Skip to content

Product Reference

Use this page as a quick reference for SigID product surfaces and capabilities. It is for architecture review, product evaluation, and finding the right guide. For first-task guidance, use For Individuals, For Business, or For Developers. For exact request and response schemas, use the deployment's OpenAPI document when it is enabled.

Feature availability depends on deployment configuration, tenant settings, organization policy, and plan limits.

On This Page

Capability Availability

Use this reference as a map, not as a promise that every deployment exposes every capability. Confirm availability in the target deployment before building against a specific feature.

Availability Capabilities
Core integration path Hosted login, OAuth/OIDC discovery, Authorization Code with PKCE, token validation, tenants, applications, TypeScript SDKs, backend API protection
Common business configuration Users, login methods, organizations, SSO routing, roles, audit review, webhooks, production configuration
Optional or deployment-dependent SCIM, CIBA, Dynamic Client Registration, DPoP enforcement, wallet signing, vault grants, billing/commerce, agent registration, MCP/tool authorization
Verify in deployment Exact endpoints, enabled grant types, supported sign-in methods, event types, SDK publication status, plan limits, and OpenAPI availability

Product Surfaces

Surface Used by Purpose
Hosted auth End users and applications Sign-in, recovery, MFA, SSO routing, consent, and OAuth redirects
Identity portal End users Profile, authenticators, sessions, app permissions, linked sign-in providers, delegations, and account security
Dashboard Tenant administrators and platform teams Applications, users, organizations, SSO, authorization policies, webhooks, billing, and audit review
APIs Developers and admin systems Integration, automation, provisioning, management, and protocol flows
CLI Agent builders and operators Local agent keys, registration, challenge-response authentication, signing, and key lifecycle
Webhooks Backend systems Signed asynchronous event delivery
Audit logs Administrators and operators Investigation, compliance review, and operational history
Docs Developers, admins, operators, and users Product guidance, implementation guidance, and reference material

End-User Sign-In Methods

These are user-facing sign-in or guest-access methods. Tenant feature flags, Dashboard configuration, organization policy, and deployment configuration determine which methods appear in a given environment.

Method Use Availability
Email and password Broad compatibility through hosted OAuth login Deployment and tenant dependent
Passkeys and WebAuthn Phishing-resistant hosted OAuth sign-in Deployment and tenant dependent
Social OAuth Federated consumer or developer login Deployment and provider dependent
Enterprise OIDC SSO Organization-managed sign-in and routing Per organization

Direct human sign-in APIs are not exposed. Browser and native applications start interactive human sign-in through hosted OAuth authorization requests.

Machine credentials, API keys, token exchange, and agent challenge-response are not end-user sign-in methods. They are listed under Machine, Agent, And API Credentials.

MFA, Recovery, And Session Controls

Capability Purpose
TOTP authenticator app Time-based codes for second-factor authentication
Backup codes One-time recovery codes for MFA loss
WebAuthn security keys Hardware security keys as a second factor
Trusted devices Remember a device for a bounded period when policy allows it
Known devices Review and remove remembered devices
Login history Review recent sign-in activity, location, method, and risk signals
Active sessions Review or revoke user sessions
Social recovery Guardian-based account recovery when configured
Adaptive MFA Step-up prompts based on risk signals and tenant policy

OAuth, OIDC, And Discovery Capabilities

Capability Spec or standard Endpoint or mechanism
Authorization Code with PKCE OAuth 2.0, PKCE GET /oauth/authorize, POST /oauth/token
Client Credentials OAuth 2.0 POST /oauth/token
Refresh Token OAuth 2.0 POST /oauth/token
Token Exchange RFC 8693 POST /oauth/token
Device Authorization RFC 8628 POST /oauth/device/code, POST /oauth/token, GET /oauth/device/verify
Pushed Authorization Requests RFC 9126 POST /oauth/par, then /oauth/authorize?request_uri=...
Rich Authorization Requests RFC 9396 authorization_details on authorization requests and token responses
CIBA Backchannel Authentication OpenID CIBA POST /bc-authorize, GET /api/v1/identity/ciba/requests, approve/deny request endpoints, then POST /oauth/token
ACR values OpenID Connect Core acr_values on authorization requests
OIDC claims parameter OpenID Connect Core claims on authorization requests
DPoP RFC 9449 DPoP proof headers and sender-constrained tokens
Revocation RFC 7009 POST /oauth/revoke
Introspection RFC 7662 POST /oauth/introspect
OIDC discovery OpenID Connect Discovery GET /.well-known/openid-configuration
JWKS JOSE / JWK GET /.well-known/jwks.json
UserInfo OpenID Connect Core GET /userinfo
RP-initiated logout OpenID Connect RP-Initiated Logout GET or POST /oauth/end-session
Dynamic Client Registration RFC 7591 / RFC 7592 POST /oauth/register, when enabled
OAuth protected resource metadata RFC 9728 GET /.well-known/oauth-protected-resource
OpenAPI JSON OpenAPI GET /openapi.json, when the OpenAPI router is enabled

Some deployments expose an interactive OpenAPI UI from the OpenAPI router. Use the deployment's documented docs URL instead of assuming a fixed path.

