (usually US or EU), and every authentication request travels to that region, gets processed, and returns. This creates several problems:
- **Latency for global users.** A user in Singapore authenticating against a US-based identity provider experiences 200-300ms of network latency before any processing even begins. For login flows that involve multiple round-trips (MFA, consent screens, token exchange), this adds up to a noticeably slow experience.
- **Manual data residency.** If you need EU users’ data to stay in the EU (for GDPR) and Australian users’ data to stay in Australia (for local regulations), you’re typically looking at deploying separate identity provider instances per region, building routing logic, and maintaining synchronization. Some providers offer “data residency” as an enterprise feature that requires manual configuration per tenant.
- **Single points of failure.** A regional outage in your identity provider’s primary region affects all your users globally, even if they’re on the other side of the world from the problem.
AuthPI takes a fundamentally different approach. Instead of centralizing identity data and routing all requests to it, we distribute identity storage across the globe and route users to the nearest store automatically.
When a user signs up or first authenticates through AuthPI, we determine the appropriate geographic location for their identity data based on configurable rules (more on this below). Their identity is then stored in an Identity Store in that location.
From that point forward, all authentication operations for that user happen at their local Identity Store. Password verification, session management, MFA validation, token issuance—everything happens at the edge, close to the user.
A privacy-preserving index enables this routing without centralizing sensitive data. When a user attempts to authenticate, we can determine which Identity Store holds their data without exposing that data to any central system. The index contains only the minimum information needed for routing decisions.
Sub-50ms authentication latency. Users authenticate against infrastructure that’s geographically close to them. No cross-continental round-trips for every login.
Automatic data residency. Configure your data residency policies once, and AuthPI handles the rest. EU users’ data stays in Europe. US users’ data stays in North America. Australian users’ data stays in Australia. You don’t manage regional deployments or routing rules.
Compliance without complexity. GDPR, LGPD, PIPL, and other data residency regulations are satisfied by default. When auditors ask “where is this user’s data stored?”, the answer is straightforward: in the region you specified.
Resilience built in. Regional issues don’t cascade globally. Users in unaffected regions continue authenticating normally while problems are resolved.
AuthPI runs entirely on Cloudflare’s global network, which spans over 300 cities across 100+ countries. This isn’t just about CDN caching—our core identity infrastructure executes at the edge.
When you use AuthPI, your users’ authentication requests are handled by compute that’s typically within 50ms of their location. There’s no “origin server” in a single region that everything funnels through. The edge is the infrastructure.
This architecture gives us properties that are difficult to achieve with traditional cloud deployments:
You control where user data is stored through data residency policies configured at the Issuer level. Policies can be based on:
- **Geographic detection.** Store users in the region they sign up from. A user signing up from Germany gets their identity stored in Europe; a user signing up from Japan gets theirs stored in Asia-Pacific.
- **Explicit assignment.** Specify the region when creating users via API. Useful when you know a user’s data residency requirements upfront (e.g., enterprise customers with contractual requirements).
- **Domain-based rules.** Route users based on email domain or other attributes. All @company.eu users go to Europe; all @company.com users go to North America.
These policies are evaluated once—at user creation—and the assignment is permanent. This ensures data doesn’t inadvertently move between regions (which would create compliance complications).
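The three policy types and the evaluate-once rule can be modelled as below. This is an added illustration, not AuthPI code or its API: the region identifiers, the policy object shape, the rule precedence (explicit, then domain, then geography, then a default) and all function names are assumptions.

```javascript
// Added illustration, not AuthPI code. Region ids, the policy shape and the
// rule precedence (explicit > domain > geo > default) are assumptions.
const COUNTRY_REGION = new Map([
  ["DE", "eu"], ["FR", "eu"], ["US", "na"], ["CA", "na"], ["JP", "apac"], ["AU", "au"],
]);

// Take the domain after the LAST "@", lowercased, so "company.eu@other.example"
// resolves to "other.example" rather than matching a company.eu rule.
function emailDomain(email) {
  const s = String(email ?? "");
  const at = s.lastIndexOf("@");
  return at < 1 ? "" : s.slice(at + 1).trim().toLowerCase();
}

function resolveRegion(policy, signup) {
  if (signup.region !== undefined) { // explicit assignment via API
    if (!policy.regions.includes(signup.region)) {
      throw new Error(`region not permitted by policy: ${signup.region}`);
    }
    return signup.region;
  }
  // Exact domain match only: suffix or substring matching would let
  // "company.eu.other.example" select the company.eu region.
  const domain = emailDomain(signup.email);
  const rule = policy.domainRules.find((r) => r.domain === domain);
  if (rule) return rule.region;
  return COUNTRY_REGION.get(signup.country) ?? policy.defaultRegion; // geographic detection
}

class ResidencyRegistry {
  constructor(policy) {
    this.policy = policy;
    this.assigned = new Map(); // userId -> region, written once at creation
  }
  createUser(userId, signup) {
    if (this.assigned.has(userId)) throw new Error(`user exists: ${userId}`);
    const region = resolveRegion(this.policy, signup);
    this.assigned.set(userId, region);
    return region;
  }
  // Later requests read the stored assignment; the caller's current country
  // is deliberately ignored, so the data never follows a travelling user.
  regionFor(userId, _currentCountry) {
    return this.assigned.get(userId);
  }
}

// Constructed sample policy mirroring the domain rules described above.
const samplePolicy = {
  regions: ["eu", "na", "apac", "au"],
  defaultRegion: "na",
  domainRules: [{ domain: "company.eu", region: "eu" }, { domain: "company.com", region: "na" }],
};
```

When reviewing a real residency configuration, the two checks worth repeating are the ones encoded here: domain rules match the full domain exactly, and no code path rewrites an assignment after creation.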
A natural question arises: if user data is distributed globally, how do you know where to route an authentication request?
Traditional approaches would maintain a central database mapping usernames to regions. But that centralizes sensitive data (the fact that a username exists, and where their data is stored), which undermines the compliance benefits of distribution.
AuthPI uses a privacy-preserving edge index that solves this differently. The index allows routing decisions without revealing which users exist or where their data is stored to any single system. The technical details are proprietary, but the properties are:
The result is that even AuthPI’s internal systems can’t trivially enumerate all users across all regions—because that enumeration capability doesn’t exist by design.
Users experience fast, reliable authentication regardless of where they are:
You integrate with AuthPI’s standard OAuth 2.0 / OIDC endpoints. The global distribution is transparent:
- Authorization endpoint: https://idp.authpi.com/{issuer_id}/authorize
- Token endpoint: https://idp.authpi.com/{issuer_id}/token
- UserInfo endpoint: https://idp.authpi.com/{issuer_id}/userinfo
These URLs work globally. Cloudflare routes requests to the nearest point of presence, which then routes to the appropriate Identity Store. You don’t maintain regional endpoints or add routing logic to your application.
Data residency is demonstrable and auditable:
When preparing for compliance audits, you can show that EU users’ data never leaves Europe, US users’ data never leaves North America, and so on—because that’s how the system is architecturally designed, not just how it’s configured.
The Global Identity Mesh works seamlessly with AuthPI’s Organizations feature for multi-tenant applications.
Per-organization residency. You can configure organizations to have their own data residency rules, separate from your default issuer policy. Enterprise customers who need data in specific regions get exactly that.
Membership across regions. Users can belong to multiple organizations even if those organizations have different data residency requirements. The user’s identity data stays in one place; only membership records exist in the organization’s region.
Consistent experience. Whether your customer has 5 users or 50,000, whether they’re in one region or spread globally, the authentication experience is consistent and fast.
The Global Identity Mesh delivers consistent performance regardless of scale or geography:
| Operation | Typical Latency | Notes |
|---|---|---|
| Password verification | 20-40ms | Local to Identity Store |
| Session validation | 5-15ms | Edge-cached session state |
| Token issuance | 30-50ms | Includes cryptographic operations |
| MFA verification | 20-40ms | Local to Identity Store |
These latencies are measured from the edge, so the total user-perceived latency is these numbers plus the network latency from the user to their nearest Cloudflare point of presence (typically 10-30ms for most of the world’s population).
| Aspect | Traditional Identity Provider | AuthPI Global Identity Mesh |
|---|---|---|
| Latency | Varies by distance from region (50-300ms) | Consistent globally (~30-50ms) |
| Data residency | Manual regional deployment or enterprise feature | Automatic, policy-based |
| Regional failures | Global impact | Localized impact |
| Setup complexity | Higher for global deployment | Single integration, global by default |
| Compliance proof | Configuration-based claims | Architecture-based guarantees |
The Global Identity Mesh provides the most value when:
Your users are global. If your user base spans multiple continents, traditional identity providers create inconsistent experiences. Users closer to the data center have fast logins; users far away have slow ones. With AuthPI, everyone gets fast logins.
You have data residency requirements. Whether driven by regulations (GDPR, LGPD), customer contracts (enterprise deals requiring specific regions), or company policy, AuthPI handles data residency without operational overhead.
You’re scaling rapidly. Adding users in new geographies doesn’t require deploying new infrastructure or updating routing rules. The mesh expands automatically.
Authentication is in your critical path. If slow logins impact user experience, conversion, or core workflows, consistent low-latency authentication directly affects your metrics.
The Global Identity Mesh is not a feature you enable—it’s how AuthPI works by default. When you create an Issuer, you configure your data residency policy, and the mesh handles the rest.
To get started:
Your users will automatically be routed to the nearest Identity Store, and their data will be stored according to your policies—no additional integration work required.