Sign In With Onyx lets an approved app authenticate a user through Onyx ID.
Login proves that the user can access an Onyx account. It does not grant every Onyx permission. Apps still need approved scopes and user consent for identity fields, trust assertions, communication access, or other connected capabilities.
What Login Provides
Sign In With Onyx can support:
- account authentication
- app-linked subject projection
- profile access where approved
- session continuity where approved
- consent requests after login
- connected-app visibility in Onyx ID
The app receives only the account projection allowed for that integration.
Redirect URIs
Partners must configure redirect URIs before production.
Redirect URIs should:
- belong to the partner app
- use HTTPS in production
- match the approved app configuration
- avoid wildcards unless Onyx approves them
- keep preview and production environments separate
Invalid or unapproved redirect settings can block login.
PKCE
Connect SDK supports authorization flows with PKCE.
PKCE helps protect the authorization exchange when the app redirects the user through a browser or app handoff. The partner app remains responsible for storing session state safely after the login completes.
Login Only Mode
Some apps only need login.
Login-only integrations should not request messaging, trust assertions, payment eligibility, or other scopes unless the app actually needs them.
If the app later needs more access, request it through a separate consent flow.
After Login
After login, the app can:
- complete its own session setup
- request approved scopes
- check consent state
- check capabilities
- show the user what is connected
- handle revocation if access changes
The app should not assume that login means the user can receive messages, share trust assertions, or use partner connectivity.
Session Responsibilities
The partner app owns its own session.
Partners should:
- protect tokens
- rotate secrets when needed
- handle expired sessions
- separate preview and production credentials
- avoid logging sensitive session material
- respect user revocation and account state changes
If login succeeds but a later action is blocked, check the specific permission or capability state.

