# AuthPI

> AuthPI is an authentication and identity platform for applications and AI agents: per-tenant OIDC issuers, multi-organization tokens, hosted login portals, signed webhooks, org API keys, and non-human agent identities (x402 wallet/secret auth) — running on Cloudflare's edge with automatic data residency. Manage resources via the Core API (api.authpi.com, org API keys over HTTP Basic); authenticate users and agents via the IdP API (idp.authpi.com, standard OIDC/OAuth 2.0).

Every docs page has a markdown mirror: append `.md` to its URL. The full concatenated corpus is at https://authpi.com/llms-full.txt

## Getting Started

- [Register for an account](https://authpi.com/docs/getting-started/account.md): How to register for an AuthPI account.

## Quickstarts

- [Add authentication to a Next.js app](https://authpi.com/docs/quickstarts/nextjs.md): Add authentication to your [Next.js](https://nextjs.org) app with AuthPI — using the AuthPI SDK or any OIDC client library.
- [Add authentication to a Hono app](https://authpi.com/docs/quickstarts/hono.md): Add authentication to your [Hono](https://hono.dev) app with AuthPI — using the AuthPI SDK or any OIDC client library.
- [Server-side auth with the TypeScript SDK](https://authpi.com/docs/quickstarts/typescript-backend.md): Authenticate users in a Node.js backend with @authpi/idp — authorization-code flow with PKCE, callback handling, session refresh, and per-organization authorization, step by step.
- [Add authentication to a Cloudflare Worker](https://authpi.com/docs/quickstarts/cloudflare-workers.md): Protect a Cloudflare Workers API with AuthPI access tokens — JWT verification with jose, scope-based authorization, local testing, and deploy.
- [Give an AI agent an identity in 10 minutes](https://authpi.com/docs/quickstarts/agents.md): Create an agent identity, add a secret verifier, mint a five-minute OAuth token via client_credentials, and validate it in your API with jose.

## Core Concepts

- [Global Identity Mesh](https://authpi.com/docs/concepts/architecture.md): How AuthPI's distributed architecture delivers global compliance and low-latency authentication without complexity.
- [Issuers](https://authpi.com/docs/concepts/issuers.md): Learn what Issuers are, what they control, and how to configure them for your applications.
- [Users](https://authpi.com/docs/concepts/users.md): Learn how Users work in AuthPI, including authentication, profiles, sessions, and lifecycle management.
- [Introduction to AuthPI's Core Concepts](https://authpi.com/docs/concepts/overview.md): Understand the key concepts of AuthPI, including issuers, portals and protocols.
- [Organizations](https://authpi.com/docs/concepts/organizations.md): Learn how Organizations enable multi-tenancy, team management, and B2B features in AuthPI.
- [Clients](https://authpi.com/docs/concepts/clients.md): Learn how Clients represent your applications and enable OAuth 2.0/OIDC authentication flows.
- [Agent Identities](https://authpi.com/docs/concepts/agents.md): Agents are first-class non-human identities in AuthPI, distinct from users and API keys, with their own credentials, scopes, org memberships, and audit trail.
- [Events](https://authpi.com/docs/concepts/events.md): Complete reference of all events emitted by AuthPI for webhooks, audit logs, and integrations.
- [Credits & Billing](https://authpi.com/docs/concepts/credits-and-billing.md): Pay for AuthPI API usage on-chain with the x402 standard — no Stripe, no monthly invoice, just sign and ship.
- [Multi-Org Tokens](https://authpi.com/docs/concepts/multi-org-tokens.md): How AuthPI embeds active organization memberships in tokens, how selected-org tokens work, and how your resource server authorizes per org.

