---
summary: Reference SigID product surfaces, authentication methods, tenant administration capabilities, agent workflows, webhooks, and operational controls.
tags:
  - product reference
  - identity
  - oauth
  - agents
  - webhooks
categories:
  - Reference
---

# Product Reference

<!-- agent:page
You are an AI agent using this reference to map SigID product surfaces and capabilities while answering questions or planning an integration.
- Treat this page as the authoritative capability map: surfaces, sign-in methods, OAuth/OIDC endpoints, machine and agent credentials, admin areas, and event categories.
- Quote endpoints, scopes, and table entries exactly as written; do not invent capabilities that are not listed here.
- Availability is conditional: anything in the "Optional or deployment-dependent" row must be confirmed in the target deployment before you recommend it.
- For procedures, route to the linked guides (Add SigID Login, Verify Tokens, Webhook Events, Agent And MCP Auth); this page tells you what exists, not how to wire it.
- Preserve the Security Defaults list when advising configuration; never suggest weakening a default without flagging the deviation for review.
- For exact request and response schemas, defer to the deployment's OpenAPI document when it is enabled.
-->

Use this page as a quick reference for SigID product surfaces and capabilities.
It is for architecture review, product evaluation, and finding the right guide.
For first-task guidance, use For Individuals, For Business, or For Developers.
For exact request and response schemas, use the deployment's OpenAPI document
when it is enabled.

Feature availability depends on deployment configuration, tenant settings,
organization policy, and plan limits.

## On This Page

- [Capability Availability](#capability-availability)
- [Product Surfaces](#product-surfaces)
- [End-User Sign-In Methods](#supported-authentication-methods)
- [OAuth, OIDC, And Discovery Capabilities](#oauth-capabilities)
- [Machine, Agent, And API Credentials](#machine-agent-and-api-credentials)
- [Tenant Administration Areas](#tenant-administration-areas)
- [Deployment And Feature Availability](#deployment-and-feature-availability)

## Capability Availability

<!-- agent:action Confirm capability availability
Before recommending or building against a capability on this page:
- locate it in the availability table and note its tier
- if it is "Optional or deployment-dependent", verify it in the target deployment (discovery metadata, OpenAPI document, or Dashboard) before depending on it
- confirm exact endpoints, enabled grant types, sign-in methods, event types, and plan limits in the deployment rather than assuming the lists here are exhaustive
-->

Use this reference as a map, not as a promise that every deployment exposes
every capability. Confirm availability in the target deployment before building
against a specific feature.

| Availability | Capabilities |
|---|---|
| Core integration path | Hosted login, OAuth/OIDC discovery, Authorization Code with PKCE, token validation, tenants, applications, TypeScript SDKs, backend API protection |
| Common business configuration | Users, login methods, organizations, SSO routing, roles, audit review, webhooks, production configuration |
| Optional or deployment-dependent | SCIM, CIBA, Dynamic Client Registration, DPoP enforcement, wallet signing, vault grants, billing/commerce, agent registration, MCP/tool authorization |
| Verify in deployment | Exact endpoints, enabled grant types, supported sign-in methods, event types, SDK publication status, plan limits, and OpenAPI availability |

## Product Surfaces

| Surface | Used by | Purpose |
|---|---|---|
| Hosted auth | End users and applications | Sign-in, recovery, MFA, SSO routing, consent, and OAuth redirects |
| Identity portal | End users | Profile, authenticators, sessions, app permissions, linked sign-in providers, delegations, and account security |
| Dashboard | Tenant administrators and platform teams | Applications, users, organizations, SSO, authorization policies, webhooks, billing, and audit review |
| APIs | Developers and admin systems | Integration, automation, provisioning, management, and protocol flows |
| CLI | Agent builders and operators | Local agent keys, registration, challenge-response authentication, signing, and key lifecycle |
| Webhooks | Backend systems | Signed asynchronous event delivery |
| Audit logs | Administrators and operators | Investigation, compliance review, and operational history |
| Docs | Developers, admins, operators, and users | Product guidance, implementation guidance, and reference material |

## End-User Sign-In Methods {#supported-authentication-methods}

These are user-facing sign-in or guest-access methods. Tenant feature flags,
Dashboard configuration, organization policy, and deployment configuration
determine which methods appear in a given environment.

| Method | Use | Availability |
|---|---|---|
| Email and password | Broad compatibility through hosted OAuth login | Deployment and tenant dependent |
| Passkeys and WebAuthn | Phishing-resistant hosted OAuth sign-in | Deployment and tenant dependent |
| Social OAuth | Federated consumer or developer login | Deployment and provider dependent |
| Enterprise OIDC SSO | Organization-managed sign-in and routing | Per organization |

Direct human sign-in APIs are not exposed. Browser and native applications start
interactive human sign-in through hosted OAuth authorization requests.

Machine credentials, API keys, token exchange, and agent challenge-response are
not end-user sign-in methods. They are listed under
[Machine, Agent, And API Credentials](#machine-agent-and-api-credentials).

