For Developers¶
Use this section if you are adding SigID to an application, backend API, webhook receiver, or agent/MCP integration.
What SigID Is¶
SigID is the identity and account-security service your app uses instead of building login, sessions, consent, recovery, SSO, and token issuing yourself.
Your app sends users to SigID for sign-in. SigID checks the user, then sends the user back to your app with a result your code can handle. Your backend then trusts only validated SigID tokens, not frontend guesses about who the user is.
How Your App Uses SigID¶
- 1Get app settingsAsk the workspace owner for issuer URL, client ID, redirect URL, scopes, audience, and tenant or workspace ID.
- 2Add hosted loginUse the SDK to send users to SigID and handle the callback when SigID sends them back.
- 3Create an app sessionStore only the session data your app needs and support logout.
- 4Validate access tokens on the backendCheck issuer, audience, tenant, expiry, scopes, signature, and subject type before serving protected data.
- 5Protect each API boundaryDo not rely on hidden buttons or frontend state. Enforce access in backend code.
- 6Add webhooks or agent auth only when neededUse signed webhooks for async events and scoped principals for agents or MCP servers.
Choose The Right Page¶
| What you want to build | Read this |
|---|---|
| Add sign-in to your app | Add Login To Your App |
| Check that SigID tokens are valid | Verify Access Tokens |
| Protect backend routes and resources | Protect Backend APIs |
| Pick the right package or example | SDKs And Examples |
| Receive events from SigID | Receive Webhooks |
| Protect agents, tools, or MCP servers | Agent And MCP Auth |
Start With A Quickstart¶
| What you have | Start here | You finish with |
|---|---|---|
| Next.js App Router app | Next.js Quickstart | Hosted login, callback, protected page, and protected API route |
| React browser app | React SPA Quickstart | Hosted login, callback, session UI, logout, and backend token handoff |
| Existing backend API | Backend API Quickstart | Bearer-token validation with tenant, audience, scope, and subject checks |
| You want to see it running first | Run The Example App | Local SDK Lab app and quality gate |
If you are not sure which one to choose, use Next.js Quickstart.
Use Reference when you need exact OAuth parameters, claims, scopes, API shapes, event names, error formats, or security model details.