AuthCog API

Login redirect flow

AuthCog hands identity back to your site through a single-use redirect — no passwords and no provider tokens ever reach your server.

1. Send the visitor to central auth, identifying your site by its domain:

GET https://auth.authcog.com/domain:my-app.com

The user signs in with any provider you enabled, then AuthCog redirects the browser back to your site with a short-lived callback hash:

GET https://my-app.com/authcog?callback=SECURE_HASH

2. Exchange the hash server-side for the released identity:

GET https://auth.authcog.com/domain:my-app.com?user=SECURE_HASH

{ "email": "user@example.com", "name": "Ada Lovelace",
  "avatar": "https://...", "provider": "google" }

The callback hash is single-use, expires 5 minutes after issue, and is bound to the exact domain it was issued for. The payload carries only profile basics — email, name, avatar and the provider used. Start your own session from it.

What you get back

The exchange returns JSON with the verified profile:

email     verified email - the primary identifier
name      display name from the provider
avatar    avatar URL (gravatar for email logins)
provider  how they signed in: google, github, email, ...
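The two-step flow and the field list above, worked through on the relying-party side as an added example (not AuthCog's own SDK or code): it builds the step-1 URL, validates the `callback` parameter before forwarding it, performs the step-2 exchange, checks that all four listed fields are present, and starts a session under a fresh random id rather than reusing the hash. The injectable `fetch` parameter and the assumed hash alphabet in `HASH_RE` are my assumptions, not documented AuthCog behaviour.

```python
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

AUTH_BASE = "https://auth.authcog.com"
REQUIRED = ("email", "name", "avatar", "provider")  # fields the doc lists
# Assumed hash alphabet: only forward URL-safe characters, never arbitrary input
HASH_RE = re.compile(r"[A-Za-z0-9_-]{16,256}")

def login_url(domain, port=None):
    """Step 1: where to send the visitor; dev hosts append /port:N."""
    url = f"{AUTH_BASE}/domain:{domain}"
    return url if port is None else f"{url}/port:{port}"

def exchange_url(domain, callback_hash):
    """Step 2: the server-side exchange URL for a callback hash."""
    if not HASH_RE.fullmatch(callback_hash):
        raise ValueError("malformed callback hash")
    return f"{AUTH_BASE}/domain:{domain}?{urlencode({'user': callback_hash})}"

def _default_fetch(url):
    with urlopen(url, timeout=5) as resp:  # real transport, used outside tests
        return resp.read().decode("utf-8")

def exchange(domain, callback_hash, fetch=_default_fetch):
    """Redeem the single-use hash; reject payloads missing any listed field."""
    profile = json.loads(fetch(exchange_url(domain, callback_hash)))
    if not isinstance(profile, dict):
        raise ValueError("profile is not a JSON object")
    missing = [k for k in REQUIRED if not isinstance(profile.get(k), str) or not profile[k]]
    if missing:
        raise ValueError(f"profile missing fields: {missing}")
    return {k: profile[k] for k in REQUIRED}

def handle_callback(domain, request_url, sessions, fetch=_default_fetch):
    """Serve GET /authcog?callback=...: exchange server-side, then start our own
    session under a fresh random id (the hash itself is never used as a session)."""
    callback = parse_qs(urlparse(request_url).query).get("callback", [""])[0]
    profile = exchange(domain, callback, fetch)
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = profile
    return session_id
```

The hash is consumed by the exchange, so a replayed callback URL fails at step 2 rather than silently creating a second session.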

Local development

For local/dev hosts (localhost, *.lvh.me, raw IPs), pass the port as well:

GET https://auth.authcog.com/domain:my-app.lvh.me/port:8000

When the port is above 999, the callback is redirected back to your site over http; in every other case the callback uses https.