## Guides

- [Authenticate x402 agents with wallet verifiers](https://authpi.com/docs/guides/x402-agent-auth.md): Bind x402-paying wallets to stable agent identities — add CAIP-2 wallet verifiers, resolve a payer wallet to an agent, and scope what it may do.
- [Give an AI Agent Its Own Credentials](https://authpi.com/docs/guides/agent-identities.md): Create an AI agent identity in AuthPI, issue it a secret, authenticate with client_credentials, validate agent tokens, and manage its lifecycle.
- [Invite users to organizations](https://authpi.com/docs/guides/invitations.md): Create, send, and manage organization invitations with the AuthPI Core API — inviter attribution, the invitee journey, lifecycle states, resend semantics, and events.
- [Issue and manage API keys](https://authpi.com/docs/guides/api-keys.md): Create, scope, rotate, and revoke organization API keys for the AuthPI Core API — covering scopes, IP allowlists, expiry, and one-time secrets.
- [Machine-to-machine auth: API keys, clients, or agents](https://authpi.com/docs/guides/m2m-auth.md): Choose the right machine-to-machine credential on AuthPI — org API keys for the Core API, client_credentials for your own APIs, or agent identities.
- [Manage and revoke sessions](https://authpi.com/docs/guides/session-management.md): List, revoke, and suspend user sessions on AuthPI — log a user out everywhere, understand what revocation does to tokens, and the full kill-switch sequence for compromised accounts.
- [Metadata](https://authpi.com/docs/guides/metadata.md): Learn how to use metadata to store internal data on AuthPI resources.
- [Organization lifecycle & guarantees](https://authpi.com/docs/guides/org-lifecycle.md): The operational contract for AuthPI organizations — ID stability, suspension semantics, hard-delete cascade, and exactly when membership changes reach tokens.
- [Validate AuthPI tokens in your API](https://authpi.com/docs/guides/validate-tokens.md): Verify AuthPI access tokens in your backend with jose or PyJWT — signature checks via JWKS, issuer/audience validation, the at+jwt header, scope checks, and unknown-kid handling.
- [Webhooks](https://authpi.com/docs/guides/webhooks.md): Learn how to set up webhooks to receive real-time notifications about events in your AuthPI account.

## Reference

- [OIDC & OAuth 2.0 Compliance](https://authpi.com/docs/reference/oidc.md): Complete reference of OAuth 2.0 and OpenID Connect standards implemented by AuthPI.
- [Conditional Requests (ETags)](https://authpi.com/docs/reference/conditional-requests.md): Use ETags and the If-Match header for optimistic concurrency control — prevent silent data loss when multiple clients update the same resource.
- [Error codes](https://authpi.com/docs/reference/errors.md): Learn more about error codes returned by our APIs and how to handle them.
- [Idempotency](https://authpi.com/docs/reference/idempotency.md): Safely retry POST requests without creating duplicate resources using the Idempotency-Key header.
- [JWKS & Key Rotation](https://authpi.com/docs/reference/jwks-key-rotation.md): How AuthPI publishes and rotates JWT signing keys: the JWKS endpoint, monthly rotation cadence, the 45-day overlap guarantee, the enforced 21-day token-lifetime cap, caching headers, and unknown-kid handling.
- [Rate limits](https://authpi.com/docs/reference/rate-limits.md): Learn more about rate limits for our APIs and how to handle them.
- [Token Claims Reference](https://authpi.com/docs/reference/token-claims.md): Complete reference for AuthPI JWT claims: access, ID, and refresh token payloads, organization claims, aud precedence rules, and TTL configuration.

## SDKs

- [Admin SDK — Python](https://authpi.com/docs/sdks/admin-python.md): Manage AuthPI from Python backends with authpi-admin — async-first issuer, user, organization, and webhook management with typed models and auto-pagination.
- [Admin SDK — TypeScript](https://authpi.com/docs/sdks/admin-typescript.md): Manage AuthPI from TypeScript backends with @authpi/admin — issuers, users, organizations, webhooks, and API keys, with typed responses, retries, and auto-pagination.
- [IdP SDK — Python](https://authpi.com/docs/sdks/idp-python.md): Add AuthPI login to Python backends with authpi-idp — the OIDC authorization-code flow with PKCE, token refresh, and per-organization authorization checks.
- [IdP SDK — TypeScript](https://authpi.com/docs/sdks/idp-typescript.md): Add AuthPI login to TypeScript backends with @authpi/idp — the OIDC authorization-code flow with PKCE, client_credentials for M2M, token refresh, and per-organization authorization checks.

## ai

- [AuthPI for AI assistants and coding agents](https://authpi.com/docs/ai.md): How to consume AuthPI's documentation and integrate AuthPI programmatically — markdown mirrors, llms.txt, machine-readable specs, and a compact integration recipe.

