Effective March 30, 2026

Terms of Service

Clear, fair terms for developers and teams building with Auth1.

Table of Contents

  1. Acceptance of Terms
  2. Description of Service
  3. Account Registration
  4. Acceptable Use
  5. API Usage & Rate Limits
  6. SMS & Communication Consent
  7. Data Processing
  8. Intellectual Property
  9. Payment Terms
  10. Service Level Agreement
  11. Self-Hosted Deployments
  12. Data Security
  13. Limitation of Liability
  14. Indemnification
  15. Termination
  16. HIPAA Provisions
  17. Changes to Terms
  18. Governing Law
  19. Contact

1. Acceptance of Terms

By creating an account, accessing, or using any part of the Auth1 platform ("Service"), you agree to be bound by these Terms of Service ("Terms"). If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to these Terms.

If you do not agree with any part of these Terms, you must not use the Service. Your continued use of the Service after any modifications to these Terms constitutes acceptance of those changes.

2. Description of Service

Auth1 is a multi-tenant authentication platform that provides the following capabilities:

  • SMS OTP — One-time password verification via text message
  • Email verification — Code-based and link-based email verification
  • Magic links — Passwordless authentication via email
  • Password authentication — Secure password-based login with Argon2id hashing
  • OAuth social login — Google, GitHub, and other identity providers
  • MFA/TOTP — Multi-factor authentication with time-based one-time passwords

We provide REST APIs, client SDKs (@auth1/js, @auth1/react), and hosted authentication infrastructure. The Service is available as a managed cloud offering and, for Enterprise customers, as a self-hosted deployment.

3. Account Registration

To use the Service, you must create an account. When registering, you agree to:

  • Provide accurate, current, and complete information
  • Maintain the confidentiality and security of your API key and account credentials
  • Immediately notify us of any unauthorized access to your account
  • Accept responsibility for all activity that occurs under your account

You must be at least 18 years of age to create an account. If you are between 13 and 18, you may only use the Service with the consent and supervision of a parent or legal guardian who agrees to be bound by these Terms.

Each individual may maintain one account. Creating multiple accounts to circumvent rate limits, plan restrictions, or enforcement actions is prohibited.

4. Acceptable Use

You agree to use the Service responsibly. Specifically, you agree not to:

  • Use Auth1 to send unsolicited messages (spam) or communications to individuals who have not consented
  • Attempt to bypass, disable, or circumvent rate limits, security controls, or access restrictions
  • Use the Service for any illegal, fraudulent, or harmful purpose
  • Attempt to reverse-engineer, decompile, disassemble, or otherwise derive the source code of the Service (except as permitted by applicable law)
  • Share, publish, or expose your API keys in public repositories, client-side code, or any publicly accessible location
  • Store or transmit illegal content, malware, or any material that violates the rights of others through our systems
  • Use the Service to conduct phishing attacks, social engineering, credential stuffing, or any form of identity fraud
  • Interfere with the performance, availability, or security of the Service for other users
  • Resell or redistribute the Service without written authorization from Auth1

We reserve the right to investigate potential violations and take appropriate action, including suspension or termination of your account.

5. API Usage & Rate Limits

Your use of the Auth1 API is subject to the rate limits and usage quotas associated with your plan:

  • Free: 10,000 monthly active users (MAU), 100 SMS/month
  • Starter: 25,000 MAU, 1,000 SMS/month
  • Pro: 100,000 MAU, 10,000 SMS/month
  • Enterprise: Custom limits

If you exceed your plan's limits, we may temporarily throttle your API requests until the next billing cycle or until you upgrade your plan. We will make reasonable efforts to notify you before throttling takes effect.

Sustained abuse of the Service — including but not limited to automated scraping, brute-force attacks, or intentional overloading — may result in immediate suspension of your account.

6. SMS & Communication Consent

Important: This section outlines your obligations under the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act when using Auth1's messaging features.

By using Auth1's SMS OTP, email verification, or any messaging features, you confirm and agree that:

  • Your end users have provided explicit, informed consent to receive text messages and/or emails before you initiate any communication through Auth1
  • You are solely responsible for obtaining, documenting, and maintaining TCPA-compliant and CAN-SPAM-compliant consent from your end users
  • You will not use Auth1 to send messages to individuals who have not opted in or who have subsequently opted out
  • You will honor all unsubscribe and opt-out requests promptly

Auth1 records consent metadata (including timestamp, IP address, and user agent) to assist with compliance. However, the legal obligation to obtain valid consent rests entirely with you as the data controller. Auth1 is not responsible for any fines, penalties, or legal actions arising from your failure to obtain proper consent.

7. Data Processing

In providing the Service, we process personal data including email addresses, phone numbers, IP addresses, device information, and authentication metadata. Our roles are defined as follows:

  • You are the data controller — you determine the purposes and means of processing your end users' personal data
  • Auth1 is the data processor — we process personal data solely on your behalf to provide the Service

We process data only as necessary to deliver the Service and in accordance with our Privacy Policy. Enterprise customers may request a Data Processing Agreement (DPA) by contacting legal@auth1.ai.

