Sigma Auth
Introduction

Add Bitcoin-powered authentication to your app - no passwords needed, just cryptographic signatures.

Try It First

See it in action: Visit sigmaidentity.com and click the live demo!

What You'll Build

Choose Your Framework

Sigma Auth works with any web framework. Select your framework for specific instructions:

Or follow the manual OAuth setup below to understand the core flow.

Core Requirements

Regardless of framework, you'll need:

  1. Client ID: Your app's identifier (e.g., "my-awesome-app")
  2. Redirect URI: Where users return after auth (e.g., https://myapp.com/callback)
  3. OAuth Endpoints: Sigma Auth provides standard OAuth 2.0 endpoints

Generating Secure Secrets

For frameworks that require session secrets (like NextAuth.js), generate one using:

openssl rand -base64 32

See framework-specific guides for detailed environment variable setup.

Manual OAuth Setup

This example shows the core OAuth flow that works with any framework:

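1. Create Login URL

function createLoginUrl() {
  // Generate an unguessable state value with the browser's CSPRNG.
  // Math.random() is predictable and must not be used for CSRF tokens.
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

  // Remember the value so the /callback route can compare it.
  // The cookie name oauth_state is illustrative; add "; Secure" when serving over HTTPS.
  document.cookie = `oauth_state=${state}; Path=/; Max-Age=600; SameSite=Lax`;

  const params = new URLSearchParams({
    client_id: 'your-app-name',
    redirect_uri: 'http://localhost:3000/callback',
    response_type: 'code',
    provider: 'sigma',
    state // CSRF protection
  });

  return `https://auth.sigmaidentity.com/authorize?${params}`;
}

// In your login button:
window.location.href = createLoginUrl();

2. Handle Callback

Create a /callback route in your app:

// Express.js example (req.cookies assumes the cookie-parser middleware)
app.get('/callback', async (req, res) => {
  const { code, state } = req.query;

  // Verify state parameter matches what you sent
  const expectedState = req.cookies.oauth_state;
  res.clearCookie('oauth_state'); // each state value is accepted once
  if (typeof state !== 'string' || !expectedState || state !== expectedState) {
    return res.status(400).send('Invalid state parameter');
  }

  if (typeof code !== 'string' || !code) {
    return res.status(400).send('No authorization code received');
  }

  try {
    // Exchange code for access token
    const tokenResponse = await fetch('https://auth.sigmaidentity.com/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'authorization_code',
        code,
        client_id: 'your-app-name',
        redirect_uri: 'http://localhost:3000/callback'
      })
    });
    if (!tokenResponse.ok) {
      throw new Error(`Token exchange failed with status ${tokenResponse.status}`);
    }

    const { access_token } = await tokenResponse.json();
    if (!access_token) {
      throw new Error('Token response did not include an access_token');
    }

    // Get user info
    const userResponse = await fetch('https://auth.sigmaidentity.com/userinfo', {
      headers: { Authorization: `Bearer ${access_token}` }
    });
    if (!userResponse.ok) {
      throw new Error(`Userinfo request failed with status ${userResponse.status}`);
    }

    const user = await userResponse.json();

    // Store user in session/database
    req.session.user = user;

    // Redirect to dashboard
    res.redirect('/dashboard');

  } catch (error) {
    console.error('Auth error:', error);
    res.status(500).send('Authentication failed');
  }
});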

3. Protect Routes

function requireAuth(req, res, next) {
  if (!req.session.user) {
    return res.redirect('/login');
  }
  next();
}

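app.get('/dashboard', requireAuth, (req, res) => {
  // The name comes from the identity provider; send it as plain text
  // so it is never interpreted as HTML by the browser
  res.type('text/plain').send(`Welcome ${req.session.user.name}!`);
});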
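
A server-side variant of the state check for steps 1 and 2, in which the state is generated and kept in the server-side session, expires, and can be used only once. This is an added example, not Sigma Auth's own code; the function names, the `oauthState` session field and the 10-minute lifetime are assumptions.

```javascript
// Added example. Function names, the session field `oauthState` and the
// 10-minute lifetime are assumptions, not part of Sigma Auth's API.
// Web Crypto is a global in current Node.js; older CommonJS runtimes fall back to node:crypto.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const AUTHORIZE_URL = 'https://auth.sigmaidentity.com/authorize';
const STATE_TTL_MS = 10 * 60 * 1000;

// Build the login URL and remember the state in the server-side session.
function beginLogin(session, { clientId, redirectUri }, now = Date.now()) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(32));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  session.oauthState = { value: state, expiresAt: now + STATE_TTL_MS };
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    provider: 'sigma',
    state,
  });
  return `${AUTHORIZE_URL}?${params}`;
}

// Compare two strings without exiting early on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Validate the callback query. The stored state is consumed on every call,
// so a value can be accepted at most once, whether or not the check passes.
function checkCallback(session, query, now = Date.now()) {
  const saved = session.oauthState;
  delete session.oauthState;
  if (!saved) return { ok: false, reason: 'no login in progress' };
  if (now > saved.expiresAt) return { ok: false, reason: 'state expired' };
  // Repeated query parameters arrive as arrays in Express, hence the type check.
  if (typeof query.state !== 'string' || !constantTimeEqual(query.state, saved.value)) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (typeof query.code !== 'string' || query.code === '') {
    return { ok: false, reason: 'no authorization code' };
  }
  return { ok: true, code: query.code };
}
```

In Express, call `beginLogin(req.session, ...)` from a server-side login route and `checkCallback(req.session, req.query)` at the top of `/callback`, before exchanging the code.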

Testing Your Integration

  1. Start your app: npm run dev or your dev command
  2. Click your sign-in button
  3. You'll be redirected to Sigma Auth
  4. Generate a Bitcoin key (first time only)
  5. Your key automatically signs an auth token
  6. You'll be redirected back to your app, logged in!

Common Issues & Solutions

"Invalid redirect URI"

  • Make sure your redirect_uri matches exactly in both the login URL and token exchange
  • For local development, use http://localhost:3000/callback
  • For production, use your actual domain: https://yourapp.com/callback

"No authorization code received"

  • Check that your /callback route is correctly set up
  • Verify the redirect_uri parameter is correct
  • Look at browser dev tools Network tab for any errors

NextAuth session is undefined

  • Make sure you wrapped your app with <SessionProvider>
  • Check that your environment variables are set correctly
  • Verify the NextAuth configuration matches the example above

Users get stuck on "generating key"

  • This is usually a browser compatibility issue
  • Make sure the page is served over HTTPS in production
  • Some ad blockers can interfere with crypto operations

What's Next?

Congratulations! You now have Bitcoin-powered authentication.

Customize the Experience

Go Deeper

Get Help