Introduction to Authepy

Authepy is a high-performance, stateless Email OTP infrastructure engineered for sub-3-second transactional token dispatch and validation loops. But what does that mean for your stack?

If you are evaluating heavy enterprise Identity and Access Management (IAM) suites, you know they act as absolute gatekeepers—forcing you to surrender your user data, adapt to their redirects, and accept their frontend UI limitations. Authepy takes the opposite approach. We provide a specialized, zero-trust verification pipeline that handles the most difficult parts of authentication—ephemeral state hashing and global deliverability—while allowing you to maintain total structural custody of your users and sessions.

Verification Fundamentals

You don’t have to be a cryptographic expert to integrate Authepy, but understanding our stateless architecture will help you build a bulletproof verification funnel.

Unlike legacy IAMs, Authepy is non-custodial. We do not store your user directories, passwords, or persistent metadata. When a user requests a login, our edge router generates a high-entropy numeric challenge, hashes it in volatile memory, and dispatches the code via our enterprise delivery network. Once verified, the token is permanently destroyed. The ultimate session creation (via JWT or secure cookies) remains entirely under your control.

Integrate with Authepy

To start integrating with Authepy, you can dive directly into our framework-specific Quickstart Integration guides for Next.js, React, Node, or WordPress. If you prefer building custom implementations, Authepy offers zero-dependency REST endpoints accessible via any HTTP client.

Your integration begins in the Authepy Console once you sign up. After creating your Workspace, you will provision your API Keys. Authepy utilizes a strict two-key architecture:

  • Standard Secret Keys (Backend): Used securely inside your Node.js, Python, or PHP servers to communicate with our API.
  • Restricted Keys (Frontend): Safe to expose in React or browser applications. These keys are cryptographically bound to specific origin domains (e.g., https://yourdomain.com), rejecting unauthorized cross-origin requests instantly.

Dispatch and Verify

Authepy's human verification runs as a two-step cryptographic pipeline: Dispatch and Verify.

First, your application calls the /otp/request endpoint. Authepy creates the challenge, applies rate-limiting logic, and routes the token over our globally distributed, high-reputation delivery lanes to ensure it bypasses spam filters and reaches the user's inbox in milliseconds.

Second, when the user inputs the 6-digit code, your application calls /otp/verify. Authepy performs a secure memory comparison. If successful, you are granted authorization to issue your own proprietary session tokens to the authenticated user.
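The sketch below is an added example, not Authepy's implementation: it shows the server side of a dispatch-and-verify loop of the kind described above, keeping only a keyed digest of the 6-digit code in volatile memory, comparing in constant time, and destroying the challenge on success. The function names, the 5-minute lifetime and the 5-guess budget are assumptions made for the example.

```javascript
// Added illustration; every name and constant here is hypothetical.
const { randomInt, randomBytes, createHmac, timingSafeEqual } = require('node:crypto');

const TTL_MS = 5 * 60 * 1000;      // assumed challenge lifetime
const MAX_ATTEMPTS = 5;            // assumed guess budget: 6 digits is only 10^6 values
const serverKey = randomBytes(32); // per-process key; a leaked digest is useless without it
const pending = new Map();         // email -> { digest, expires, attempts }, memory only

function digestOf(email, code) {
  // Binding the address into the MAC stops a code issued for one inbox
  // from being accepted for another.
  return createHmac('sha256', serverKey).update(`${email}\n${code}`).digest();
}

function requestOtp(email, now = Date.now()) {
  // randomInt draws from the CSPRNG without modulo bias; pad to keep leading zeros.
  const code = String(randomInt(0, 1_000_000)).padStart(6, '0');
  pending.set(email, { digest: digestOf(email, code), expires: now + TTL_MS, attempts: 0 });
  return code; // handed to the mail sender only; the plaintext is never stored
}

function verifyOtp(email, submitted, now = Date.now()) {
  const entry = pending.get(email);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(email); // expired or guess budget spent: force a new request
    return false;
  }
  entry.attempts += 1;
  // Both buffers are 32-byte HMAC outputs, so timingSafeEqual cannot throw
  // on a length mismatch and the comparison time does not depend on the guess.
  const ok = timingSafeEqual(entry.digest, digestOf(email, String(submitted)));
  if (ok) pending.delete(email); // single use: destroyed on success
  return ok;
}
```

Only after `verifyOtp` returns true would the calling application issue its own session token.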

Take Absolute Control of Your Stack

Heavy IAM providers force your users to leave your website, redirecting them to a hosted "Universal Login" page. This creates visual friction and breaks the native brand experience.

Authepy champions a Bring Your Own UI philosophy. Stop wrapping your user flows around external frontend frames. With Authepy, you build your own native login forms in React, Tailwind, or SwiftUI. Our APIs work invisibly in the background, allowing you to maintain absolute structural custody of your application's visual state and user experience. Furthermore, Enterprise tiers allow for complete white-labeling of the outgoing email headers and branding.

Active Defense & Security

Malicious attacks, botnet registrations, and quota-draining scripts happen constantly. While legacy systems rely on heavy captchas, Authepy utilizes an invisible, edge-deployed Active Defense Web Application Firewall (WAF) to block threats before they reach processing logic.

Enabled by default, Authepy's security perimeter includes:

  • Sub-Address Mutation Shield: Automatically strips and normalizes email aliases (e.g., Gmail '+' tags) to prevent malicious actors from bypassing velocity limiters using a single inbox.
  • Disposable Domain Rejection: Intercepts and rejects traffic targeting ephemeral or burner email providers, protecting your sender reputation and stopping fake signups.
  • Suspicious IP & ASN Throttling: Identifies known data-center IPs and applies an automated 24-hour network block to sources exhibiting aggressive brute-force request velocity.
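To show why alias normalization has to happen before rate limiting, here is an added example (not Authepy's code) of a velocity limiter keyed on a canonical address, so that '+' tags and Gmail dot variants all land in the same bucket. The provider table, the limit of 3 and the 10-minute window are assumptions, and the example goes slightly beyond the page by also folding Gmail dots and the googlemail.com alias.

```javascript
// Added illustration; provider rules, limit and window are assumed values.
const DOMAIN_ALIASES = new Map([['googlemail.com', 'gmail.com']]);
const PLUS_TAG_DOMAINS = new Set(['gmail.com', 'outlook.com']); // sample table, not exhaustive
const DOT_INSENSITIVE = new Set(['gmail.com']);

function canonicalEmail(raw) {
  // Lowercasing the local part is a pragmatic choice: mailbox providers
  // treat it case-insensitively in practice.
  const addr = String(raw).trim().toLowerCase();
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) return null; // not local@domain
  let local = addr.slice(0, at);
  let domain = addr.slice(at + 1);
  domain = DOMAIN_ALIASES.get(domain) ?? domain;
  // Only rewrite where the provider is known to ignore the tag or the dots;
  // on other domains "a+b" may be a distinct mailbox.
  if (PLUS_TAG_DOMAINS.has(domain)) local = local.split('+')[0];
  if (DOT_INSENSITIVE.has(domain)) local = local.replace(/\./g, '');
  return local ? `${local}@${domain}` : null;
}

function createVelocityLimiter({ limit = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const hits = new Map(); // canonical address -> request timestamps inside the window
  return function allow(rawEmail, now = Date.now()) {
    const key = canonicalEmail(rawEmail);
    if (key === null) return false; // malformed input never reaches dispatch
    const recent = (hits.get(key) ?? []).filter((t) => now - t < windowMs);
    const allowed = recent.length < limit;
    if (allowed) recent.push(now);
    hits.set(key, recent);
    return allowed;
  };
}
```

A limiter keyed on the raw string would have counted each alias as a new user and let every request through.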

Deploy and Monitor

When you are ready to deploy to production, Authepy’s global edge network guarantees sub-second latency regardless of your users' geographic location.

To keep your verification pipelines transparent, the Authepy Console provides Provider-Level Telemetry. You can monitor raw delivery logs, latency metrics, and success rates categorized by receiving networks (Google Workspace, Office 365, Yahoo).

For advanced integrations, Authepy supports real-time Webhooks. You can subscribe to cryptographic events so that your backend reacts instantly when a token is successfully verified or when an email dispatch experiences a hard bounce, enabling you to build highly responsive, self-healing architectures.