Product Reference¶
Use this page as a quick reference for SigID product surfaces and capabilities. It is for architecture review, product evaluation, and finding the right guide. For first-task guidance, use For Individuals, For Business, or For Developers. For exact request and response schemas, use the deployment's OpenAPI document when it is enabled.
Feature availability depends on deployment configuration, tenant settings, organization policy, and plan limits.
On This Page¶
- Capability Availability
- Product Surfaces
- End-User Sign-In Methods
- OAuth, OIDC, And Discovery Capabilities
- Machine, Agent, And API Credentials
- Tenant Administration Areas
- Deployment And Feature Availability
Capability Availability¶
Use this reference as a map, not as a promise that every deployment exposes every capability. Confirm availability in the target deployment before building against a specific feature.
| Availability | Capabilities |
|---|---|
| Core integration path | Hosted login, OAuth/OIDC discovery, Authorization Code with PKCE, token validation, tenants, applications, TypeScript SDKs, backend API protection |
| Common business configuration | Users, login methods, organizations, SSO routing, roles, audit review, webhooks, production configuration |
| Optional or deployment-dependent | SCIM, CIBA, Dynamic Client Registration, DPoP enforcement, wallet signing, vault grants, billing/commerce, agent registration, MCP/tool authorization |
| Verify in deployment | Exact endpoints, enabled grant types, supported sign-in methods, event types, SDK publication status, plan limits, and OpenAPI availability |
Product Surfaces¶
| Surface | Used by | Purpose |
|---|---|---|
| Hosted auth | End users and applications | Sign-in, recovery, MFA, SSO routing, consent, and OAuth redirects |
| Identity portal | End users | Profile, authenticators, sessions, app permissions, linked sign-in providers, delegations, and account security |
| Dashboard | Tenant administrators and platform teams | Applications, users, organizations, SSO, authorization policies, webhooks, billing, and audit review |
| APIs | Developers and admin systems | Integration, automation, provisioning, management, and protocol flows |
| CLI | Agent builders and operators | Local agent keys, registration, challenge-response authentication, signing, and key lifecycle |
| Webhooks | Backend systems | Signed asynchronous event delivery |
| Audit logs | Administrators and operators | Investigation, compliance review, and operational history |
| Docs | Developers, admins, operators, and users | Product guidance, implementation guidance, and reference material |
End-User Sign-In Methods¶
These are user-facing sign-in or guest-access methods. Tenant feature flags, Dashboard configuration, organization policy, and deployment configuration determine which methods appear in a given environment.
| Method | Use | Availability |
|---|---|---|
| Email and password | Broad compatibility through hosted OAuth login | Deployment and tenant dependent |
| Passkeys and WebAuthn | Phishing-resistant hosted OAuth sign-in | Deployment and tenant dependent |
| Social OAuth | Federated consumer or developer login | Deployment and provider dependent |
| Enterprise OIDC SSO | Organization-managed sign-in and routing | Per organization |
Direct human sign-in APIs are not exposed. Browser and native applications start interactive human sign-in through hosted OAuth authorization requests.
Machine credentials, API keys, token exchange, and agent challenge-response are not end-user sign-in methods. They are listed under Machine, Agent, And API Credentials.
