Antara

Build apps without collecting user emails or phone numbers

Use Antara for privacy-first identity, communication, and account continuity.

What is Antara?

Antara is a privacy layer between your app and your users. Instead of collecting emails and phone numbers, your app receives a unique, per-app identity slug. Users communicate through their Antara inbox — you never need to store personal data.

How apps integrate

1. Register your app

Create your app on Antara, get a client_id and API keys.

2. Add OAuth login

Use standard OAuth 2.0 Authorization Code with PKCE (S256). No client secret is required for public browser clients. The user approves your app on Antara.

3. Receive slug

You get a unique slug — a random identifier for that user. No email, no phone.

4. Send messages

Communicate via the Antara messaging API. Users control their notification preferences.

You can ship a production integration using only HTTPS: any language, any framework. The sections below describe the same contracts our future SDKs will wrap.

OAuth flow (high level)

Your app sends the user to GET https://api.useantara.com/oauth/authorize (see below for query parameters)
User signs in and approves on Antara (consent UI)
Antara redirects to your redirect_uri with a one-time code (and your state)
Your backend exchanges the code at POST https://api.useantara.com/oauth/token (never ship API keys to, or perform the token exchange from, untrusted browsers)

Implement without an SDK

1. API base and discovery

OAuth and REST endpoints are served from the API host (not the marketing site). Production base URL:

https://api.useantara.com

OIDC / OAuth metadata (issuer, endpoints, supported scopes) is published at https://api.useantara.com/.well-known/openid-configuration. Use it to keep your client aligned with what Antara exposes in each environment.

2. Authorization request (browser)

Antara requires PKCE with method S256. Before redirecting, generate a high-entropy code_verifier (keep it server-side or in a secure session), derive code_challenge = BASE64URL(SHA256(code_verifier)) without padding, then send the user to:

GET https://api.useantara.com/oauth/authorize
  ?client_id=YOUR_APP_CLIENT_ID
  &redirect_uri=https%3A%2F%2Fyourapp.com%2Foauth%2Fcallback
  &response_type=code
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &state=CRYPTO_RANDOM_STATE
  &scope=openid%20profile%20email

scope is optional; allowed values depend on how your app is registered. In a normal browser, this step redirects through the Antara consent experience at useantara.com/oauth/consent (same query string). Programmatic clients may call the authorize endpoint with Accept: application/json to receive consent metadata instead of HTML.

On your callback route, validate state, read code from the query string, and reject the request if either is missing or invalid.

3. Token exchange (your server)

Exchange the authorization code for tokens with the verifier you stored in step 2. Example JSON body:

POST https://api.useantara.com/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE_FROM_CALLBACK",
  "redirect_uri": "https://yourapp.com/oauth/callback",
  "client_id": "YOUR_APP_CLIENT_ID",
  "code_verifier": "ORIGINAL_CODE_VERIFIER"
}

The response follows Antara’s standard envelope (tokens and metadata in data, tracing in meta). Map the returned identifiers to your own user record; the end user’s email and phone are not the primary integration surface.
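Steps 2 and 3 as server-side Node.js code. This is an added example, not Antara's own code or SDK. The function names and the session object are hypothetical; the endpoint and parameter names are the ones shown above. It generates the PKCE pair and state, builds the authorize URL, and on the callback rejects a missing code or a mismatched state before producing the JSON body for POST /oauth/token, which the caller then sends with its own HTTP client.

```javascript
// Added example (not Antara's code): PKCE S256 and state handling for the flow above.
const crypto = require('node:crypto');

const AUTHORIZE_URL = 'https://api.useantara.com/oauth/authorize'; // from the page

// RFC 7636: verifier is 43-128 unreserved chars; 32 random bytes encode to 43.
function newVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(code_verifier)), without padding.
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Returns the redirect URL plus the values to keep in the server-side session.
function beginLogin({ clientId, redirectUri }) {
  const verifier = newVerifier();
  const state = crypto.randomBytes(16).toString('base64url');
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
    state,
  }).toString();
  return { url: url.toString(), session: { verifier, state, redirectUri } };
}

// Callback: null on missing code or bad state, else the /oauth/token JSON body.
function handleCallback(query, session, clientId) {
  const { code, state } = query;
  if (typeof code !== 'string' || !code || typeof state !== 'string') return null;
  const a = Buffer.from(state), b = Buffer.from(session.state);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  return {
    grant_type: 'authorization_code',
    code,
    redirect_uri: session.redirectUri,
    client_id: clientId,
    code_verifier: session.verifier,
  };
}
```

Discard the stored verifier and state after one callback attempt, whether it succeeds or fails, so neither can be reused.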

4. Backend API calls (app credentials)

For server-to-server work (messaging, identity lookup, webhooks), exchange your app’s API key for a short-lived bearer token, then call /app/v1/… routes with Authorization: Bearer …. Example:

POST https://api.useantara.com/auth/token/exchange
Content-Type: application/json

{ "apiKey": "antara_live_…" }

Scopes on the token determine which APIs you may call (for example messages.send, identity.read). Full request/response shapes and error codes are summarized on the documentation page.

Messaging API

Send messages to users without knowing their email (after you have a bearer for your app):

POST https://api.useantara.com/app/v1/messages
Idempotency-Key: unique-key
Authorization: Bearer aat_...

{
  "slug": "xK9mNp...",
  "body": "Your order #1234 has shipped!"
}

Official npm SDKs — coming soon

We are preparing scoped packages (@antara/web-sdk for browser OAuth helpers and @antara/server-sdk for token exchange and typed API helpers) for public release on npm. Until they ship, integrating via raw HTTP as above is supported and is the recommended path.

For endpoint lists, scopes, and copy-paste examples, continue to the documentation.

Prompt for a coding assistant (any tool) — add Antara as a separate module

Copy everything in the block below into your assistant of choice (for example an IDE agent, a chat-based coding tool, or a CLI code agent). Adjust naming to your repo; the prompt stays stack-agnostic. You are responsible for credentials, review, and compliance.

You are an implementation assistant operating on a developer’s existing codebase. Implement an integration with Antara (privacy-oriented identity and messaging) using standard HTTPS and documented OAuth 2.0 / REST contracts—not assumptions from training data alone.

Read first (canonical for humans and machines):
- Overview and HTTP-first flow: https://useantara.com/developers
- Endpoint examples and envelopes: https://useantara.com/docs
- Production API host: https://api.useantara.com
- OAuth/OIDC discovery document: https://api.useantara.com/.well-known/openid-configuration

Architecture:
- Place all Antara-specific logic (authorize URL construction, PKCE verifier/challenge, calls to api.useantara.com) in a dedicated folder, package, or module that matches this repository’s conventions. Avoid duplicating URL strings across unrelated files.
- Use OAuth 2.0 Authorization Code with PKCE (method S256). Do not use a client_secret in public browser or mobile clients.
- Perform POST /oauth/token (authorization code exchange) and POST /auth/token/exchange (API key to bearer) only from trusted server-side code (backend, serverless function, or equivalent). Never ship long-lived API keys inside client bundles.

Security and configuration:
- Read client_id, redirect URIs, and API keys from environment variables or the platform’s secret mechanism. Never commit real secrets; never hardcode production keys in source.
- On the OAuth callback route, validate the state parameter; reject missing or mismatched state.
- Handle success and error responses using Antara’s documented JSON shapes (including requestId / rate-limit hints where applicable).

Token semantics and browser login (common pitfalls):
- The access token from POST /oauth/token after the authorization code flow is a user-scoped token for your registered OAuth client (Antara commonly exposes this as an opaque bearer whose prefix is oit_). Use it only on routes documented to accept that token type (for example introspection, userinfo, or identity lookup where policy allows).
- Many app-scoped product APIs (for example POST /app/v1/messages with Idempotency-Key) expect a different bearer: typically a short-lived app access token from POST /auth/token/exchange with your server’s API key (Antara commonly uses prefix aat_). Do not assume the browser OAuth token can call every /app/v1/* route; confirm the current docs and treat 401/403 as a signal to use the correct credential.
- POST /auth/exchange-code is for Antara portal magic-link handoff (signed codes), not for third-party OAuth authorization codes—always use POST /oauth/token with PKCE for OAuth.
- Start interactive login with a full browser navigation to GET {api}/oauth/authorize?… (Accept: text/html) so the platform can redirect to the hosted consent experience; replacing that with a JSON-only fetch is for non-browser or advanced clients, not the default web login path.

Optional reference implementation:
- If this repository includes or can vendor the Antara Next.js demo app (antara-demo-app), align naming and env vars with its lib/auth.ts, lib/pkce.ts, and lib/antara.ts patterns while still isolating Antara code per the architecture rules above.

Deliverable:
- Inspect this repository to infer language, framework, routing, and testing norms.
- Propose a minimal file/route/env layout, then implement it.
- Provide a working “sign in with Antara” path plus one clear pattern for subsequent authenticated calls (or the closest idiomatic equivalent for this stack), with code that matches local style, lint rules, and existing patterns.

If a requested shortcut would violate the server-side exchange rule or secret-handling rule above, refuse that shortcut, implement the secure variant, and leave a short comment for maintainers.

Start integrating

Read the full API documentation and build your first integration.