8. Intellectual Property

Auth1's platform, APIs, SDKs, documentation, branding, and all related intellectual property are owned by Auth1, Inc. and are protected by applicable intellectual property laws. These Terms do not grant you any rights to use our trademarks, logos, or branding without written permission.

The open-source auth-shield library is licensed under the MIT License. Your use of that library is governed by its license terms, not these Terms.

You retain full ownership of your application code, data, and any content you create using the Service. We claim no intellectual property rights over your work.

9. Payment Terms

The Free plan requires no payment and no credit card. For paid plans:

  • Plans are billed either monthly or annually, as selected at signup
  • Payment is due at the beginning of each billing cycle
  • Overage charges (for usage exceeding your plan's included limits) are calculated and billed at the end of each billing cycle
  • All fees are quoted and charged in United States dollars (USD)
  • All fees are non-refundable, except as required by applicable law or as specified in our SLA
  • Failure to pay may result in suspension or downgrade of your account

We may change our pricing at any time. We will provide at least 30 days' advance notice of any price increase via email. Price changes will take effect at the start of your next billing cycle after the notice period.

10. Service Level Agreement

Auth1 offers the following uptime commitments by plan:

  • Free: No SLA. The Service is provided on a best-effort basis.
  • Starter: Best-effort availability. No SLA credits.
  • Pro: 99.9% monthly uptime. SLA credits available for documented downtime below this threshold.
  • Enterprise: 99.99% monthly uptime. SLA credits available for documented downtime below this threshold.

"Uptime" is measured as the percentage of time the Auth1 API is available and responsive (HTTP 2xx or 4xx responses within 5 seconds), excluding scheduled maintenance windows communicated at least 48 hours in advance.

SLA credits are applied as account credits toward future billing cycles and are capped at 30% of the affected month's fees. To claim an SLA credit, you must submit a request to support@auth1.ai within 30 days of the incident.

11. Self-Hosted Deployments

Enterprise customers who elect to self-host the Auth1 platform on their own infrastructure acknowledge and agree that:

  • You are solely responsible for provisioning, maintaining, and securing your hosting infrastructure
  • You are responsible for all backups, disaster recovery, and data integrity measures
  • You are responsible for ensuring compliance with applicable laws and regulations in your deployment environment
  • Auth1 provides the software "as-is" for self-hosted deployments, with support limited to the terms of your Enterprise agreement
  • Self-hosted SLA terms, if any, are defined in your Enterprise agreement and may differ from managed-cloud SLA terms

12. Data Security

We take data security seriously and implement industry-standard measures to protect your data, including:

  • Password hashing: Argon2id via compiled Rust — passwords are never stored in plaintext
  • Encryption at rest: AES-256-GCM encryption for sensitive data (Enterprise)
  • Encryption in transit: TLS 1.3 for all API connections
  • Timing-safe comparisons: All secret comparisons use constant-time algorithms to prevent timing attacks
  • Circuit breakers: Automatic protection against cascading failures
  • Structured audit logging: Immutable logs of authentication events and consent records
  • Post-quantum cryptography: Optional ML-DSA-65 (Dilithium) signatures on audit records for tamper-proof evidence

While we implement rigorous security measures, no system is 100% secure. We cannot guarantee that unauthorized access, data breaches, or security incidents will never occur. In the event of a security incident affecting your data, we will notify you as required by applicable law.

13. Limitation of Liability

THE SERVICE IS PROVIDED "AS-IS" AND "AS-AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

  • AUTH1 SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, BUSINESS OPPORTUNITIES, OR GOODWILL
  • AUTH1'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS SHALL NOT EXCEED THE TOTAL AMOUNT YOU PAID TO AUTH1 IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM
  • FOR FREE PLAN USERS, AUTH1'S TOTAL LIABILITY SHALL NOT EXCEED FIFTY UNITED STATES DOLLARS ($50.00)

These limitations apply regardless of the theory of liability (contract, tort, strict liability, or otherwise) and even if Auth1 has been advised of the possibility of such damages.

14. Indemnification

You agree to defend, indemnify, and hold harmless Auth1, Inc., its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • Your use of the Service or any activity under your account
  • Your violation of these Terms or any applicable law or regulation
  • Your end users' activities, including their use of authentication services you provide through Auth1
  • Your failure to obtain proper consent from your end users for SMS, email, or data processing
  • Any content, data, or materials you transmit through the Service

15. Termination

Either party may terminate this agreement at any time:

  • You may terminate by deleting your account through the dashboard or by contacting support@auth1.ai
  • Auth1 may terminate or suspend your account immediately if you violate these Terms, engage in abusive behavior, or fail to pay applicable fees

Upon termination:

  • Your access to the Service will be revoked
  • We will retain your data for 30 days, during which you may request a data export
  • After the 30-day retention period, all your data will be permanently deleted, except for records we are legally required to retain (such as consent audit logs and billing records)
  • Any outstanding fees remain due and payable

16. HIPAA Provisions

Enterprise customers only. This section applies if you process Protected Health Information (PHI) through Auth1.

