ZeroDriveX AuthStart Free

Developer Docs

Integrate ZeroDriveX Auth without sharing platform cookies

External apps use authorization codes, exchange them for tokens, and create their own local sessions. ZeroDriveX remains the identity and token authority.

Register a client app

Create a tenant client, store its generated secret safely, then configure exact redirect URIs and allowed origins.

Start login

POST credentials to /api/auth/apps/[clientId]/login and redirect the user to the returned callback URL.

Exchange code

POST the one-time authorization code to /api/oauth/token with the exact redirect_uri and client credentials.

Verify token

Call /api/auth/tokens/verify from your server using AUTH_GATEWAY_SECRET. Never verify privileged access in the browser.

Core flow

POST /api/auth/apps/[clientId]/login
GET  /client/auth/callback?code=...
POST /api/oauth/token
POST /api/auth/tokens/verify
POST /api/auth/tokens/refresh
POST /api/auth/tokens/revoke

Security defaults

  • Validate redirect URIs by exact string match; no prefix, wildcard, or trailing-path tolerance.
  • Validate the allowed origin of every browser-started login.
  • Store refresh tokens and client secrets only as hashes, never in plaintext.
  • Verify signature, issuer, audience, exp, jti, that the token record still exists in the database, and revocation state.

Next step

Use the developer guide for a step-by-step production launch path.

Open Developer Guide