AuthPI Identity Provider API
Version 0.1.0 — base URL https://idp.authpi.com. Fetch the raw OpenAPI spec (JSON).
Endpoints
- Discovery — 3 operations. Discovery endpoints for OpenID Connect and OAuth 2.0 configuration.
- Authorization — 2 operations. Authorization endpoints for initiating OAuth 2.0 and OpenID Connect flows.
- Token — 1 operations. Token endpoints for exchanging authorization codes for tokens and refreshing access tokens.
- User Info — 1 operations. OpenID Connect UserInfo endpoint for retrieving claims about the authenticated user.
- Token Management — 2 operations. Endpoints for token lifecycle management including introspection (RFC 7662) and revocation (RFC 7009).
- Session Management — 4 operations. Session management endpoints for monitoring and controlling user sessions.
- API Keys — 1 operations. Endpoints: Get API Key Info
- OpenID Connect — 2 operations. Endpoints: Logout, Logout
- Extensions — 1 operations. Endpoints: get_VerifyEmail
- Consent Management — 1 operations. Endpoints: Revoke Consent
- SSO — 1 operations. Endpoints: Discover SSO for Email
About this API
The AuthPI Identity Provider (IdP) API implements the OAuth 2.0 and OpenID Connect (OIDC) specifications, providing a complete solution for user authentication, authorization, and identity management.
Overview
This API enables you to:
- Authenticate users via the Authorization Code flow with PKCE
- Issue tokens including access tokens, refresh tokens, and ID tokens (JWT)
- Manage sessions with full session lifecycle support
- Verify tokens through introspection and revocation endpoints
Issuers and Multi-Tenancy
All endpoints are scoped to an Issuer, which is your identity provider within AuthPI. An Issuer is the central configuration hub that controls:
- Authentication methods - Password, magic links, social login (OAuth), passkeys, MFA
- Signup policies - Email verification, domain restrictions, admin approval
- Session management - Lifetimes, idle timeouts, device fingerprinting
- Security policies - Redirect URI rules, CORS origins, refresh token settings
Each Issuer has its own isolated user pool. Users in one Issuer are completely separate from users in another. Most customers create one Issuer per application or environment (production, staging).
Issuer URL Pattern
All API endpoints are prefixed with the Issuer ID:
https://idp.authpi.com/{issuer_id}/authorize
https://idp.authpi.com/{issuer_id}/token
https://idp.authpi.com/{issuer_id}/userinfo
The {issuer_id} uniquely identifies your Issuer and is obtained from your AuthPI Console.
Global Identity Mesh
AuthPI runs on a distributed global architecture. User data is stored in Identity Stores distributed across the globe, with automatic routing based on data residency policies. This means:
- Sub-50ms authentication latency - Users authenticate against infrastructure geographically close to them
- Automatic data residency - EU users' data stays in Europe, US users' data stays in North America
- Built-in compliance - GDPR, LGPD, and other regulations satisfied by default
Authentication Flow
The API supports the Authorization Code flow with PKCE (RFC 7636), which is the recommended flow for all client types:
- Redirect users to the
/{issuer_id}/authorize endpoint
- User authenticates and consents
- Exchange the authorization code for tokens at the
/{issuer_id}/token endpoint
PKCE is required for public clients (SPAs, mobile apps) and recommended for all clients. Only the S256 challenge method is supported.
Rate Limiting
API requests are rate-limited to ensure fair usage. When rate-limited, you'll receive a 429 Too Many Requests response with a Retry-After header.
Support
For questions or support, contact us at contact@authpi.com or visit our documentation.