Skip to content

Add Login To Your App

Use this page when you need a button or route in your app that signs users in with SigID.

Do this with the SDK first. You can read raw OAuth/OIDC details later if you need full protocol control.

If you want a copyable framework path, start with one of these first:

What You Are Building

Your app needs four pieces:

  1. A sign-in action that sends the user to SigID.
  2. A callback route where SigID sends the user back.
  3. A local app session after the callback succeeds.
  4. A logout action that clears the app session and signs out when needed.

Values You Need

Ask the workspace owner for values from the same environment:

Value Example
Issuer URL https://identity.example.com
Client ID public-client-id
Redirect URI https://app.example.com/auth/callback
Scopes openid profile email
API audience https://api.example.com
Tenant or workspace ID tenant_123

Do not mix staging issuer values with production redirect URLs.

Browser SDK Path

Install the framework-agnostic client:

npm install @sigid/client

Create a client:

import { createSigIdClient } from "@sigid/client";

export const sigid = createSigIdClient({
  baseURL: "https://identity.example.com",
  oauth: {
    clientId: "public-client-id",
    redirectUri: `${window.location.origin}/auth/callback`,
    scopes: ["openid", "profile", "email"],
  },
});

Start hosted login from a button or route action:

await sigid.login({ returnTo: "/dashboard" });

On the callback page or callback route:

const session = await sigid.handleCallback();

On logout:

await sigid.logout();

The SDK keeps PKCE, state validation, callback parsing, hosted logout, and local session cleanup together.

Make It Complete

Before this is ready for users, confirm:

  • the Dashboard application has exact callback, logout, web-origin, and CORS values for the same environment
  • the app has a callback route that completes the SDK callback
  • the app has a signed-in state and signed-out state
  • the callback route shows a readable error and retry path
  • logout returns the user to a safe signed-out screen
  • backend APIs validate access tokens instead of trusting frontend session state

After Login Works

Continue in this order:

  1. Verify Access Tokens
  2. Protect Backend APIs
  3. Receive Webhooks, if the app needs async events
  4. Reference: OAuth And OIDC, if you need raw OAuth/OIDC parameters