ZDX Auth

Get Started

Launch a customer app with ZDX Auth

Follow the production path from tenant setup to verified server-side access checks.

Why this exists

Cross-domain auth is where most implementations fail

You cannot reliably share cookies across domains. You cannot trust frontend state. Getting password login, one-time callback codes, server-side exchange, token verification, refresh, and revoke right takes real effort.

Many teams spend days or weeks trying to connect separate apps and auth domains correctly.

ZDX Auth gives you a working foundation immediately: your app sends credentials to ZDX Auth, exchanges one-time codes server-side, creates its own session, and verifies access through protected routes.

01

Create tenant

Organize customer apps, memberships, roles, client apps, API keys, and billing context under a tenant.

02

Create client app

Generate a client ID and secret. Store the secret server-side and never expose it in browser code.

03

Add redirect URI

Register the exact callback URL your app will use, such as https://app.example.com/auth/callback.

04

Start password login

POST user credentials to /api/auth/apps/[clientId]/login and send the user to the returned redirect_url.

05

Verify tokens server-side

Use server-to-server verification with AUTH_GATEWAY_SECRET before granting access in your application.

06

Go live

Check plan limits, token verification volume, refresh/revoke flows, and runtime logs before production launch.

Copy/paste login action

Start app password login

Your app posts email and password to ZDX Auth, then redirects to the callback URL returned by the login route.

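// Keep the state value so your callback handler can compare it with the one that comes back.
// "zdx_auth_state" is an example storage key, not a ZDX Auth name.
const state = crypto.randomUUID();
sessionStorage.setItem("zdx_auth_state", state);

const response = await fetch("https://auth.zerodrivex.com/api/auth/apps/YOUR_CLIENT_ID/login", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    email,
    password,
    redirect_uri: "https://your-app.com/auth/callback",
    origin: "https://your-app.com",
    state
  })
});

// Do not redirect on a failed login; an error response may not carry redirect_url.
if (!response.ok) {
  throw new Error(`Login failed with status ${response.status}`);
}

const { redirect_url } = await response.json();
window.location.href = redirect_url;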
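An added example (not ZDX Auth's own code) of the checks a callback handler can run before the server-side code exchange: an exact match against the registered redirect URI, the saved state value, and a single one-time code. The query parameter names `code` and `state` and the function name `validateCallback` are assumptions; this page does not document the callback format.

```javascript
// Added example: validate the login callback before exchanging the one-time code.
// Assumption: the callback carries "code" and "state" query parameters.
function validateCallback(callbackUrl, registeredRedirectUri, expectedState) {
  let url, registered;
  try {
    url = new URL(callbackUrl);
    registered = new URL(registeredRedirectUri);
  } catch {
    return { ok: false, reason: "malformed_url" };
  }

  // Exact match on origin and path, mirroring the exact redirect URI registration.
  if (url.origin !== registered.origin || url.pathname !== registered.pathname) {
    return { ok: false, reason: "redirect_uri_mismatch" };
  }

  // A repeated parameter is ambiguous, so reject it instead of picking one.
  const codes = url.searchParams.getAll("code");
  const states = url.searchParams.getAll("state");
  if (codes.length !== 1 || codes[0] === "") {
    return { ok: false, reason: "missing_or_duplicate_code" };
  }
  // Without a saved state there is nothing to compare against, so fail closed.
  if (states.length !== 1 || typeof expectedState !== "string" || expectedState === "") {
    return { ok: false, reason: "missing_state" };
  }
  if (states[0] !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }

  // Only now is the code handed to the server-side exchange.
  return { ok: true, code: codes[0] };
}

// Constructed sample values, not real codes or sessions.
const REGISTERED = "https://app.example.com/auth/callback";
const SAVED_STATE = "3f0c2a9e-constructed-state";
const samples = [
  `${REGISTERED}?code=abc123&state=${SAVED_STATE}`,
  `${REGISTERED}?code=abc123&state=other`,
  `https://app.example.com.other.test/auth/callback?code=abc123&state=${SAVED_STATE}`,
  `${REGISTERED}?code=a&code=b&state=${SAVED_STATE}`,
];
for (const s of samples) console.log(validateCallback(s, REGISTERED, SAVED_STATE));
```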

Copy/paste verify helper

Validate tokens from your server

Token verification is intentionally server-to-server and protected by the gateway secret.

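// Run this on your server only; AUTH_GATEWAY_SECRET must never reach browser code.
const verifyResponse = await fetch("https://auth.zerodrivex.com/api/auth/tokens/verify", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${process.env.AUTH_GATEWAY_SECRET}`
  },
  body: JSON.stringify({ token: accessToken })
});

// Fail closed: deny access on any non-2xx response, then inspect the returned body before granting access.
if (!verifyResponse.ok) {
  throw new Error(`Token verification failed with status ${verifyResponse.status}`);
}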

Want guided setup?

Use the onboarding assistant to review redirect URIs, origins, and password-login callback implementation.
