Sigma Auth Reference

Sigma Auth provides an OAuth 2.0/OIDC-compliant API for Bitcoin-based authentication. All endpoints support the standard OAuth flows while adding Bitcoin cryptographic verification.

Base URL

All API endpoints are available at:

https://auth.sigmaidentity.com

Authentication Methods

OAuth 2.0 Authorization Code Flow

Standard OAuth 2.0 authorization code flow with PKCE support.

Direct Bitcoin Authentication

Direct signature-based authentication using the /sigma/authorize endpoint.

Access Tokens

Authorization: Bearer <your_access_token>
  • Format: JWT (ES256 signed)
  • Lifetime: 30 days
  • Works across all client applications

No refresh tokens are issued; when a token expires, the user re-authenticates through the OAuth flow.

Quick Reference

Core Endpoints

  • GET /authorize - Start OAuth flow
  • POST /token - Exchange code for token
  • GET /userinfo - Get user information
  • POST /sigma/authorize - Direct Bitcoin authentication

Profile Endpoints

  • GET /api/profile - Get user profile
  • POST /api/profile/create - Create user profile
  • PUT /api/profile - Update user profile

Discovery Endpoints

  • GET /.well-known/openid-configuration - OpenID Connect discovery
  • GET /.well-known/jwks.json - JSON Web Key Set

Utility Endpoints

  • GET /health - Health check
  • GET /backup - Retrieve encrypted backup
  • POST /backup - Store encrypted backup

Authentication Providers

Sigma Provider

Uses Bitcoin cryptographic signatures for passwordless authentication.

Google Provider

Standard Google OAuth 2.0 integration.

GitHub Provider

Standard GitHub OAuth 2.0 integration.

OAuth 2.0 Endpoints

Authorization Endpoint

GET /authorize

Initiates the OAuth authorization flow and redirects the user to the authentication UI.

Parameters:

Parameter      Type    Required  Description
client_id      string  Yes       Your application identifier
redirect_uri   string  Yes       URL to redirect to after authorization
response_type  string  Yes       Must be "code" (authorization code flow)
provider       string  No        Provider: sigma, google, github (defaults to sigma)
state          string  No        CSRF protection parameter
scope          string  No        Requested scopes (space-separated)

Example:

https://auth.sigmaidentity.com/authorize?
  client_id=your-app&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  provider=sigma

Token Endpoint

POST /token

Exchanges an authorization code for an access token.

Content-Type: application/x-www-form-urlencoded

Parameters:

Parameter     Type    Required  Description
grant_type    string  Yes       Must be "authorization_code"
code          string  Yes       Authorization code from the redirect
redirect_uri  string  Yes       Must match the original redirect_uri
client_id     string  Yes       Your application identifier

Response:

{
  "access_token": "eyJhbGciOiJFUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 2592000
}

UserInfo Endpoint

GET /userinfo

Returns information about the authenticated user.

Headers:

Authorization: Bearer <access_token>

Response (with profile):

{
  "pubkey": "02a94e09bcd6085e580f9214d2814e985f348b1b24121b2aff70a169f971ff5699",
  "bapIdKey": "GpWrvdYWq3DUWMcw8vF8cFYoBK7",
  "profile": {
    "bapId": "GpWrvdYWq3DUWMcw8vF8cFYoBK7",
    "address": "1ProfileAddressExample...",
    "identity": {
      "alternateName": "johndoe",
      "image": "https://example.com/avatar.jpg",
      "description": "Bitcoin developer"
    },
    "isPublished": false,
    "createdAt": 1705123456789,
    "updatedAt": 1705123456789
  }
}

Response (without profile):

{
  "pubkey": "02a94e09bcd6085e580f9214d2814e985f348b1b24121b2aff70a169f971ff5699"
}

Discovery Endpoints

OpenID Configuration

GET /.well-known/openid-configuration

Returns OAuth 2.0/OIDC server metadata.

JWKS Endpoint

GET /.well-known/jwks.json

Returns public keys for JWT signature verification.

Profile Management Endpoints

See Profile API Documentation for details on profile endpoints.

Backup Service Endpoints

See Backup API Documentation for details on backup endpoints.

Rate Limiting

  • OAuth endpoints: 10 requests per minute per IP
  • API endpoints: 100 requests per minute per user
  • Failed authentication: progressive delays after repeated failed attempts