# self.surf

> self.surf is a free, hosted AT Protocol PDS (Personal Data Server) that lets allowlisted apps create and authenticate user accounts via passwordless email OTP — no passwords, no redirects, no invite codes.

Operated by ATTPS Labs Limited. Contact: hello@attpslabs.com

## What it does

self.surf runs ePDS, a passwordless authentication layer built on the official AT Protocol PDS. Developers register their app, receive an API key, and use a two-step backend flow to create accounts and log users in using email one-time passwords. The .self.surf domain is abstracted away so end-users see only their handle within the app.

## Who it's for

- Developers building apps on AT Protocol who want seamless, in-app account creation without redirecting users to an OAuth page or another site.
- Currently used by Linkname (linkna.me).

## Architecture

```
User -> your app -> your backend -> auth.self.surf (ePDS)
Internet -> Cloudflare Tunnel -> ePDS auth-service (OTP + login) -> ePDS pds-core (AT Protocol)
```

- API key is stored backend-only (never client-side)
- User email is kept private on the server
- Public AT Protocol data is accessible via federation
- PDS hosted in the European Union

## API

All requests require an `x-api-key` header.
Base URL: `https://auth.self.surf`

### Send OTP

```
POST /_internal/otp/send
Content-Type: application/json
x-api-key: YOUR_API_KEY

{
  "email": "alice@example.com",
  "purpose": "signup" // or "login"
}
```

### Verify OTP

```
POST /_internal/otp/verify
Content-Type: application/json
x-api-key: YOUR_API_KEY

{
  "email": "alice@example.com",
  "otp": "12345678",
  "purpose": "signup", // or "login"
  "handle": "alice" // required for signup only
}

Response: { did, handle, accessJwt, refreshJwt, created: true }
```

### Health check

```
GET https://self.surf/xrpc/_health

Response: { "version": "0.4.x" }
```

## Environment variables for integrating apps

| Variable       | Where        | Value                    |
|----------------|--------------|--------------------------|
| EPDS_API_KEY   | Backend only | Your API key (secret)    |
| EPDS_AUTH_URL  | Backend      | https://auth.self.surf   |

## Getting an API key

Contact the self.surf operator at hello@attpslabs.com to register your app and receive an API key.

## Key facts

- Free to use
- Passwordless (email OTP only, no passwords)
- Full AT Protocol compatibility and federation
- Invite codes handled internally — apps never need the PDS admin password
- Accounts are portable — users can migrate to another PDS at any time
- 18+ only (per Terms of Service, but only for safe for work (SFW) services/apps)

## Links

- Website: https://self.surf
- Docs (includes FAQ): https://self.surf/docs
- Motivation: https://self.surf/motivation
- Apps: https://self.surf/apps
- Legal: https://self.surf/legal
- Frontend source: https://tangled.org/attpslabs.com/self.surf
- ePDS source: https://github.com/attpslabs/ePDS
- Status: https://selfsurf.hyperping.app/
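
A backend-side request builder for the two-step Send OTP / Verify OTP flow in the API section, added here as an example; it is not code from self.surf or the ePDS project. The function names are hypothetical, and the checks (handle sent only on signup, OTP kept as a string) are read from the request examples on this page.

```python
import json
import os
import urllib.request

# Base URL and paths come from the API section of this page.
AUTH_URL = os.environ.get("EPDS_AUTH_URL", "https://auth.self.surf")
PURPOSES = ("signup", "login")


def build_request(path, body, api_key):
    """Build (without sending) a JSON POST carrying the backend-only key."""
    if not api_key:
        raise ValueError("EPDS_API_KEY is not set")
    if body.get("purpose") not in PURPOSES:
        raise ValueError("purpose must be 'signup' or 'login'")
    return urllib.request.Request(
        AUTH_URL + path,
        data=json.dumps(body).encode("utf-8"),  # strict JSON, no // comments
        headers={"Content-Type": "application/json", "x-api-key": api_key},
        method="POST",
    )


def build_send(email, purpose, api_key):
    return build_request("/_internal/otp/send",
                         {"email": email, "purpose": purpose}, api_key)


def build_verify(email, otp, purpose, api_key, handle=None):
    if not isinstance(otp, str):
        # The page shows the OTP as a string; an int would lose leading zeros.
        raise TypeError("otp must be a string")
    body = {"email": email, "otp": otp, "purpose": purpose}
    if purpose == "signup":
        if not handle:
            raise ValueError("handle is required for signup")
        body["handle"] = handle
    elif handle is not None:
        # Choice made in this example: refuse a handle on login rather
        # than send a field the page lists as signup-only.
        raise ValueError("handle is only sent for signup")
    return build_request("/_internal/otp/verify", body, api_key)


def call(req, timeout=10):
    """Send a built request and decode the JSON reply (needs network access)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

On the backend, pass `os.environ["EPDS_API_KEY"]` as `api_key` and hand the built request to `call()`; the key never appears in anything returned to the client.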