If you are a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and intend to use Auth1 to authenticate users who access systems containing Protected Health Information (PHI):

  • You must execute a separate Business Associate Agreement (BAA) with Auth1 before transmitting any PHI through the Service
  • Standard plans (Free, Starter, Pro) are not HIPAA-compliant without a BAA in place
  • Enterprise customers may request a BAA by contacting legal@auth1.ai
  • Auth1's HIPAA-eligible configuration includes additional security controls, audit logging, and access restrictions as specified in the BAA

17. Changes to Terms

We may update these Terms from time to time to reflect changes in our Service, legal requirements, or business practices. When we make material changes:

  • We will provide at least 30 days' advance notice via email to the address associated with your account
  • We will update the "Effective Date" at the top of this page
  • We will post the updated Terms on our website

Your continued use of the Service after the updated Terms take effect constitutes your acceptance of the changes. If you do not agree with the updated Terms, you must stop using the Service and terminate your account.

18. Governing Law & Dispute Resolution

These Terms are governed by and construed in accordance with the laws of the State of Florida, United States, without regard to its conflict-of-law principles.

MANDATORY BINDING ARBITRATION & CLASS ACTION WAIVER. Please read this section carefully. It affects your legal rights.

18.1 Mandatory Binding Arbitration

Any dispute, claim, or controversy arising out of or relating to these Terms, the Service, your use of the Service, or any related matter (collectively, "Disputes") shall be resolved exclusively through final and binding individual arbitration, rather than in court, except as set forth below. This includes claims that arose before these Terms became effective.

Arbitration shall be administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules and the Supplementary Procedures for Consumer-Related Disputes (if applicable). The arbitration shall take place in Miami-Dade County, Florida, or at the election of the claimant, via telephone, video conference, or based on written submissions.

The arbitrator shall have exclusive authority to resolve any Dispute, including any claim that all or part of this arbitration provision is void or voidable. The arbitrator's decision shall be final and binding, and judgment on the award may be entered in any court of competent jurisdiction in the State of Florida.

18.2 Class Action Waiver

YOU AND AUTH1 AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING. The arbitrator may not consolidate more than one person's claims and may not preside over any form of class, consolidated, or representative proceeding. If this specific provision is found to be unenforceable, then the entirety of this arbitration section shall be null and void (but the remaining Terms shall continue in effect).

18.3 Waiver of Jury Trial

YOU AND AUTH1 HEREBY WAIVE ANY CONSTITUTIONAL AND STATUTORY RIGHTS TO SUE IN COURT AND HAVE A TRIAL IN FRONT OF A JUDGE OR A JURY. You and Auth1 are instead electing to have claims and disputes resolved by arbitration. There is no judge or jury in arbitration, and court review of an arbitration award is limited.

18.4 Waiver of Class or Consolidated Actions

ALL CLAIMS AND DISPUTES WITHIN THE SCOPE OF THIS ARBITRATION AGREEMENT MUST BE ARBITRATED ON AN INDIVIDUAL BASIS AND NOT ON A CLASS OR COLLECTIVE BASIS. ONLY INDIVIDUAL RELIEF IS AVAILABLE, AND CLAIMS OF MORE THAN ONE USER CANNOT BE ARBITRATED OR CONSOLIDATED WITH THOSE OF ANY OTHER USER.

18.5 Exceptions to Arbitration

Notwithstanding the foregoing, the following shall not be subject to the arbitration requirement:

  • Either party may seek injunctive or equitable relief in any court of competent jurisdiction in Miami-Dade County, Florida to protect its intellectual property rights, confidential information, or to enforce the non-compete or non-solicitation provisions herein
  • Claims that may be properly brought in small claims court in Miami-Dade County, Florida (if the claim qualifies)

18.6 Exclusive Venue

To the extent that litigation is permitted under these Terms (including the exceptions above), you and Auth1 agree that any judicial proceedings shall be brought exclusively in the state or federal courts located in Miami-Dade County, Florida. Both parties consent to the personal jurisdiction and venue of such courts and waive any objection based on inconvenient forum.

18.7 30-Day Opt-Out Right

You have the right to opt out of the arbitration and class action waiver provisions by sending written notice of your decision to opt out to legal@auth1.ai within 30 days of first accepting these Terms. Your notice must include your name, email address, and a clear statement that you wish to opt out of arbitration. If you opt out, you and Auth1 may litigate Disputes exclusively in the state or federal courts located in Miami-Dade County, Florida.

18.8 Limitation on Time to File Claims

ANY CAUSE OF ACTION OR CLAIM YOU MAY HAVE ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION OR CLAIM IS PERMANENTLY BARRED. This limitation applies regardless of whether the claim sounds in contract, tort, strict liability, or otherwise.

18.9 Severability

If any provision of these Terms is found to be unenforceable by a court or arbitrator, the remaining provisions will continue in full force and effect. If the class action waiver (Section 18.2) is found to be unenforceable as to a particular claim or request for relief, then the entire arbitration section shall be deemed void as to that claim only.

19. Contact

If you have questions about these Terms, please contact us:

Auth1, Inc.
Email: legal@auth1.ai
General inquiries: support@auth1.ai


© 2025 Auth1. All rights reserved.
