OAuth Flow

LoginSign uses OAuth 2.0 for authentication. Understand the flow to implement server-side or custom integrations.

Endpoints

Use your LoginSign deployment base URL (e.g. https://loginsign.com or, if you use a separate auth domain, https://auth.loginsign.com).

Endpoint       URL
Authorization  https://loginsign.com/oauth/authorize
Token          https://loginsign.com/oauth/token

Authorization Request

GET https://loginsign.com/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=email profile&
  state=random_state_string

Recommended ENV Setup

Don't hardcode OAuth values in your frontend. Keep them environment-based so local and production work without code changes.

# Frontend (.env.local)
LOGINSIGN_CLIENT_ID=YOUR_CLIENT_ID
LOGINSIGN_REDIRECT_URI=http://localhost:3000/auth

# Backend (.env)
LOGINSIGN_CLIENT_ID=YOUR_CLIENT_ID
LOGINSIGN_CLIENT_SECRET=YOUR_CLIENT_SECRET
LOGINSIGN_REDIRECT_URI=http://localhost:3000/auth

Token Exchange

POST https://loginsign.com/oauth/token
Content-Type: application/x-www-form-urlencoded

code=AUTHORIZATION_CODE&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
redirect_uri=https://yourapp.com/callback&
grant_type=authorization_code

Redirect URIs

The Redirect URI is the URL in your app to which LoginSign sends the user after they allow or deny access. You must register one or more Redirect URIs in the Developer Portal when creating or editing your application.

  • Match rule: Use the same URI in authorize + token exchange. LoginSign accepts normalized equivalents for convenience (for example www/non-www, default ports, trailing slash differences).
  • HTTPS in production: Use https:// for production. http://localhost is allowed for local development.
  • Callback path: Typically something like https://yourapp.com/oauth/callback or https://yourapp.com/auth/callback. Your app must handle this route: read the code and state query parameters, exchange the code for a token, and verify state.

Add all Redirect URIs that your app will use (e.g. production and staging). You can add or remove URIs later in the application settings.

Quick Validation

Validate your setup before go-live:

GET https://loginsign.com/api/oauth/healthcheck?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/auth

You can also run this check directly inside the Developer Portal under Settings → Redirect URIs → OAuth config check.

Flow Diagram

  1. User clicks "Sign in with LoginSign"
  2. Redirect to LoginSign authorization URL
  3. User signs in and authorizes your app
  4. Redirect back with ?code=... and state=...
  5. Exchange code for access token via POST to token endpoint
  6. Use access token to fetch user profile
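
Steps 2, 4 and 5 of the flow in Node.js, added here as an example and not LoginSign's own code: it verifies state before building the token request and treats each state value as single use. The `session` object and the function names are assumptions standing in for your own server-side session store; the token request is built but not sent.

```javascript
const crypto = require("node:crypto");

const AUTHORIZE_URL = "https://loginsign.com/oauth/authorize";
const TOKEN_URL = "https://loginsign.com/oauth/token";

// Step 2: bind an unguessable state value to this session and build the redirect.
// `session` is a hypothetical server-side session object (assumption).
function beginLogin(env, session) {
  session.oauthState = crypto.randomBytes(32).toString("base64url");
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: env.LOGINSIGN_CLIENT_ID,
    redirect_uri: env.LOGINSIGN_REDIRECT_URI,
    response_type: "code",
    scope: "email profile",
    state: session.oauthState,
  }).toString();
  return url.toString();
}

// Constant-time comparison; a missing or non-string value never matches.
function stateMatches(expected, received) {
  if (typeof expected !== "string" || typeof received !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Steps 4-5: verify state first, then build the token request from the code.
function handleCallback(query, session, env) {
  const expected = session.oauthState;
  delete session.oauthState; // single use: a replayed callback fails below
  if (!stateMatches(expected, query.state)) throw new Error("state mismatch");
  if (typeof query.code !== "string" || query.code === "") throw new Error("missing code");
  return {
    method: "POST",
    url: TOKEN_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      code: query.code,
      client_id: env.LOGINSIGN_CLIENT_ID,
      client_secret: env.LOGINSIGN_CLIENT_SECRET, // backend only
      redirect_uri: env.LOGINSIGN_REDIRECT_URI, // same URI as in the authorize step
      grant_type: "authorization_code",
    }).toString(),
  };
}
```

Send the returned request from your backend with any HTTP client, so the client secret never reaches the browser.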