AuthWorx Docs

Hosted B2B authentication for applications that serve multiple organizations. Drop in a few API calls — AuthWorx handles login, sessions, two-factor auth, member management, and real-time webhooks.

Base URL
All API requests go to https://authworx.uthings.io/api/v1.
Include the X-Org-Slug header on every request to scope it to your organization.

What AuthWorx gives you

🚀

Quickstart

Running with a working login in under 10 minutes.

TOTP-based 2FA as a seamless second step.

⚡

Tokens

Verify JWTs from your backend. Silent refresh built in.

🏢

Organizations

Invite members, manage roles, and control access.

🗝️

API Keys

Generate keys for server-to-server auth.

🪝

Webhooks

Real-time HTTP notifications with automatic retries.

How it works

AuthWorx uses a multi-tenant architecture. Each organization has its own members, roles, API keys, and webhook subscriptions. A single AuthWorx deployment can serve many independent organizations.

There are two ways to authenticate requests to AuthWorx:

User auth (cookie-based) — your frontend calls POST /auth/login and receives short-lived access tokens (15 min) and long-lived refresh tokens (7 days) stored in httpOnly cookies. These are automatically refreshed.
Server-to-server (API key) — your backend includes X-API-Key: pk_live_… to call /public/* endpoints. Use this to verify a user's token, fetch user data, or check org membership.

Request conventions

Header	Required	Description
X-Org-Slug	required	Your organization's slug. Scopes all requests to the correct org.
X-API-Key	public API only	API key for server-to-server requests to `/public/*` endpoints.
Authorization	optional	`Bearer <access_token>` — alternative to cookie auth for server calls.
Content-Type	required for POST/PUT	`application/json`

Response format

All responses use a consistent envelope:

Success

{
  "status": "success",
  "data": { ... }
}

Error

{
  "status": "error",
  "message": "Human-readable description of what went wrong"
}