API Reference

Complete API documentation for LoginSign. Use your deployment base URL (e.g. https://loginsign.com). Endpoints below require a valid Bearer token unless otherwise noted.

Authentication

Include the access token in the Authorization header:

Authorization: Bearer YOUR_ACCESS_TOKEN

User Identity

Every LoginSign user has a Global User ID — a short identifier in the format XX1234 (2 letters + 4 digits). This ID is stable, unique, and supports millions of users. Use it to reference users in your app instead of internal IDs.

Endpoints

GET /api/user

Get current user

Returns the authenticated user's profile.

// Response
{
  "id": "connection_id",
  "globalId": "AB1234",
  "name": "John Doe",
  "email": "x9s8d7@loginsign.com",
  "image": "https://..."
}

GET /api/developer/applications/:appId/users

List users (for developers)

Returns all users who have connected to your application. Requires a developer session (cookie from the Developer Portal).

// Response
{
  "users": [
    {
      "id": "connection_id",
      "globalId": "AB1234",
      "name": "John Doe",
      "email": "x9s8d7@loginsign.com",
      "active": true,
      "blocked": false,
      "emailMuted": false,
      "sessions": 23,
      "lastSession": "2023-07-19T14:30:00Z",
      "joined": "2023-07-19T10:00:00Z",
      "region": "Germany"
    }
  ],
  "total": 312
}

globalId — User identifier (2 letters + 4 digits). Use this to reference the user in your app.
email — The address the user shared with your app for this connection, or a dash if not shared.

PATCH /api/developer/applications/:appId/users/:connectionId

Update user connection

Body: optional isForwarding (boolean) and/or appEmail (string: an address linked to the user's LoginSign account, or empty string to stop sharing). At least one field is required.

DELETE /api/developer/applications/:appId/users/:connectionId

Delete user connection (account closure)

Permanently removes the connection. The user_account_deleted webhook is sent. See Account closure.

POST /oauth/token

Exchange authorization code for access token

Content-Type: application/x-www-form-urlencoded

// Request body (form-urlencoded)
code=AUTHORIZATION_CODE&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
redirect_uri=https://yourapp.com/callback&
grant_type=authorization_code

// Response
{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Error Responses

All errors return JSON with an error code and a description:

{
  "error": "invalid_grant",
  "error_description": "The authorization code has expired"
}
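
An added example (not LoginSign's own code) of the flow documented above, for a backend: build the POST /oauth/token request, turn the error JSON into an exception, record when the token expires, and check globalId before using it as a key. The function names and OAuthError are hypothetical, BASE_URL is the page's example URL, and ASCII letters in globalId are an assumption.

```python
import json, re, time
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://loginsign.com"  # the page's example; use your deployment base URL
GLOBAL_ID_RE = re.compile(r"[A-Za-z]{2}[0-9]{4}")  # 2 letters + 4 digits (ASCII assumed)

class OAuthError(Exception):
    """Raised for {"error": ..., "error_description": ...} or malformed token responses."""

def build_token_request(code, client_id, client_secret, redirect_uri):
    # Carries client_secret, so build and send this from the backend only.
    body = urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode("ascii")
    return Request(BASE_URL + "/oauth/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    data = json.loads(raw)
    if "error" in data:
        raise OAuthError(f'{data["error"]}: {data.get("error_description", "")}')
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise OAuthError("unexpected token response")
    now = time.time() if now is None else now
    # Store the absolute expiry so the token is dropped once expires_in has elapsed.
    return {"access_token": data["access_token"], "expires_at": now + int(data["expires_in"])}

def build_user_request(access_token):
    return Request(BASE_URL + "/api/user",
                   headers={"Authorization": f"Bearer {access_token}"})

def parse_user(raw):
    # Check globalId before using it as a key in your own database.
    user = json.loads(raw)
    gid = user.get("globalId")
    if not isinstance(gid, str) or not GLOBAL_ID_RE.fullmatch(gid):
        raise ValueError("globalId is not 2 letters + 4 digits")
    return user
```

Pass either Request object to urllib.request.urlopen to send it, and feed the response body to the matching parse function.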