## MFA, Recovery, And Session Controls

| Capability | Purpose |
|---|---|
| TOTP authenticator app | Time-based codes for second-factor authentication |
| Backup codes | One-time recovery codes for MFA loss |
| WebAuthn security keys | Hardware security keys as a second factor |
| Trusted devices | Remember a device for a bounded period when policy allows it |
| Known devices | Review and remove remembered devices |
| Login history | Review recent sign-in activity, location, method, and risk signals |
| Active sessions | Review or revoke user sessions |
| Social recovery | Guardian-based account recovery when configured |
| Adaptive MFA | Step-up prompts based on risk signals and tenant policy |

## OAuth, OIDC, And Discovery Capabilities {#oauth-capabilities}

| Capability | Spec or standard | Endpoint or mechanism |
|---|---|---|
| Authorization Code with PKCE | OAuth 2.0, PKCE | `GET /oauth/authorize`, `POST /oauth/token` |
| Client Credentials | OAuth 2.0 | `POST /oauth/token` |
| Refresh Token | OAuth 2.0 | `POST /oauth/token` |
| Token Exchange | RFC 8693 | `POST /oauth/token` |
| Device Authorization | RFC 8628 | `POST /oauth/device/code`, `POST /oauth/token`, `GET /oauth/device/verify` |
| Pushed Authorization Requests | RFC 9126 | `POST /oauth/par`, then `/oauth/authorize?request_uri=...` |
| Rich Authorization Requests | RFC 9396 | `authorization_details` on authorization requests and token responses |
| CIBA Backchannel Authentication | OpenID CIBA | `POST /bc-authorize`, `GET /api/v1/identity/ciba/requests`, approve/deny request endpoints, then `POST /oauth/token` |
| ACR values | OpenID Connect Core | `acr_values` on authorization requests |
| OIDC claims parameter | OpenID Connect Core | `claims` on authorization requests |
| DPoP | RFC 9449 | `DPoP` proof headers and sender-constrained tokens |
| Revocation | RFC 7009 | `POST /oauth/revoke` |
| Introspection | RFC 7662 | `POST /oauth/introspect` |
| OIDC discovery | OpenID Connect Discovery | `GET /.well-known/openid-configuration` |
| JWKS | JOSE / JWK | `GET /.well-known/jwks.json` |
| UserInfo | OpenID Connect Core | `GET /userinfo` |
| RP-initiated logout | OpenID Connect RP-Initiated Logout | `GET or POST /oauth/end-session` |
| Dynamic Client Registration | RFC 7591 / RFC 7592 | `POST /oauth/register`, when enabled |
| OAuth protected resource metadata | RFC 9728 | `GET /.well-known/oauth-protected-resource` |
| OpenAPI JSON | OpenAPI | `GET /openapi.json`, when the OpenAPI router is enabled |

Some deployments expose an interactive OpenAPI UI from the OpenAPI router. Use
the deployment's documented docs URL instead of assuming a fixed path.

## Machine, Agent, And API Credentials

| Capability | Use |
|---|---|
| Client credentials | Service clients acting as themselves |
| API keys | User-owned automation credentials where API key authentication is configured |
| Token exchange | Mint reduced delegated tokens after policy checks |
| Agent challenge-response | Agent authentication with signed challenges and registered keys, when agent identity is enabled |
| Agent anchors | External or cryptographic identity anchors, when configured |
| Hosted agent DID documents | Hosted `did:web` documents for deployments that enable hosted agent DID support |

## Tenant Administration Areas

| Area | Typical tasks | Programmatic surface |
|---|---|---|
| Applications | Configure OAuth clients, redirect URIs, origins, grant types, scopes, and secrets | Dashboard and API |
| Tenant users | Invite, pre-provision, update, suspend, reactivate, or remove tenant memberships | Dashboard and API |
| Roles and scopes | Define authorization bundles and API permissions | Dashboard and API |
| Policies | Apply conditional access and authorization rules | Dashboard and API |
| Organizations | Create workspaces, manage members and owners, switch active organization | Dashboard and API |
| SSO | Configure enterprise OIDC providers and verified-domain routing | Dashboard and API |
| SCIM | Provision and deprovision users from a directory provider | SCIM API and Dashboard configuration where enabled |
| Agents | Register agents, anchors, keys, and delegations | Identity portal, API, and CLI where enabled |
| Vault | Store third-party credentials and manage grants | API and Dashboard where enabled |
| Wallets | Provision wallets, control signing, budgets, freeze state, and transaction history | Identity portal and API where enabled |
| Webhooks | Subscribe to events, rotate secrets, test deliveries, inspect delivery status | Dashboard and API |
| Billing | Manage checkout, portal, credits, usage, plan limits, and invoices | Dashboard and API |
| Audit logs | Review security and administrative activity | Dashboard and API |
| Control plane | Manage platform settings and tenant-level configuration | API and operator surfaces |

