---
summary: Plain-language developer guide explaining what SigID is, how an app uses it, and the order for adding login, token validation, APIs, webhooks, and agent auth.
tags:
  - developers
  - oauth
  - sdks
  - apis
categories:
  - For Developers
---

# For Developers

<!-- agent:page
You are a coding agent integrating SigID into the user's codebase by following this guide end to end. SigID is the hosted identity service: the app sends users to SigID for sign-in, handles the callback, and the backend trusts only validated SigID tokens.
Before writing code, collect from the user or workspace admin: issuer URL, client ID, redirect URL, scopes, API audience, and tenant or workspace ID.
Then follow this order:
- add hosted login via the SDK and handle the callback
- create an app session and support logout
- validate access tokens on the backend (issuer, audience, tenant, expiry, scopes, signature, subject type)
- enforce access at every API boundary in backend code, never via hidden buttons or frontend state
- add webhooks or agent/MCP auth only if the product needs them
Pick the matching guide from this page's tables: quickstart-nextjs.md for Next.js App Router, quickstart-react-spa.md for a browser React app, quickstart-backend-api.md for an existing backend API, run-example-app.md to see it running first. Default to the Next.js quickstart if unsure.
Adapt file paths to the user's project layout and do not blindly overwrite existing auth code.
-->

Use this section if you are adding SigID to an application, backend API, webhook
receiver, or agent/MCP integration.

## What SigID Is

SigID is the identity and account-security service your app uses instead of
building login, sessions, consent, recovery, SSO, and token issuing yourself.

Your app sends users to SigID for sign-in. SigID checks the user, then sends the
user back to your app with a result your code can handle. Your backend then
trusts only validated SigID tokens, not frontend guesses about who the user is.

## How Your App Uses SigID

<ol class="sigid-path-steps sigid-path-steps--wide">
  <li><span>1</span><strong>Get app settings</strong><small>Ask the workspace owner for issuer URL, client ID, redirect URL, scopes, audience, and tenant or workspace ID.</small></li>
  <li><span>2</span><strong>Add hosted login</strong><small>Use the SDK to send users to SigID and handle the callback when SigID sends them back.</small></li>
  <li><span>3</span><strong>Create an app session</strong><small>Store only the session data your app needs and support logout.</small></li>
  <li><span>4</span><strong>Validate access tokens on the backend</strong><small>Check issuer, audience, tenant, expiry, scopes, signature, and subject type before serving protected data.</small></li>
  <li><span>5</span><strong>Protect each API boundary</strong><small>Do not rely on hidden buttons or frontend state. Enforce access in backend code.</small></li>
  <li><span>6</span><strong>Add webhooks or agent auth only when needed</strong><small>Use signed webhooks for async events and scoped principals for agents or MCP servers.</small></li>
</ol>

## Choose The Right Page

| What you want to build | Read this |
|---|---|
| Add sign-in to your app | [Add Login To Your App](add-login.md) |
| Check that SigID tokens are valid | [Verify Access Tokens](verify-tokens.md) |
| Protect backend routes and resources | [Protect Backend APIs](protect-apis.md) |
| Pick the right package or example | [SDKs And Examples](sdks-examples.md) |
| Receive events from SigID | [Receive Webhooks](webhooks.md) |
| Protect agents, tools, or MCP servers | [Agent And MCP Auth](agents-mcp.md) |

## Start With A Quickstart

| What you have | Start here | You finish with |
|---|---|---|
| Next.js App Router app | [Next.js Quickstart](quickstart-nextjs.md) | Hosted login, callback, protected page, and protected API route |
| React browser app | [React SPA Quickstart](quickstart-react-spa.md) | Hosted login, callback, session UI, logout, and backend token handoff |
| Existing backend API | [Backend API Quickstart](quickstart-backend-api.md) | Bearer-token validation with tenant, audience, scope, and subject checks |
| You want to see it running first | [Run The Example App](run-example-app.md) | Local SDK Lab app and quality gate |

If you are not sure which one to choose, use [Next.js Quickstart](quickstart-nextjs.md).

Use [Reference](../reference/product-reference.md) when you need exact OAuth
parameters, claims, scopes, API shapes, event names, error formats, or security
model details.