Machine, Agent, And API Credentials

Capability Use
Client credentials Service clients acting as themselves
API keys User-owned automation credentials where API key authentication is configured
Token exchange Mint reduced delegated tokens after policy checks
Agent challenge-response Agent authentication with signed challenges and registered keys, when agent identity is enabled
Agent anchors External or cryptographic identity anchors, when configured
Hosted agent DID documents Hosted did:web documents for deployments that enable hosted agent DID support

Tenant Administration Areas

Area Typical tasks Programmatic surface
Applications Configure OAuth clients, redirect URIs, origins, grant types, scopes, and secrets Dashboard and API
Tenant users Invite, pre-provision, update, suspend, reactivate, or remove tenant memberships Dashboard and API
Roles and scopes Define authorization bundles and API permissions Dashboard and API
Policies Apply conditional access and authorization rules Dashboard and API
Organizations Create workspaces, manage members and owners, switch active organization Dashboard and API
SSO Configure enterprise OIDC providers and verified-domain routing Dashboard and API
SCIM Provision and deprovision users from a directory provider SCIM API and Dashboard configuration where enabled
Agents Register agents, anchors, keys, and delegations Identity portal, API, and CLI where enabled
Vault Store third-party credentials and manage grants API and Dashboard where enabled
Wallets Provision wallets, control signing, budgets, freeze state, and transaction history Identity portal and API where enabled
Webhooks Subscribe to events, rotate secrets, test deliveries, inspect delivery status Dashboard and API
Billing Manage checkout, portal, credits, usage, plan limits, and invoices Dashboard and API
Audit logs Review security and administrative activity Dashboard and API
Control plane Manage platform settings and tenant-level configuration API and operator surfaces

Organizations, SSO, And SCIM

Capability Purpose
Organizations Model business accounts, customer workspaces, departments, or teams inside a tenant
Organization members Assign users to organizations with organization-specific roles
Active organization Carry selected organization context in sessions and authorization decisions
Verified domains Route users based on email domain and organization policy
Enterprise OIDC SSO Authenticate users through an organization's identity provider
SSO check Determine whether an email should be routed to an organization SSO provider
SCIM Users Create, update, suspend, and remove tenant users through /scim/v2/Users
SCIM metadata Publish /scim/v2/ServiceProviderConfig, /scim/v2/Schemas, and /scim/v2/ResourceTypes

Agent, Wallet, And Vault Capabilities

Capability Purpose
Agent identities First-class software principals with IDs, owners, anchors, capabilities, and status
Agent keys Registered cryptographic keys for challenge-response authentication and key rotation
Verification flags Key ownership, proof-of-work, DID, ERC-8004, reputation, and owner verification signals
Delegations Scoped authority for one subject to act for another subject after policy checks
Wallet models Deployment-supported wallet custody and execution models
Signing backends Deployment-supported signing backends
Wallet controls Per-transaction, daily, monthly, recipient, and contract controls where configured
Wallet operations Provision, sign, freeze, unfreeze, inspect budget, and list transactions
Vault credentials Store third-party credentials and tokens without exposing raw secrets to every caller
Vault grants Give selected subjects limited access to stored credentials

Events, Webhooks, And Audit Categories

For concrete event type strings and subscription guidance, see Webhook Events.

Category Examples
Authentication Login, logout, token issue, token revocation
MFA and risk MFA challenge, MFA verification, adaptive MFA
Tenant users Pre-provisioning, invitation, activation, suspension, reactivation, removal
Administration User, application, agent, delegation, key, role, policy, and configuration changes
Organizations Domains, members, owner-role protection, role changes, SSO, and SCIM
Vault Credential and grant lifecycle
Wallet Signing, rejection, budget exceedance, freeze, unfreeze, transaction history
Chain Ownership, reputation, and metadata changes
Commerce Checkout, payment, refund, settlement, credits, and usage
Security Brute force, refresh token reuse, suspicious activity, and high-risk changes

Deployment And Feature Availability

Feature availability is not identical across every deployment.

Dependency Examples
Deployment configuration OpenAPI router, phone delivery for MFA, email delivery, captcha, HIBP checks
Platform settings Dynamic Client Registration, tenant lifecycle controls, global protocol policy
Tenant configuration Login methods, application grant types, redirect URIs, SSO routing, branding, webhooks
Organization policy Enterprise SSO, domain verification, SCIM provisioning, organization role mapping
Infrastructure KMS/HSM/TSS signing, wallet support, email/SMS providers, databases, queues, cache backends
Billing or plan limits Agent limits, webhook quotas, wallet signing operations, SCIM operations, usage alerts

Verify feature availability in the target deployment before building an integration that depends on a specific capability.

Security Defaults

Preserve these defaults unless you have a reviewed reason to change them:

  • exact redirect URI matching
  • HTTPS in production
  • Authorization Code with PKCE for browser, mobile, desktop, and other public clients
  • MFA for tenant, organization, and platform administrators
  • narrow scopes and least-privilege role assignments
  • issuer, audience, signature, expiration, tenant, subject type, and scope validation
  • tenant-local subjects, with pairwise identifiers for eligible third-party human or agent tokens
  • client secrets, webhook secrets, SCIM tokens, API keys, and refresh tokens stored in a secret manager
  • signed webhooks with timestamp checks and delivery deduplication
  • DPoP sender constraints when required by the application or resource server
  • short-lived delegated agent access with revocation paths
  • audit review for high-impact changes
Need Read
Understand the product Docs Home
Sign in or manage an account For Individuals
Prepare a workspace Launch Your Workspace
Add login to an app Add SigID Login
Build OAuth integrations OAuth And OIDC
Validate API tokens Verify Tokens
Choose APIs and SDKs API And SDK Reference
Register and authenticate agents Agent And MCP Auth
Handle webhook events Webhook Events
Triage integration issues Troubleshooting
Look up terminology Glossary

Source

The public source repository is sig-id/sigid.