Torii docs

Overview

The Backend API (BAPI) is the server-to-server API for verifying sessions, managing users, and reading auth data from your backend. It authenticates with a secret key (sk_live_* / sk_test_*), so it runs only on your server, never in the browser.

The browser side is handled entirely by the frontend SDK (e.g. @torii-js/torii-react); you don’t call an API directly from the client.

Reach for the SDK for your backend’s language. Each wraps the Backend API with a typed client and session verification:

| Language | Published to | Repository |
| --- | --- | --- |
| JavaScript / TypeScript | npm | Torii-ApS/torii-sdk-js |
| Python | PyPI | Torii-ApS/torii-sdk-python |
| Go | Go modules | Torii-ApS/torii-sdk-go |
| Java | Maven Central | Torii-ApS/torii-sdk-java |
| PHP | Packagist | Torii-ApS/torii-sdk-php |
| Ruby | RubyGems | Torii-ApS/torii-sdk-ruby |
| .NET | NuGet | Torii-ApS/torii-sdk-dotnet |

No SDK for your stack yet? Call the Backend API over HTTP with your secret key as a Bearer token. The Server API reference documents every endpoint, request, and response.

Torii issues standard JWTs. To verify them on a backend that isn’t using an official SDK, or to plug into any OIDC-compliant library, use the public discovery and key endpoints on your tenant host (https://<tenant>.torii.so, or your verified custom domain):

| Endpoint | Purpose |
| --- | --- |
| GET /.well-known/openid-configuration | OIDC discovery document: the issuer, jwks_uri, and supported algorithms. Point any OIDC client or validator at this URL. |
| GET /_torii/.well-known/jwks.json | JSON Web Key Set: the public keys used to verify JWT signatures. Cache it and refresh on key rotation. Most OIDC libraries fetch it for you via the discovery document’s jwks_uri. |

Both are public (no secret key) and are exactly what the backend SDKs use under the hood to validate sessions.