Bulletproof identity for APIs.
Build completely decoupled architectures. Integrate Authepy's headless OTP infrastructure directly into your Express.js, Python, or Go APIs using a single Standard Secret Key.
Standard Secrets
| Decoupled Architecture
.env
# Keep this key strictly on your server
AUTHEPY_SECRET_KEY="ath_sec_live_..."
# Works with any HTTP client
01
The API Bridge
Your frontend client will communicate with your own Express backend. Your Express backend then acts as a secure proxy, attaching your Standard Secret Key to communicate with the Authepy Edge Router.
Security Primitives
- ✓ Zero CORS issues. Pure Server-to-Server.
- ✓ Issue your own session JWTs upon success.
server.js Express
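const express = require('express');
const app = express();
// Only JSON request bodies are parsed; routes below read req.body as an object.
app.use(express.json());
// Base URL of the Authepy Edge Router. Every call to it is made from this
// server, so the Standard Secret Key never reaches a browser.
const AUTHEPY_API = 'https://api.authepy.com/api';
// Fail fast on a missing key: without this check a misconfigured deployment only
// surfaces as upstream rejections (an `Authorization: Bearer undefined` header)
// on the first request, which is much harder to diagnose.
if (!process.env.AUTHEPY_SECRET_KEY) {
  throw new Error('AUTHEPY_SECRET_KEY is not set; see the .env example');
}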
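// 1. Request an OTP
// Request body: { email: string }.
// Responds 200 { success: true, requestId } on success, 400 { error } when the
// input is malformed or Authepy rejects the request, 500 on a transport failure.
// NOTE: each accepted call triggers an outbound OTP delivery, so put a per-IP /
// per-email rate limit in front of this route (not shown here).
app.post('/api/auth/send-code', async (req, res) => {
  // `?? {}` keeps a missing body from throwing a TypeError outside the try block.
  const { email } = req.body ?? {};
  // Reject malformed input here instead of forwarding it upstream.
  if (typeof email !== 'string' || email.length === 0) {
    return res.status(400).json({ error: 'A valid email is required.' });
  }
  try {
    const authepyRes = await fetch(`${AUTHEPY_API}/otp/request`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // Server-held secret; the browser only ever talks to this route.
        Authorization: `Bearer ${process.env.AUTHEPY_SECRET_KEY}`,
      },
      body: JSON.stringify({ email }),
    });
    const data = await authepyRes.json();
    if (!authepyRes.ok) {
      return res.status(400).json({ error: data.error });
    }
    // Return the requestId to your frontend to use in the verification step
    return res.status(200).json({ success: true, requestId: data.requestId });
  } catch (error) {
    // Log server-side; the client gets a generic message with no upstream details.
    console.error('send-code failed:', error);
    return res.status(500).json({ error: "Internal server error." });
  }
});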
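// 2. Verify the OTP
// Request body: { requestId: string, userGuess: string | number }.
// Responds 200 { success: true, message } on success, 400 { error } when the
// input is malformed or Authepy rejects the guess, 500 on a transport failure.
// NOTE: guesses are the brute-force surface of an OTP flow. Whatever attempt cap
// Authepy enforces is not visible here, so rate-limit this route per requestId
// and per IP as well (not shown here).
app.post('/api/auth/verify-code', async (req, res) => {
  // `?? {}` keeps a missing body from throwing a TypeError outside the try block.
  const { requestId, userGuess } = req.body ?? {};
  // Codes may arrive as strings (leading zeros) or numbers; anything else is rejected.
  const hasGuess = typeof userGuess === 'string' || typeof userGuess === 'number';
  if (typeof requestId !== 'string' || requestId.length === 0 || !hasGuess) {
    return res.status(400).json({ error: 'requestId and userGuess are required.' });
  }
  try {
    const authepyRes = await fetch(`${AUTHEPY_API}/otp/verify`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // Server-held secret; the browser only ever talks to this route.
        Authorization: `Bearer ${process.env.AUTHEPY_SECRET_KEY}`,
      },
      body: JSON.stringify({ requestId, userGuess }),
    });
    const data = await authepyRes.json();
    if (!authepyRes.ok) {
      return res.status(400).json({ error: data.error });
    }
    // SUCCESS! Issue your native session token/cookie to the user here.
    // Derive the session identity from what Authepy returns for this requestId
    // (presumably `data` carries the verified email — confirm against the API
    // response), never from anything the client sent in this request.
    return res.status(200).json({ success: true, message: "User verified!" });
  } catch (error) {
    // Log server-side; the client gets a generic message with no upstream details.
    console.error('verify-code failed:', error);
    return res.status(500).json({ error: "Internal server error." });
  }
});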
// Start the proxy. No host is given, so Node's default bind address applies.
const PORT = 3000;
app.listen(PORT, () => {
  console.log('Auth server running');
});

Initialize your Backend.
Stop managing insecure database tokens. Generate your API keys and lock down your backend architecture in minutes.