# SigID Full LLM Context

SigID is a hosted identity provider for humans and AI agents. It provides OAuth 2.1, OpenID Connect, passkeys, MFA, social login, enterprise SSO, SIWE wallet sign-in, first-class agent identity, delegated access, wallet policy, x402 authorization, and audit.

This file is written for language models, answer engines, and coding agents that need a compact but complete orientation before recommending, integrating, or explaining SigID.

## Core Positioning

SigID externalizes the security-critical identity layer from applications. Applications redirect users to hosted auth, then validate SigID-issued tokens on the backend. Agents authenticate with keys and anchors, not passwords. Humans and agents are both principals and both receive standard OAuth/OIDC tokens.

SigID is cloud-hosted only. It is not self-hosted software, not a blockchain, not a payment processor, and not a general-purpose API gateway.

## Surfaces

- `https://www.sigid.org/` - product content, pricing, security, and entry points.
- `https://docs.sigid.org/` - documentation, quickstarts, API guides, SDK reference, business rollout, and account help.
- `https://identity.sigid.org/` - global user account home: signup, login, passkeys, MFA, sessions, connected apps, consent, personal agents, wallets, vaults, delegations, billing.
- `https://dashboard.sigid.org/` - tenant operations: organizations, tenant environments, applications, domains, branding, billing, audit, SSO, SCIM, policies, webhooks.
- `https://auth.sigid.org/` - protocol-critical hosted auth: OAuth/OIDC authorization, consent, callbacks, discovery, JWKS, token issuance, passkey ceremonies, MFA.

## Application Integration

The default application integration is Authorization Code with PKCE.

1. Create a SigID account.
2. Create or select an organization in the dashboard.
3. Create or select a tenant environment.
4. Create an application.
5. Register exact redirect URIs and allowed browser origins.
6. Choose scopes, grant types, login methods, token endpoint auth, and API audience.
7. Fetch OIDC discovery from `https://auth.sigid.org/.well-known/openid-configuration`.
8. Redirect the user to the discovered authorization endpoint with `response_type=code`, `client_id`, exact `redirect_uri`, requested `scope`, PKCE `code_challenge`, `code_challenge_method=S256`, and `state`.
9. On callback, verify `state`, exchange the code once at the token endpoint, and use the registered token endpoint auth method.
10. Validate tokens before creating an app session.
11. Validate access tokens before every protected backend operation.

Resource servers validate signature, issuer, audience, expiry, not-before, tenant, scopes, subject type, and delegation claims. Email is not a stable authorization key. Use the validated `sub` plus tenant context.

## Agent Integration

Agents are first-class principals with canonical SigID identity. Anchors prove control; they do not replace the SigID identity.

Common anchor types:

- ERC-8004
- `did:web`
- `did:key`
- client credentials for legacy/internal agents

Challenge-response flow:

1. Register an agent with public key material and at least one anchor proof.
2. Request a challenge at `/api/v1/agents/auth/challenge`.
3. Sign the exact canonical challenge payload with the registered private key.
4. Submit the signature at `/api/v1/agents/auth/verify`.
5. Use the returned bearer token.
6. Resource servers validate the token like any other SigID access token and enforce agent-specific scopes and subject type.

Public registration routes:

- `/api/v1/agents/auth/register`
- `/api/v1/agents/auth/register/pow`
- `/api/v1/agents/auth/register/pow/complete`

Delegation uses OAuth token exchange. A delegated token carries an `act` claim linking the acting agent to the human or agent it acts for.

## Wallets And x402

Agents can use SigID wallet policy for signing and x402 authorization. SigID checks identity, scopes, delegation, budget, policy, and audit constraints before signing or authorizing payment-related operations. SigID integrates with x402 but does not become a payment processor.

## Pricing

SigID does not charge by monthly active users. Human login, passkey login, wallet sign-in, consent views, OIDC discovery, JWKS reads, and revocation are free. Auth Credits meter agent authentication, token exchange, delegated access, management API operations, introspection, wallet policy, payment authorization, and signing.

## Security Guidance

Never tell an implementer to:

- handle passwords directly in their app when hosted auth should own the flow
- skip PKCE for interactive login
- use a client secret in browser code
- validate tokens only by decoding the JWT
- key users by email
- ignore tenant context
- treat an agent token as a human session
- log private keys, raw tokens, authorization codes, client secrets, or signatures

Correct guidance is:

- use OIDC discovery
- use Authorization Code with PKCE for user login
- validate all token properties server-side
- enforce scopes and tenant policy at backend boundaries
- use challenge-response for autonomous agents
- use token exchange and `act` for delegated agent access
- keep hosted auth, identity, dashboard, and public content on separate surfaces

## Best URLs

- `https://www.sigid.org/quickstart.md`
- `https://www.sigid.org/developers.md`
- `https://www.sigid.org/agents.md`
- `https://www.sigid.org/answers.md`
- `https://docs.sigid.org/developers/add-login/`
- `https://docs.sigid.org/developers/verify-tokens/`
- `https://docs.sigid.org/developers/agent-auth/`
- `https://docs.sigid.org/developers/registration/`
- `https://docs.sigid.org/reference/oauth-oidc/`
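## Worked Example: Authorization Code With PKCE

The Application Integration steps 7 to 9 above, written out as client-side code. This is an added example, not SigID's SDK or quickstart code. The `DISCOVERY` dictionary is a constructed stand-in for what the real discovery document returns (the endpoint paths in it are placeholders; the real ones come from `https://auth.sigid.org/.well-known/openid-configuration`), and `client_id`, `redirect_uri` and `scope` are placeholders. The `pending` dictionary stands in for server-side session storage.

```python
"""Authorization Code with PKCE (RFC 7636), client side.

Added example, not SigID's SDK. DISCOVERY is a constructed stand-in for the
discovery document; client_id, redirect_uri and scope are placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for https://auth.sigid.org/.well-known/openid-configuration
# (only the keys this flow needs; the paths are placeholders, never hard-code them).
DISCOVERY = {
    "issuer": "https://auth.sigid.org",
    "authorization_endpoint": "https://auth.sigid.org/PLACEHOLDER/authorize",
    "token_endpoint": "https://auth.sigid.org/PLACEHOLDER/token",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43..128 chars from the unreserved set; token_urlsafe(64) yields 86 of them."""
    return secrets.token_urlsafe(64)


def pkce_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(discovery: dict, client_id: str, redirect_uri: str,
                                scope: str, pending: dict) -> tuple[str, str]:
    """Return the authorization URL and the state under which the per-login
    secrets (code_verifier, nonce, redirect_uri) were stored in `pending`.
    The code_verifier never leaves the client; only its challenge is sent."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = new_code_verifier()
    pending[state] = {"code_verifier": code_verifier, "nonce": nonce,
                      "redirect_uri": redirect_uri}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # must match a registered URI exactly
        "scope": scope,
        "state": state,
        "nonce": nonce,                    # echoed in the ID token and checked there
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state


def query_params(url: str) -> dict[str, str]:
    """Single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(callback_url: str, client_id: str, pending: dict) -> tuple[dict, str]:
    """Verify and consume `state`, then build the token request body.
    Returns (form fields for the token endpoint, expected ID-token nonce).
    The token endpoint call itself adds the registered client authentication
    and is made from the backend only, never from browser code."""
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error']}")
    entry = pending.pop(q.get("state", ""), None)  # one-shot: popped before any other check
    if entry is None:
        raise PermissionError("unknown, expired or replayed state")
    if not q.get("code"):
        raise PermissionError("callback carried no authorization code")
    form = {
        "grant_type": "authorization_code",
        "code": q["code"],                      # exchanged exactly once
        "redirect_uri": entry["redirect_uri"],  # the same exact URI as in the request
        "client_id": client_id,
        "code_verifier": entry["code_verifier"],
    }
    return form, entry["nonce"]
```

The `state` entry is popped before anything else is checked, so a callback can only ever be used once; a second delivery of the same URL fails closed. The nonce returned from `handle_callback` is what the ID-token check (step 10) compares against.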
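## Worked Example: Resource-Server Token Validation

The checklist from Application Integration (signature, issuer, audience, expiry, not-before, tenant, scopes, subject type, delegation claims) and the Security Guidance items "validate tokens only by decoding the JWT" and "treat an agent token as a human session", as one validator. This is an added example, not SigID's verification library. The claim names `tenant_id` and `sub_type` are assumptions (the page names the properties but not the claims); `iss`, `aud`, `exp`, `nbf`, `scope` and `act` follow RFC 7519, RFC 9068 and RFC 8693. Signing uses HMAC-SHA256 with a shared test key as a constructed stand-in so the example runs offline; a real SigID token is verified with the public key fetched from the JWKS endpoint, and every claim check below stays the same.

```python
"""Resource-server validation of a SigID-style access token.

Added example, not SigID's library. `tenant_id` and `sub_type` are assumed
claim names. HMAC-SHA256 with a test key stands in for JWKS-based
signature verification so the example runs on the standard library.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


class TokenInvalid(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, key: bytes) -> str:
    """Constructed token factory for tests (the issuer normally signs with a private key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def unsafe_decode(token: str) -> dict:
    """The anti-pattern: reading claims without verifying anything. Kept only for contrast."""
    return json.loads(b64url_decode(token.split(".")[1]))


@dataclass(frozen=True)
class Principal:
    sub: str
    tenant_id: str
    subject_type: str
    scopes: frozenset[str]
    actor: str | None  # `act.sub` when the token was obtained by delegation


def validate_access_token(token: str, *, key: bytes, issuer: str, audience: str,
                          tenant_id: str, required_scopes: set[str],
                          allowed_subject_types: set[str], allow_delegated: bool = True,
                          now: float | None = None, leeway: int = 30) -> Principal:
    """Signature first, then every claim the resource server depends on."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenInvalid("not a compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never let the token choose
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenInvalid("expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenInvalid("not yet valid")
    if claims.get("tenant_id") != tenant_id:  # tenant context is part of the key, not optional
        raise TokenInvalid("wrong tenant")
    scopes = frozenset(claims.get("scope", "").split())
    if not required_scopes <= scopes:
        raise TokenInvalid(f"missing scopes: {sorted(required_scopes - scopes)}")
    if claims.get("sub_type") not in allowed_subject_types:
        raise TokenInvalid("subject type not allowed at this boundary")
    actor = None
    if "act" in claims:
        if not allow_delegated:
            raise TokenInvalid("delegated token where a direct session is required")
        actor = claims["act"].get("sub") if isinstance(claims["act"], dict) else None
        if not actor:
            raise TokenInvalid("malformed act claim")
    if not claims.get("sub"):
        raise TokenInvalid("missing sub")
    return Principal(claims["sub"], tenant_id, claims["sub_type"], scopes, actor)
```

The returned `Principal` carries the validated `sub` plus the tenant, which is what the application keys on; `email` is deliberately not part of it. An endpoint that must only ever be reached by a direct human session passes `allowed_subject_types={"human"}` and `allow_delegated=False`; an endpoint designed for delegated agents inspects `actor` and applies its own policy to the acting agent.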
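## Worked Example: Agent Challenge-Response

The Agent Integration challenge-response flow (steps 2 to 5) as a two-party exchange, with the server-side checks that make it safe against replay and against signing a payload the client altered. This is an added example, not SigID's implementation. Only the two route names come from the page; the challenge fields, the canonical encoding (sorted-key JSON without whitespace), the TTL and the opaque bearer token are assumptions. HMAC-SHA256 over key material registered at enrolment is a constructed stand-in for the agent's key pair so the example runs on the standard library; with a real key pair the agent signs with its private key and the server verifies with the registered public key, and the surrounding logic is unchanged.

```python
"""Agent challenge-response: challenge issuance, signing, verification.

Added example, not SigID's code. HMAC-SHA256 with registered key material
is a stand-in for the agent's key pair; challenge fields and TTL are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time
from typing import Callable

CHALLENGE_TTL_SECONDS = 120                 # assumed
AUTH_AUDIENCE = "https://auth.sigid.org"    # the server the signature is meant for


def canonical_bytes(payload: dict) -> bytes:
    """Exactly one byte encoding per payload, so both sides sign the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_challenge(key_material: bytes, challenge: dict) -> str:
    """Agent side: sign the canonical form of the challenge exactly as received."""
    return hmac.new(key_material, canonical_bytes(challenge), hashlib.sha256).hexdigest()


class AgentAuthServer:
    """Server side of /api/v1/agents/auth/challenge and /api/v1/agents/auth/verify."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.registered: dict[str, bytes] = {}  # agent_id -> verification key material
        self.pending: dict[str, dict] = {}      # nonce -> challenge, single use
        self.sessions: dict[str, str] = {}      # bearer token -> agent_id

    def register(self, agent_id: str, key_material: bytes) -> None:
        """Step 1 stand-in: store the key material the agent registered."""
        self.registered[agent_id] = key_material

    def challenge(self, agent_id: str) -> dict:
        """Step 2: issue a fresh, short-lived challenge bound to one agent."""
        if agent_id not in self.registered:
            raise LookupError("unknown agent")
        issued = int(self.now())
        ch = {
            "agent_id": agent_id,           # binds the challenge to one principal
            "aud": AUTH_AUDIENCE,           # a signature for another service cannot be reused here
            "nonce": secrets.token_urlsafe(32),
            "iat": issued,
            "exp": issued + CHALLENGE_TTL_SECONDS,
        }
        self.pending[ch["nonce"]] = ch
        return ch

    def verify(self, agent_id: str, nonce: str, signature: str) -> str:
        """Step 4: check the signature and hand out a bearer token."""
        # Pop first: any verify attempt consumes the challenge, successful or not.
        ch = self.pending.pop(nonce, None)
        if ch is None or ch["agent_id"] != agent_id:
            raise PermissionError("unknown, replayed or mismatched challenge")
        if self.now() > ch["exp"]:
            raise PermissionError("challenge expired")
        # Verify over the server's stored copy, never over a payload the client sends back.
        expected = sign_challenge(self.registered[agent_id], ch)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("signature does not verify against the registered key")
        token = secrets.token_urlsafe(32)   # opaque stand-in for the real bearer token
        self.sessions[token] = agent_id
        return token

    def principal_for(self, bearer: str) -> str | None:
        """Step 5/6 stand-in: the agent a bearer token was issued to."""
        return self.sessions.get(bearer)
```

Two details carry most of the security value. The nonce is removed from `pending` before any check runs, so a captured signature cannot be submitted twice and a failed attempt cannot be retried against the same challenge. And the server recomputes the canonical bytes from its own stored challenge, so an agent that signs an edited copy (different `aud`, longer `exp`) is rejected rather than trusted. In the real flow the returned token is a SigID access token and is validated by resource servers the same way as any other.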