MFA, Recovery, And Session Controls¶
| Capability | Purpose |
|---|---|
| TOTP authenticator app | Time-based codes for second-factor authentication |
| Backup codes | One-time recovery codes for MFA loss |
| WebAuthn security keys | Hardware security keys as a second factor |
| Trusted devices | Remember a device for a bounded period when policy allows it |
| Known devices | Review and remove remembered devices |
| Login history | Review recent sign-in activity, location, method, and risk signals |
| Active sessions | Review or revoke user sessions |
| Social recovery | Guardian-based account recovery when configured |
| Adaptive MFA | Step-up prompts based on risk signals and tenant policy |
OAuth, OIDC, And Discovery Capabilities¶
| Capability | Spec or standard | Endpoint or mechanism |
|---|---|---|
| Authorization Code with PKCE | OAuth 2.0, PKCE | GET /oauth/authorize, POST /oauth/token |
| Client Credentials | OAuth 2.0 | POST /oauth/token |
| Refresh Token | OAuth 2.0 | POST /oauth/token |
| Token Exchange | RFC 8693 | POST /oauth/token |
| Device Authorization | RFC 8628 | POST /oauth/device/code, POST /oauth/token, GET /oauth/device/verify |
| Pushed Authorization Requests | RFC 9126 | POST /oauth/par, then /oauth/authorize?request_uri=... |
| Rich Authorization Requests | RFC 9396 | authorization_details on authorization requests and token responses |
| CIBA Backchannel Authentication | OpenID CIBA | POST /bc-authorize, GET /api/v1/identity/ciba/requests, approve/deny request endpoints, then POST /oauth/token |
| ACR values | OpenID Connect Core | acr_values on authorization requests |
| OIDC claims parameter | OpenID Connect Core | claims on authorization requests |
| DPoP | RFC 9449 | DPoP proof headers and sender-constrained tokens |
| Revocation | RFC 7009 | POST /oauth/revoke |
| Introspection | RFC 7662 | POST /oauth/introspect |
| OIDC discovery | OpenID Connect Discovery | GET /.well-known/openid-configuration |
| JWKS | JOSE / JWK | GET /.well-known/jwks.json |
| UserInfo | OpenID Connect Core | GET /userinfo |
| RP-initiated logout | OpenID Connect RP-Initiated Logout | GET or POST /oauth/end-session |
| Dynamic Client Registration | RFC 7591 / RFC 7592 | POST /oauth/register, when enabled |
| OAuth protected resource metadata | RFC 9728 | GET /.well-known/oauth-protected-resource |
| OpenAPI JSON | OpenAPI | GET /openapi.json, when the OpenAPI router is enabled |
Some deployments expose an interactive OpenAPI UI from the OpenAPI router. Use the deployment's documented docs URL instead of assuming a fixed path.
Machine, Agent, And API Credentials¶
| Capability | Use |
|---|---|
| Client credentials | Service clients acting as themselves |
| API keys | User-owned automation credentials where API key authentication is configured |
| Token exchange | Mint reduced delegated tokens after policy checks |
| Agent challenge-response | Agent authentication with signed challenges and registered keys, when agent identity is enabled |
| Agent anchors | External or cryptographic identity anchors, when configured |
| Hosted agent DID documents | Hosted did:web documents for deployments that enable hosted agent DID support |
Tenant Administration Areas¶
| Area | Typical tasks | Programmatic surface |
|---|---|---|
| Applications | Configure OAuth clients, redirect URIs, origins, grant types, scopes, and secrets | Dashboard and API |
| Tenant users | Invite, pre-provision, update, suspend, reactivate, or remove tenant memberships | Dashboard and API |
| Roles and scopes | Define authorization bundles and API permissions | Dashboard and API |
| Policies | Apply conditional access and authorization rules | Dashboard and API |
| Organizations | Create workspaces, manage members and owners, switch active organization | Dashboard and API |
| SSO | Configure enterprise OIDC providers and verified-domain routing | Dashboard and API |
| SCIM | Provision and deprovision users from a directory provider | SCIM API and Dashboard configuration where enabled |
| Agents | Register agents, anchors, keys, and delegations | Identity portal, API, and CLI where enabled |
| Vault | Store third-party credentials and manage grants | API and Dashboard where enabled |
| Wallets | Provision wallets, control signing, budgets, freeze state, and transaction history | Identity portal and API where enabled |
| Webhooks | Subscribe to events, rotate secrets, test deliveries, inspect delivery status | Dashboard and API |
| Billing | Manage checkout, portal, credits, usage, plan limits, and invoices | Dashboard and API |
| Audit logs | Review security and administrative activity | Dashboard and API |
| Control plane | Manage platform settings and tenant-level configuration | API and operator surfaces |
Organizations, SSO, And SCIM¶
| Capability | Purpose |
|---|---|
| Organizations | Model business accounts, customer workspaces, departments, or teams inside a tenant |
| Organization members | Assign users to organizations with organization-specific roles |
| Active organization | Carry selected organization context in sessions and authorization decisions |
| Verified domains | Route users based on email domain and organization policy |
| Enterprise OIDC SSO | Authenticate users through an organization's identity provider |
| SSO check | Determine whether an email should be routed to an organization SSO provider |
| SCIM Users | Create, update, suspend, and remove tenant users through /scim/v2/Users |
| SCIM metadata | Publish /scim/v2/ServiceProviderConfig, /scim/v2/Schemas, and /scim/v2/ResourceTypes |
Agent, Wallet, And Vault Capabilities¶
| Capability | Purpose |
|---|---|
| Agent identities | First-class software principals with IDs, owners, anchors, capabilities, and status |
| Agent keys | Registered cryptographic keys for challenge-response authentication and key rotation |
| Verification flags | Key ownership, proof-of-work, DID, ERC-8004, reputation, and owner verification signals |
| Delegations | Scoped authority for one subject to act for another subject after policy checks |
| Wallet models | Deployment-supported wallet custody and execution models |
| Signing backends | Deployment-supported signing backends |
| Wallet controls | Per-transaction, daily, monthly, recipient, and contract controls where configured |
| Wallet operations | Provision, sign, freeze, unfreeze, inspect budget, and list transactions |
| Vault credentials | Store third-party credentials and tokens without exposing raw secrets to every caller |
| Vault grants | Give selected subjects limited access to stored credentials |
Events, Webhooks, And Audit Categories¶
For concrete event type strings and subscription guidance, see Webhook Events.
