Quick Start | Sigma Auth

Add Bitcoin-powered authentication to your app - no passwords needed, just cryptographic signatures.

Try It First

See it in action: Visit sigmaidentity.com and click the live demo!

What You'll Build

Choose Your Framework

Sigma Auth works with any web framework. Select your framework for specific instructions:

Next.js

Full-stack React framework with NextAuth.js integration

React

Single-page applications with React hooks

Vanilla JavaScript

Plain JavaScript with no framework dependencies

Or follow the manual OAuth setup below to understand the core flow.

Core Requirements

Regardless of framework, you'll need:

Client ID: Your app's identifier (e.g., "my-awesome-app")
Redirect URI: Where users return after auth (e.g., https://myapp.com/callback)
OAuth Endpoints: Sigma Auth provides standard OAuth 2.0 endpoints

Generating Secure Secrets

For frameworks that require session secrets (like NextAuth.js), generate one using:

openssl rand -base64 32

See framework-specific guides for detailed environment variable setup.

Manual OAuth Setup

This example shows the core OAuth flow that works with any framework:

function createLoginUrl() {
  const params = new URLSearchParams({
    client_id: 'your-app-name',
    redirect_uri: 'http://localhost:3000/callback',
    response_type: 'code',
    provider: 'sigma',
    state: Math.random().toString(36) // CSRF protection
  });
  
  return `https://auth.sigmaidentity.com/authorize?${params}`;
}

// In your login button:
window.location.href = createLoginUrl();

2. Handle Callback

Create a /callback route in your app:

// Express.js example
app.get('/callback', async (req, res) => {
  const { code, state } = req.query;
  
  // Verify state parameter matches what you sent
  if (!code) {
    return res.status(400).send('No authorization code received');
  }

  try {
    // Exchange code for access token
    const tokenResponse = await fetch('https://auth.sigmaidentity.com/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'authorization_code',
        code,
        client_id: 'your-app-name',
        redirect_uri: 'http://localhost:3000/callback'
      })
    });

    const { access_token } = await tokenResponse.json();

    // Get user info
    const userResponse = await fetch('https://auth.sigmaidentity.com/userinfo', {
      headers: { Authorization: `Bearer ${access_token}` }
    });

    const user = await userResponse.json();
    
    // Store user in session/database
    req.session.user = user;
    
    // Redirect to dashboard
    res.redirect('/dashboard');
    
  } catch (error) {
    console.error('Auth error:', error);
    res.status(500).send('Authentication failed');
  }
});

3. Protect Routes

function requireAuth(req, res, next) {
  if (!req.session.user) {
    return res.redirect('/login');
  }
  next();
}

app.get('/dashboard', requireAuth, (req, res) => {
  res.send(`Welcome ${req.session.user.name}!`);
});

Testing Your Integration

Start your app: npm run dev or your dev command
Click your sign-in button
You'll be redirected to Sigma Auth
Generate a Bitcoin key (first time only)
Your key automatically signs an auth token
You'll be redirected back to your app, logged in!

Common Issues & Solutions

"Invalid redirect URI"

Make sure your redirect_uri matches exactly in both the login URL and token exchange
For local development, use http://localhost:3000/callback
For production, use your actual domain: https://yourapp.com/callback