Issuers — Core API

Lists all issuers belonging to an account with pagination.

Returns issuers in descending order by creation date (newest first). Use this endpoint to:

• View all identity providers in your account
• Monitor issuer status across environments (production, staging)
• Get issuer IDs for subsequent API calls

Tip: Most accounts have one issuer per environment (e.g., production, staging). If you need users to have a single identity across multiple applications, use one issuer with multiple clients instead of multiple issuers.

Creates a new Issuer within an account.

An Issuer is your identity provider in AuthPI. Each issuer maintains an isolated user pool and can be configured with:

• Authentication methods - Enable password, magic links, OAuth/social login, or passkeys
• Signup policies - Control who can register (open, invite-only, domain restrictions)
• Session settings - Configure token lifetimes, idle timeouts, and device fingerprinting
• Branding - Customize hosted login pages with your logo and colors

Common patterns:

• One issuer per environment - Create separate issuers for production, staging, and development
• One issuer per application - If applications require separate user bases
• Shared issuer - Multiple applications sharing one user pool (use multiple clients within one issuer)

After creating an issuer, you'll need to create at least one OAuth Client to authenticate users.

Retrieves the full configuration of an issuer by its ID.

An Issuer is your identity provider within AuthPI. This endpoint returns all issuer settings including:

• Authentication methods - Configured login methods (password, magic links, OAuth, passkeys)
• Signup policies - Email verification, domain restrictions, admin approval settings
• Session settings - Lifetimes, idle timeouts, device fingerprinting
• Security policies - Redirect URI rules, CORS origins, token settings
• Branding - Display name, logo, theme colors for hosted login pages

Use this endpoint to inspect issuer configuration or verify settings after updates.

Updates an issuer's configuration.

Use this endpoint to modify any issuer setting. All fields in the request body are optional - only include the fields you want to change.

Configurable settings include:

• Authentication methods - Add/remove login methods, configure MFA requirements
• Signup policies - Change registration mode, update domain restrictions
• Session settings - Adjust token lifetimes, enable/disable features
• Branding - Update display name, logo, or theme colors
• Security policies - Modify redirect URI rules, CORS origins

Important: Some changes may affect active users:

• Disabling an authentication method won't log out users, but they can't use that method next login
• Reducing session lifetime affects new sessions only, not existing ones
• Changing signup policies takes effect immediately for new registrations

Deletes an issuer (soft delete).

This performs a soft delete - the issuer is marked as deleted but data is retained for a grace period. During this period:

• Users cannot authenticate - All login attempts will fail
• API access is blocked - Calls to this issuer's endpoints return 404
• Data is preserved - User data, sessions, and audit logs are retained
• Recovery is possible - Contact support to restore within the grace period

Before deleting:

1. Ensure no production applications depend on this issuer
2. Migrate users if needed (export user data first)
3. Revoke any active sessions to log out users immediately

After deletion:

• Associated OAuth clients are also soft-deleted
• Webhook subscriptions are deactivated
• User data is scheduled for permanent deletion after the grace period

Lists all authentication methods configured for an issuer.

Authentication methods define how users can sign in to your application. Each method can be enabled or disabled for login and signup independently.

Method types include:

• password - Traditional username/password authentication
• email_link - Passwordless magic links sent via email
• email_otp - One-time passwords sent via email
• passkey - WebAuthn/FIDO2 biometric and security key authentication
• totp - Time-based one-time passwords (authenticator apps)
• oidc - OpenID Connect providers (Google, Microsoft, etc.)
• oauth2 - Generic OAuth 2.0 providers
• apple - Sign in with Apple
• github - GitHub OAuth

Each method has its own settings specific to that authentication type.

Creates a new authentication method for an issuer.

Method types:

• password - Traditional username/password. Only one allowed per issuer.
• email_link - Passwordless magic links. Only one allowed per issuer.
• email_otp - Email one-time passwords. Only one allowed per issuer.
• passkey - WebAuthn/FIDO2 authentication. Multiple allowed.
• totp - Time-based OTP (authenticator apps). Only one allowed per issuer.
• backup_codes - Recovery codes. Only one allowed per issuer.
• oidc - OpenID Connect (Google, Microsoft, Auth0). Multiple providers allowed.
• oauth2 - Generic OAuth 2.0. Multiple providers allowed.
• apple - Sign in with Apple. Multiple allowed.
• github - GitHub OAuth. Multiple allowed.

Required settings by method:

• oidc: issuer_url, client_id, client_secret
• oauth2: provider, client_id, client_secret, redirect_uri
• apple: client_id, team_id, key_id, private_key
• github: client_id, client_secret

Other methods have optional settings.

Retrieves a specific authentication method by ID.

Returns the full configuration for the authentication method including:

• Method type - The authentication mechanism (password, passkey, oidc, etc.)
• Display name - Human-readable name shown to users
• Status flags - Whether enabled for login/signup
• Settings - Method-specific configuration

Note: Sensitive settings like OAuth client secrets are not returned in the response.

Updates an existing authentication method.

Updatable fields:

• name - Display name shown to users
• enabled_login - Whether users can sign in with this method
• enabled_signup - Whether new users can register with this method
• featured - Whether to highlight this method in the login UI

Note: The method type and core settings (like OAuth client credentials) cannot be changed after creation. To change these, delete the method and create a new one.

Common operations:

• Disable a method temporarily: Set enabled_login: false
• Feature a new method: Set featured: true to highlight it
• Stop new signups: Set enabled_signup: false while keeping login enabled

Deletes an authentication method from an issuer.

Warning: This action is permanent and cannot be undone.

Before deleting, consider:

• Users who only have this authentication method will lose access
• Any OAuth integrations will stop working immediately
• If this is the only login method, no users will be able to sign in

Alternative: Instead of deleting, you can disable the method by setting enabled_login: false to prevent new logins while preserving the configuration.