## API References

### Core API reference

- [Core API overview](https://authpi.com/docs/reference/core-api/): every management endpoint — accounts, issuers, users, organizations, clients, webhooks, API keys
- [Core API reference (interactive)](https://authpi.com/docs/reference/core-api/interactive/): the same endpoints in an interactive explorer
- [Core API OpenAPI spec (JSON)](https://api.authpi.com/openapi.json): the complete machine-readable Core API specification
- [Me](https://authpi.com/docs/reference/core-api/me.md): Caller identity.
- [Accounts](https://authpi.com/docs/reference/core-api/accounts.md): Account management endpoints.
- [Account Domains](https://authpi.com/docs/reference/core-api/account-domains.md): Custom domain management for an account: add, verify, and remove domains used for white-labeled portals and issuers.
- [Issuers](https://authpi.com/docs/reference/core-api/issuers.md): Issuer management endpoints.
- [Clients](https://authpi.com/docs/reference/core-api/clients.md): OAuth 2.0 client management endpoints.
- [Agents](https://authpi.com/docs/reference/core-api/agents.md): Agent identity management endpoints.
- [Users](https://authpi.com/docs/reference/core-api/users.md): User management endpoints.
- [Organizations](https://authpi.com/docs/reference/core-api/organizations.md): Organization management endpoints.
- [Sessions](https://authpi.com/docs/reference/core-api/sessions.md): User session management endpoints.
- [Events](https://authpi.com/docs/reference/core-api/events.md): Audit event endpoints.
- [Webhooks](https://authpi.com/docs/reference/core-api/webhooks.md): Webhook management endpoints.
- [API Keys](https://authpi.com/docs/reference/core-api/api-keys.md): Organization API key management.
- [Personal Tokens](https://authpi.com/docs/reference/core-api/personal-tokens.md): User personal access token management.
- [Token Introspection](https://authpi.com/docs/reference/core-api/token-introspection.md): Validate API keys and personal tokens.
- [Notes](https://authpi.com/docs/reference/core-api/notes.md): Admin/team notes management.
- [Approvals](https://authpi.com/docs/reference/core-api/approvals.md): Signup approval queue management.

### IdP API reference

- [IdP API overview](https://authpi.com/docs/reference/idp-api/): the OIDC/OAuth 2.0 runtime endpoints
- [IdP API reference (interactive)](https://authpi.com/docs/reference/idp-api/interactive/): the same endpoints in an interactive explorer
- [IdP API OpenAPI spec (JSON)](https://idp.authpi.com/openapi.json): the complete machine-readable IdP API specification
- [Discovery](https://authpi.com/docs/reference/idp-api/discovery.md): Discovery endpoints for OpenID Connect and OAuth 2.0 configuration.
- [Authorization](https://authpi.com/docs/reference/idp-api/authorization.md): Authorization endpoints for initiating OAuth 2.0 and OpenID Connect flows.
- [Token](https://authpi.com/docs/reference/idp-api/token.md): Token endpoints for exchanging authorization codes for tokens and refreshing access tokens.
- [User Info](https://authpi.com/docs/reference/idp-api/user-info.md): OpenID Connect UserInfo endpoint for retrieving claims about the authenticated user.
- [Token Management](https://authpi.com/docs/reference/idp-api/token-management.md): Endpoints for token lifecycle management including introspection (RFC 7662) and revocation (RFC 7009).
- [Session Management](https://authpi.com/docs/reference/idp-api/session-management.md): Session management endpoints for monitoring and controlling user sessions.
- [API Keys](https://authpi.com/docs/reference/idp-api/api-keys.md): Endpoints: Get API Key Info
- [OpenID Connect](https://authpi.com/docs/reference/idp-api/openid-connect.md): Endpoints: Logout, Logout
- [Extensions](https://authpi.com/docs/reference/idp-api/extensions.md): Endpoints: get_VerifyEmail
- [Consent Management](https://authpi.com/docs/reference/idp-api/consent-management.md): Endpoints: Revoke Consent
- [SSO](https://authpi.com/docs/reference/idp-api/sso.md): Endpoints: Discover SSO for Email