Sign in with Valyd

OAuth 2.0 and OpenID Connect with biometric verification baked in. The same flow your team already knows from "Sign in with Google" — except the human on the other end is provably real, alive, and credentialed.

Overview

Three integration paths, picked by what you already run:

| You run | Use | Setup time |
| --- | --- | --- |
| A consumer web/mobile app | OAuth 2.0 Authorization Code flow | ~30 min |
| An enterprise platform (Mendix, ServiceNow, Salesforce) | OIDC with auto-discovery | ~1 hour |
| An IdP (Entra, Okta) you want to layer Valyd on top of | Federation as an upstream IdP | ~2 hours |

OAuth 2.0 Authorization Code flow

The standard 3-legged OAuth dance. If you've integrated Sign in with Google, this is identical apart from the URLs.

1. Redirect the user to Valyd

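// Browser-side: send the user to Valyd's authorization endpoint.
function signInWithValyd() {
  const params = new URLSearchParams({
    client_id: "YOUR_CLIENT_ID",
    redirect_uri: "https://yourapp.com/auth/callback", // same value is passed again in step 2
    response_type: "code", // Authorization Code flow
    scope: "openid profile email license:nurse",
  });
  // Minimal request: no `state` parameter is sent. OAuth 2.0 recommends a random,
  // session-bound `state` that is checked on the callback to stop CSRF.
  window.location = `https://auth.valyd.id/authorize?${params}`;
}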

2. Handle the callback

Valyd redirects back to your redirect_uri with a one-time code. Exchange it for tokens server-side — never expose your client secret in the browser.

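// Server-side, inside your callback route handler (`req` is the incoming request).
const tokens = await valyd.auth.exchangeCode({
  code: req.query.code, // one-time authorization code from the redirect
  redirectUri: "https://yourapp.com/auth/callback",
});

// Verify the ID token before trusting any of its claims.
const user = await valyd.auth.verifyIdToken(tokens.id_token);

Authorization codes expire fast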

Codes are valid for 5 minutes and can only be exchanged once. Always exchange them server-side immediately after the callback.
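
The redirect in step 1 sends no state value, and the callback in step 2 passes req.query.code straight to the exchange. The following is an added example, not Valyd's SDK or code from this page, of a server-side state check that runs before the code exchange. It assumes Valyd's /authorize endpoint echoes the standard OAuth 2.0 state parameter; `session`, `buildAuthorizeUrl`, `checkCallback` and the 5-minute state lifetime are hypothetical choices.

```javascript
const crypto = require("node:crypto");

const AUTHORIZE_URL = "https://auth.valyd.id/authorize"; // from the page
const STATE_TTL_MS = 5 * 60 * 1000; // assumption: mirrors the 5-minute code lifetime

// Step 1, server-side: bind a random state to the user's session, then build the redirect URL.
// `session` is a hypothetical per-user, server-side session object.
function buildAuthorizeUrl(session, clientId, redirectUri, now = Date.now()) {
  const state = crypto.randomBytes(32).toString("base64url");
  session.oauthState = { value: state, issuedAt: now };
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid profile email",
    state,
  });
  return `${AUTHORIZE_URL}?${params}`;
}

// Step 2: decide whether a callback may proceed to the code exchange.
function checkCallback(session, query, now = Date.now()) {
  const pending = session.oauthState;
  delete session.oauthState; // single use: a replayed callback finds nothing to match
  if (!pending) return { ok: false, reason: "no_pending_sign_in" };
  if (typeof query.state !== "string") return { ok: false, reason: "missing_state" };
  const got = Buffer.from(query.state);
  const want = Buffer.from(pending.value);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (now - pending.issuedAt > STATE_TTL_MS) return { ok: false, reason: "state_expired" };
  // Express-style parsers turn ?code=a&code=b into an array; accept one non-empty string only.
  if (typeof query.code !== "string" || query.code === "") {
    return { ok: false, reason: "bad_code" };
  }
  return { ok: true, code: query.code };
}

// Constructed demo: one session, one genuine callback, then a replay of the same callback.
function demo() {
  const session = {};
  const url = new URL(buildAuthorizeUrl(session, "YOUR_CLIENT_ID", "https://yourapp.com/auth/callback"));
  const state = url.searchParams.get("state");
  const first = checkCallback(session, { code: "constructed-code", state });
  const replay = checkCallback(session, { code: "constructed-code", state });
  return { first, replay };
}
```

Only a result with `ok: true` should reach the code exchange; every other outcome ends the sign-in attempt and the user starts again from step 1.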

OIDC integration

For platforms with built-in OIDC support — Mendix, ServiceNow, Salesforce — point them at our discovery endpoint and they auto-configure everything.

GET https://auth.valyd.id/.well-known/openid-configuration

Manual configuration

issuer: https://auth.valyd.id
authorization_endpoint: https://auth.valyd.id/authorize
token_endpoint: https://auth.valyd.id/oauth/token
userinfo_endpoint: https://api.valyd.id/v1/userinfo
jwks_uri: https://auth.valyd.id/.well-known/jwks.json
id_token_signing_alg: RS256

Sessions and tokens

| Token | Lifetime | Purpose |
| --- | --- | --- |
| id_token | 15 minutes | Signed JWT with verified claims. Use to establish a session in your app. |
| access_token | 1 hour | Bearer token for calling Valyd APIs as the user. |
| refresh_token | 30 days | Used to obtain a new access token without re-prompting the user. |

Federation patterns

Valyd is designed to layer on top of an existing IdP, not replace it. Configure Valyd as a federated IdP in Entra or as a custom MFA factor in Okta. Standard logins flow through your primary IdP unchanged; sensitive workflows trigger a Valyd biometric challenge.

Quick reference

GET /authorize
POST /oauth/token
POST /oauth/refresh
GET /userinfo
