
Bulletproof identity for APIs.

Build completely decoupled architectures. Integrate Authepy's headless OTP infrastructure directly into your Express.js, Python, or Go APIs using a single Standard Secret Key.

Standard Secrets
|
Decoupled Architecture
.env
# Keep this key strictly on your server: never expose it to frontend code or commit this file to version control
AUTHEPY_SECRET_KEY="ath_sec_live_..."

# Works with any HTTP client
01

The API Bridge

Your frontend client will communicate with your own Express backend. Your Express backend then acts as a secure proxy, attaching your Standard Secret Key to communicate with the Authepy Edge Router.

Security Primitives

  • No CORS configuration is needed for the Authepy call: it is made purely server-to-server.
  • Issue your own session JWTs upon success.
server.js Express
const express = require('express');
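// Fail fast when the secret is missing. Without this check every upstream
// call would be sent with the literal header "Bearer undefined" and the
// misconfiguration would only surface as request-time failures.
if (!process.env.AUTHEPY_SECRET_KEY) {
  throw new Error('AUTHEPY_SECRET_KEY is not set');
}

const app = express();
// The routes below are unauthenticated and only read a few short fields, so
// cap the accepted JSON body well below Express's default size.
app.use(express.json({ limit: '4kb' }));

// Base URL of the Authepy API this server proxies to. It is a fixed constant:
// never build it from request data, since the secret key is sent to this host.
const AUTHEPY_API = 'https://api.authepy.com/api';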

// 1. Request an OTP
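/**
 * POST /api/auth/send-code: asks Authepy to send an OTP to the given email.
 *
 * Request body: { email: string }
 * Responses:
 *   200 { success: true, requestId }  OTP requested; requestId is needed to verify
 *   400 { error }                     missing/invalid email, or Authepy rejected the request
 *   502 { error }                     Authepy refused our credentials or failed internally
 *   500 { error }                     network failure, timeout or unparsable upstream reply
 *
 * NOTE(review): this route is unauthenticated and triggers an outbound e-mail
 * on every call. Put per-IP and per-address rate limiting in front of it.
 */
app.post('/api/auth/send-code', async (req, res) => {
  // req.body can be absent when no JSON body was parsed.
  const { email } = req.body ?? {};

  // Only forward a bounded, non-empty string; objects, arrays and oversized
  // values from the client never reach the upstream API.
  if (typeof email !== 'string' || email.length === 0 || email.length > 254) {
    return res.status(400).json({ error: 'A valid email is required.' });
  }

  try {
    const authepyRes = await fetch(`${AUTHEPY_API}/otp/request`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${process.env.AUTHEPY_SECRET_KEY}`
      },
      body: JSON.stringify({ email }),
      // Bound the upstream call so a stalled connection cannot pin this request.
      signal: AbortSignal.timeout(10000)
    });
    const data = await authepyRes.json();

    // Credential problems and upstream faults are ours to fix, not the
    // caller's: log them server-side and return a generic message instead of
    // relaying text about the secret key or the provider's internals.
    if (authepyRes.status === 401 || authepyRes.status === 403 || authepyRes.status >= 500) {
      console.error('Authepy otp/request failed with status', authepyRes.status);
      return res.status(502).json({ error: 'Authentication service unavailable.' });
    }
    if (!authepyRes.ok) return res.status(400).json({ error: data.error });

    // Return the requestId to your frontend to use in the verification step
    return res.status(200).json({ success: true, requestId: data.requestId });
  } catch (error) {
    // Keep the detail in the server log; the client only sees a generic error.
    console.error('send-code failed:', error);
    return res.status(500).json({ error: "Internal server error." });
  }
});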

// 2. Verify the OTP
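/**
 * POST /api/auth/verify-code: checks a user-supplied OTP with Authepy.
 *
 * Request body: { requestId: string, userGuess: string | number }
 * Responses:
 *   200 { success: true, message }  code accepted
 *   400 { error }                   missing/invalid fields, or Authepy rejected the guess
 *   502 { error }                   Authepy refused our credentials or failed internally
 *   500 { error }                   network failure, timeout or unparsable upstream reply
 *
 * NOTE(review): nothing in this handler ties requestId to an e-mail address.
 * Before issuing a session, take the verified identity from a trusted source:
 * a server-side requestId -> email record written when the code was sent, or
 * an identity field in Authepy's verify response if it returns one (not shown
 * on this page). Never take it from the client's request body.
 *
 * NOTE(review): whether Authepy caps failed guesses per requestId is not
 * visible here; rate-limit this route as well.
 */
app.post('/api/auth/verify-code', async (req, res) => {
  // req.body can be absent when no JSON body was parsed.
  const { requestId, userGuess } = req.body ?? {};

  // Accept only short scalar values; anything else is rejected locally and
  // never forwarded upstream.
  const requestIdOk =
    typeof requestId === 'string' && requestId.length > 0 && requestId.length <= 256;
  const guessOk =
    (typeof userGuess === 'string' && userGuess.length > 0 && userGuess.length <= 64) ||
    (typeof userGuess === 'number' && Number.isFinite(userGuess));
  if (!requestIdOk || !guessOk) {
    return res.status(400).json({ error: 'requestId and userGuess are required.' });
  }

  try {
    const authepyRes = await fetch(`${AUTHEPY_API}/otp/verify`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${process.env.AUTHEPY_SECRET_KEY}`
      },
      body: JSON.stringify({ requestId, userGuess }),
      // Bound the upstream call so a stalled connection cannot pin this request.
      signal: AbortSignal.timeout(10000)
    });
    const data = await authepyRes.json();

    // Credential problems and upstream faults are logged server-side and
    // answered with a generic message rather than relayed to the caller.
    if (authepyRes.status === 401 || authepyRes.status === 403 || authepyRes.status >= 500) {
      console.error('Authepy otp/verify failed with status', authepyRes.status);
      return res.status(502).json({ error: 'Authentication service unavailable.' });
    }
    if (!authepyRes.ok) return res.status(400).json({ error: data.error });

    // SUCCESS! Issue your native session token/cookie to the user here.
    // If it is a cookie, set HttpOnly, Secure and SameSite on it, and give a
    // JWT a short expiry.
    return res.status(200).json({ success: true, message: "User verified!" });
  } catch (error) {
    // Keep the detail in the server log; the client only sees a generic error.
    console.error('verify-code failed:', error);
    return res.status(500).json({ error: "Internal server error." });
  }
});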

// Plain-HTTP listener on port 3000. OTP guesses and whatever session token
// you issue travel over this socket, so terminate TLS in front of it
// (reverse proxy or load balancer) before exposing it beyond localhost.
const onListening = () => console.log('Auth server running');
app.listen(3000, onListening);

Initialize your Backend.

Stop managing insecure database tokens. Generate your API keys and lock down your backend architecture in minutes.