Sigma Auth provides a comprehensive OAuth 2.0/OIDC compliant API for Bitcoin-based authentication. All endpoints support standard OAuth flows while adding Bitcoin cryptographic verification.
Base URL
All API endpoints are available at:
https://auth.sigmaidentity.comAuthentication Methods
OAuth 2.0 Flow (Recommended)
Standard OAuth 2.0 authorization code flow with PKCE support.
Direct Bitcoin Authentication
Direct signature-based authentication using the /sigma/authorize endpoint.
Access Tokens
Authorization: Bearer <your_access_token>- Format: JWT (ES256 signed)
- Lifetime: 30 days
- Works across all client applications
No refresh tokens - when tokens expire, users re-authenticate through the OAuth flow.
Quick Reference
Core Endpoints
GET /authorize- Start OAuth flowPOST /token- Exchange code for tokenGET /userinfo- Get user informationPOST /sigma/authorize- Direct Bitcoin authentication
Profile Endpoints
GET /api/profile- Get user profilePOST /api/profile/create- Create user profilePUT /api/profile- Update user profile
Discovery Endpoints
GET /.well-known/openid-configuration- OpenID Connect discoveryGET /.well-known/jwks.json- JSON Web Key Set
Utility Endpoints
GET /health- Health checkGET /backup- Retrieve encrypted backupPOST /backup- Store encrypted backup
Authentication Providers
Sigma Provider
Uses Bitcoin cryptographic signatures for passwordless authentication.
Google Provider
Standard Google OAuth 2.0 integration.
GitHub Provider
Standard GitHub OAuth 2.0 integration.
OAuth 2.0 Endpoints
Authorization Endpoint
GET /authorize
Initiates the OAuth authorization flow. Redirects user to authentication UI.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | Your application identifier |
redirect_uri | string | Yes | URL to redirect after authorization |
response_type | string | Yes | Must be code for authorization code flow |
provider | string | No | Provider: sigma, google, github (defaults to sigma) |
state | string | No | CSRF protection parameter |
scope | string | No | Requested scopes (space-separated) |
Example:
https://auth.sigmaidentity.com/authorize?
client_id=your-app&
redirect_uri=https://yourapp.com/callback&
response_type=code&
provider=sigmaToken Endpoint
POST /token
Exchange authorization code for access token.
Content-Type: application/x-www-form-urlencoded
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
grant_type | string | Yes | Must be authorization_code |
code | string | Yes | Authorization code from redirect |
redirect_uri | string | Yes | Must match original redirect_uri |
client_id | string | Yes | Your application identifier |
Response:
{
"access_token": "eyJhbGciOiJFUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 2592000
}UserInfo Endpoint
GET /userinfo
Get authenticated user information.
Headers:
Authorization: Bearer <access_token>Response (with profile):
{
"pubkey": "02a94e09bcd6085e580f9214d2814e985f348b1b24121b2aff70a169f971ff5699",
"bapIdKey": "GpWrvdYWq3DUWMcw8vF8cFYoBK7",
"profile": {
"bapId": "GpWrvdYWq3DUWMcw8vF8cFYoBK7",
"address": "1ProfileAddressExample...",
"identity": {
"alternateName": "johndoe",
"image": "https://example.com/avatar.jpg",
"description": "Bitcoin developer"
},
"isPublished": false,
"createdAt": 1705123456789,
"updatedAt": 1705123456789
}
}Response (without profile):
{
"pubkey": "02a94e09bcd6085e580f9214d2814e985f348b1b24121b2aff70a169f971ff5699"
}Discovery Endpoints
OpenID Configuration
GET /.well-known/openid-configuration
Returns OAuth 2.0/OIDC server metadata.
JWKS Endpoint
GET /.well-known/jwks.json
Returns public keys for JWT signature verification.
Profile Management Endpoints
See Profile API Documentation for details on profile endpoints.
Backup Service Endpoints
See Backup API Documentation for details on backup endpoints.
Rate Limiting
- OAuth endpoints: 10 requests per minute per IP
- API endpoints: 100 requests per minute per user
- Failed authentication: Progressive delays after failed attempts