| Category | Examples |
|---|---|
| Authentication | Login, logout, token issue, token revocation |
| MFA and risk | MFA challenge, MFA verification, adaptive MFA |
| Tenant users | Pre-provisioning, invitation, activation, suspension, reactivation, removal |
| Administration | User, application, agent, delegation, key, role, policy, and configuration changes |
| Organizations | Domains, members, owner-role protection, role changes, SSO, and SCIM |
| Vault | Credential and grant lifecycle |
| Wallet | Signing, rejection, budget exceedance, freeze, unfreeze, transaction history |
| Chain | Ownership, reputation, and metadata changes |
| Commerce | Checkout, payment, refund, settlement, credits, and usage |
| Security | Brute force, refresh token reuse, suspicious activity, and high-risk changes |
Deployment And Feature Availability¶
Feature availability is not identical across every deployment.
| Dependency | Examples |
|---|---|
| Deployment configuration | OpenAPI router, phone delivery for MFA, email delivery, captcha, HIBP checks |
| Platform settings | Dynamic Client Registration, tenant lifecycle controls, global protocol policy |
| Tenant configuration | Login methods, application grant types, redirect URIs, SSO routing, branding, webhooks |
| Organization policy | Enterprise SSO, domain verification, SCIM provisioning, organization role mapping |
| Infrastructure | KMS/HSM/TSS signing, wallet support, email/SMS providers, databases, queues, cache backends |
| Billing or plan limits | Agent limits, webhook quotas, wallet signing operations, SCIM operations, usage alerts |
Verify feature availability in the target deployment before building an integration that depends on a specific capability.
Security Defaults¶
Preserve these defaults unless you have a reviewed reason to change them:
- exact redirect URI matching
- HTTPS in production
- Authorization Code with PKCE for browser, mobile, desktop, and other public clients
- MFA for tenant, organization, and platform administrators
- narrow scopes and least-privilege role assignments
- issuer, audience, signature, expiration, tenant, subject type, and scope validation
- tenant-local subjects, with pairwise identifiers for eligible third-party human or agent tokens
- client secrets, webhook secrets, SCIM tokens, API keys, and refresh tokens stored in a secret manager
- signed webhooks with timestamp checks and delivery deduplication
- DPoP sender constraints when required by the application or resource server
- short-lived delegated agent access with revocation paths
- audit review for high-impact changes
Related Pages¶
| Need | Read |
|---|---|
| Understand the product | Docs Home |
| Sign in or manage an account | For Individuals |
| Prepare a workspace | Launch Your Workspace |
| Add login to an app | Add SigID Login |
| Build OAuth integrations | OAuth And OIDC |
| Validate API tokens | Verify Tokens |
| Choose APIs and SDKs | API And SDK Reference |
| Register and authenticate agents | Agent And MCP Auth |
| Handle webhook events | Webhook Events |
| Triage integration issues | Troubleshooting |
| Look up terminology | Glossary |
Source¶
The public source repository is
sig-id/sigid.