## Organizations, SSO, And SCIM

| Capability | Purpose |
|---|---|
| Organizations | Model business accounts, customer workspaces, departments, or teams inside a tenant |
| Organization members | Assign users to organizations with organization-specific roles |
| Active organization | Carry selected organization context in sessions and authorization decisions |
| Verified domains | Route users based on email domain and organization policy |
| Enterprise OIDC SSO | Authenticate users through an organization's identity provider |
| SSO check | Determine whether an email should be routed to an organization SSO provider |
| SCIM Users | Create, update, suspend, and remove tenant users through `/scim/v2/Users` |
| SCIM metadata | Publish `/scim/v2/ServiceProviderConfig`, `/scim/v2/Schemas`, and `/scim/v2/ResourceTypes` |

## Agent, Wallet, And Vault Capabilities

| Capability | Purpose |
|---|---|
| Agent identities | First-class software principals with IDs, owners, anchors, capabilities, and status |
| Agent keys | Registered cryptographic keys for challenge-response authentication and key rotation |
| Verification flags | Key ownership, proof-of-work, DID, ERC-8004, reputation, and owner verification signals |
| Delegations | Scoped authority for one subject to act for another subject after policy checks |
| Wallet models | Deployment-supported wallet custody and execution models |
| Signing backends | Deployment-supported signing backends |
| Wallet controls | Per-transaction, daily, monthly, recipient, and contract controls where configured |
| Wallet operations | Provision, sign, freeze, unfreeze, inspect budget, and list transactions |
| Vault credentials | Store third-party credentials and tokens without exposing raw secrets to every caller |
| Vault grants | Give selected subjects limited access to stored credentials |

## Events, Webhooks, And Audit Categories

For concrete event type strings and subscription guidance, see
[Webhook Events](webhook-events.md).

| Category | Examples |
|---|---|
| Authentication | Login, logout, token issue, token revocation |
| MFA and risk | MFA challenge, MFA verification, adaptive MFA |
| Tenant users | Pre-provisioning, invitation, activation, suspension, reactivation, removal |
| Administration | User, application, agent, delegation, key, role, policy, and configuration changes |
| Organizations | Domains, members, owner-role protection, role changes, SSO, and SCIM |
| Vault | Credential and grant lifecycle |
| Wallet | Signing, rejection, budget exceedance, freeze, unfreeze, transaction history |
| Chain | Ownership, reputation, and metadata changes |
| Commerce | Checkout, payment, refund, settlement, credits, and usage |
| Security | Brute force, refresh token reuse, suspicious activity, and high-risk changes |

## Deployment And Feature Availability

Feature availability is not identical across every deployment.

| Dependency | Examples |
|---|---|
| Deployment configuration | OpenAPI router, phone delivery for MFA, email delivery, captcha, HIBP checks |
| Platform settings | Dynamic Client Registration, tenant lifecycle controls, global protocol policy |
| Tenant configuration | Login methods, application grant types, redirect URIs, SSO routing, branding, webhooks |
| Organization policy | Enterprise SSO, domain verification, SCIM provisioning, organization role mapping |
| Infrastructure | KMS/HSM/TSS signing, wallet support, email/SMS providers, databases, queues, cache backends |
| Billing or plan limits | Agent limits, webhook quotas, wallet signing operations, SCIM operations, usage alerts |

Verify feature availability in the target deployment before building an
integration that depends on a specific capability.

## Security Defaults

Preserve these defaults unless you have a reviewed reason to change them:

- exact redirect URI matching
- HTTPS in production
- Authorization Code with PKCE for browser, mobile, desktop, and other public clients
- MFA for tenant, organization, and platform administrators
- narrow scopes and least-privilege role assignments
- issuer, audience, signature, expiration, tenant, subject type, and scope validation
- tenant-local subjects, with pairwise identifiers for eligible third-party human or agent tokens
- client secrets, webhook secrets, SCIM tokens, API keys, and refresh tokens stored in a secret manager
- signed webhooks with timestamp checks and delivery deduplication
- DPoP sender constraints when required by the application or resource server
- short-lived delegated agent access with revocation paths
- audit review for high-impact changes

## Related Pages

| Need | Read |
|---|---|
| Understand the product | [Docs Home](../index.md) |
| Sign in or manage an account | [For Individuals](../individuals/index.md) |
| Prepare a workspace | [Launch Your Workspace](../business/launch-workspace.md) |
| Add login to an app | [Add SigID Login](../developers/add-login.md) |
| Build OAuth integrations | [OAuth And OIDC](oauth-oidc.md) |
| Validate API tokens | [Verify Tokens](../developers/verify-tokens.md) |
| Choose APIs and SDKs | [API And SDK Reference](api-sdk-reference.md) |
| Register and authenticate agents | [Agent And MCP Auth](../developers/agents-mcp.md) |
| Handle webhook events | [Webhook Events](webhook-events.md) |
| Triage integration issues | [Troubleshooting](troubleshooting.md) |
| Look up terminology | [Glossary](glossary.md) |

## Source

The public source repository is
[`sig-id/sigid`](https://github.com/sig-id/sigid).
