- 1
Register your callback
Declare your application's redirect URI once with an HMAC-signed request. It is bound to your HMAC identity and never travels in the browser.
POST /api/v1/sso/consumer/callback - 2
Redirect to the login screen
Send the user to the authorize screen with your consumer id and a state you generate.
GET /authorize?consumer=<id>&state=<state> - 3
Receive the authorization code
Once the user signs in, x-core redirects back to your callback with a single-use code and your state.
<callback>?code=<code>&state=<state> - 4
Exchange it for a session
Exchange the code (HMAC-signed) for the user identity and tokens, then refresh or revoke them as needed.
POST /api/v1/sso/consumer/token