Getting Started

LoginSign provides privacy-first sign-in via OAuth 2.0. User emails are masked (e.g. x9s8d7@loginsign.com) and never exposed to your application unless the user allows it.

Prerequisites

  • A LoginSign developer account (create one at the landing page)
  • A registered application in the Developer Portal
  • Client ID and Client Secret from your app settings

Quick Start (2 minutes)

  1. Log in and open the Developer Portal
  2. Create a new app or select an existing project
  3. In Settings, add your callback URL(s) in Redirect URIs
  4. Start sign-in with https://loginsign.com/oauth/authorize?... (never with /login)
  5. Handle the callback ?code=...&state=... and exchange the code on your backend via POST /oauth/token

Integration checklist

  1. Register every callback URL you use (staging + production) under Redirect URIs.
  2. Build the authorize URL with response_type=code, your client_id, redirect_uri, state, and scope (see OAuth Flow).
  3. On your callback route, validate state, then server-side POST /oauth/token with the same redirect_uri.
  4. Call GET /api/user with Authorization: Bearer … and map globalId in your app.
  5. Run GET …/api/oauth/healthcheck?client_id=…&redirect_uri=… after each URI change (also available in the portal).
  6. First-time connect: the signing-in user must have a valid email on their LoginSign account; otherwise consent returns an error (see README troubleshooting).

Non-Negotiable Rules

  • Start URL: Always start with /oauth/authorize.
  • Redirect URI: Use the same value in authorize and token exchange.
  • Server-side exchange: Keep the client secret on the backend only.
  • Error handling: Log the raw token response (status + JSON), not only “Sign-in failed”.
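
The checklist and rules above, as an added example (not LoginSign's own code): it creates a single-use state value, builds the /oauth/authorize URL, validates state on the callback, and prepares the backend POST /oauth/token request with the same redirect_uri. The client values, the scope value "profile", the callback URL and the RFC 6749 form field names (grant_type, code, client_id, client_secret) are assumptions; the request is built but not sent.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://loginsign.com"
CLIENT_ID = "example-client-id"          # constructed placeholder
CLIENT_SECRET = "example-client-secret"  # constructed placeholder; backend only
REDIRECT_URI = "https://app.example.com/auth/callback"  # assumed; must be registered


def begin_sign_in(session, scope="profile"):
    """Store a fresh state in the user's session and return the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
        "scope": scope,  # assumed scope name
    })
    return f"{BASE}/oauth/authorize?{query}"


def handle_callback(session, callback_url):
    """Validate state, then build (not send) the server-side token request."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: reject the callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    body = urlencode({
        "grant_type": "authorization_code",  # assumed RFC 6749 field names
        "code": params["code"][0],
        "redirect_uri": REDIRECT_URI,  # same value as in the authorize URL
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return urllib.request.Request(f"{BASE}/oauth/token", data=body, method="POST")
```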

What You'll Get

After a successful sign-in, your application receives:

  • User ID — A unique, stable identifier
  • Display name — User-provided or from social provider
  • Masked email — Forwarding address (e.g. x9s8d7@loginsign.com)

Continue to Installation and OAuth Flow for copy/paste examples.

Self-hosting locally: opening / on loopback may auto-redirect to the demo session — append ?noddemo=1 when you need a clean OAuth test from the landing page. Prefer linking users straight to /oauth/authorize from your app.

See also: Account closure and webhooks for syncing user deletion.