Back to home

Integrate the SSO

Four steps to delegate your application's authentication to x-core.

  1. 1

    Register your callback

    Declare your application's redirect URI once with an HMAC-signed request. It is bound to your HMAC identity and never travels in the browser.

    POST /api/v1/sso/consumer/callback
  2. 2

    Redirect to the login screen

    Send the user to the authorize screen with your consumer id and a state you generate.

    GET /authorize?consumer=<id>&state=<state>
  3. 3

    Receive the authorization code

    Once the user signs in, x-core redirects back to your callback with a single-use code and your state.

    <callback>?code=<code>&state=<state>
  4. 4

    Exchange it for a session

    Exchange the code (HMAC-signed) for the user identity and tokens, then refresh or revoke them as needed.

    POST /api/v1/sso/consumer/token