---
title: "Autheona Concepts"
description: "Understand Autheona core concepts including accounts, projects, production vs sandbox environments, API quota management, access tokens, and validation rules for effective intelligent verification implementation."
keywords: "autheona concepts, account structure, project management, sandbox vs production, api quota, access tokens, validation rules, email validation concepts, autheona architecture"

robots: index, follow
permalink: /docs/getting-started/concepts/

order: 2
category: Getting Started

layout: docs.html
---

# Autheona Concepts

Understanding how Autheona works will help you structure your integration correctly.

## Accounts and Projects

An **account** is your Autheona workspace. It contains:

- API call quota (shared across all projects)
- Billing settings
- Usage analytics

A **project** represents a single application or product. Each project has:

- Unique access token
- Custom validation rules
- Individual analytics

## Account Structure Options

Choose based on your setup:

**Option 1: One account per project**

- Best for large applications with a significant user base
- Dedicated quota per application
- Clear separation of billing and analytics

**Option 2: One account for multiple projects**

- Best for solo founders building multiple products
- Share API quota across all projects
- Single billing relationship

## Production vs Sandbox Projects

**Production Projects**

- Count toward your API call quota
- Used for live traffic
- Real validation and analytics

**Sandbox Projects**

- Do not count toward quota
- Used for testing and development
- No limits on number of sandbox projects

## API Call Quota

Your quota is account-level, not project-level. If you have 10,000 calls per month:

- You can use all 10,000 on one project
- Or split them across multiple projects
- Overages are billed at your plan rate
- No service interruption when exceeding quota

## Access Tokens

Each project has a unique access token:

- Keep tokens secure (server-side only)
- Rotate tokens if compromised
- Never expose tokens in frontend code
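
A pre-deploy check for the last rule, added here as an example (not Autheona's own code): it scans a frontend build directory for any project's token, raw or base64-encoded, and reports the project name without printing the token. The `AUTHEONA_TOKEN_<PROJECT>` variable naming and the token values are assumptions constructed for the example.

```python
import base64
import os
import tempfile
from pathlib import Path

ENV_PREFIX = "AUTHEONA_TOKEN_"  # assumed naming convention, not defined by Autheona

def load_project_tokens(environ=os.environ):
    """Collect one token per project from variables such as AUTHEONA_TOKEN_SHOP_PROD."""
    return {
        name[len(ENV_PREFIX):].lower(): value
        for name, value in environ.items()
        if name.startswith(ENV_PREFIX) and value
    }

def needles(token):
    """The token as raw bytes plus its base64 form (padding stripped to match both styles)."""
    raw = token.encode()
    return {raw, base64.b64encode(raw).rstrip(b"=")}

def scan_build(build_dir, tokens):
    """Return sorted (relative_path, project) pairs for every file that contains a token."""
    findings = []
    for path in Path(build_dir).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for project, token in tokens.items():
            if any(n in data for n in needles(token)):
                findings.append((path.relative_to(build_dir).as_posix(), project))
    return sorted(findings)

def demo():
    """Constructed build tree: one bundle leaks the sandbox token, one file is clean."""
    tokens = load_project_tokens({
        "AUTHEONA_TOKEN_SHOP_PROD": "constructed-prod-token-0001",
        "AUTHEONA_TOKEN_SHOP_SANDBOX": "constructed-sandbox-token-0002",
    })
    with tempfile.TemporaryDirectory() as build:
        root = Path(build)
        (root / "assets").mkdir()
        (root / "assets" / "app.js").write_text('k="constructed-sandbox-token-0002"')
        (root / "index.html").write_text("<script src=assets/app.js></script>")
        return scan_build(root, tokens)

if __name__ == "__main__":
    for rel_path, project in demo():
        # Report the project name only; never echo the token into CI logs.
        print(f"token for project '{project}' found in {rel_path}")
```

Run it in CI against the real build output with `scan_build("dist", load_project_tokens())` and fail the job when the result is non-empty.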

## Validation Rules

Rules are configured per project:

- Block disposable domains
- Require specific domain types
- Set custom risk thresholds
- Enable or disable specific checks

This lets you have strict rules for one project and relaxed rules for another.
