Simple, Drop-in Passwordless Authentication

One magic link.
No passwords.

Signonix converts unknown visitors into verified users with a single click.
Simple, fast, and safe.

A. Drop‑in (Frontend‑only)

We redirect back with an authenticated identifier in the URL fragment (#sx_assert=… for signed, or #sx_email=… in plain mode) and our tiny SDK reads it and caches it for your page. No server work needed.

<script src="/lite.js" defer></script>
<script>
(async () => {
  await window.Signonix.ready;                 // consumes #sx_* and sets a short‑lived cookie
  const email = window.Signonix.getEmail();    // "michael@weberai.com" if recently authenticated
  if (email) document.body.classList.add('authed');
  // gate UI or personalize:
  document.getElementById('who')?.append(email ?? 'guest');
})();
</script>
              

Great for gating pages, personalizing, or soft sign‑ins.

B. Backend (Token Exchange)

After login, we redirect back with a short‑lived #signonix=<ticket>. Your server POSTs that ticket to /auth/exchange to receive a signed assertion JWT, verifies it, and sets your own session.

// Frontend: grab the ticket and send to your backend (run inside a module script or async function)
const t = new URLSearchParams(location.hash.slice(1)).get('signonix');
if (t) {
  await fetch('/api/session/start', {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ ticket: t })
  });
}

// Backend: redeem the ticket (Node/Express-ish; assumes a JSON body parser is installed)
app.post('/api/session/start', async (req, res) => {
  const ticket = req.body?.ticket;
  if (typeof ticket !== 'string' || !ticket) return res.status(400).json({ ok: false });
  const r = await fetch('https://signonix.com/auth/exchange', {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ ticket })
  });
  if (!r.ok) return res.status(401).json({ ok: false }); // exchange failed: do not start a session
  const j = await r.json(); // { assertion_jwt, email, tenant, iat }
  // Option 1: let Signonix validate for you:
  // const v = await fetch('https://signonix.com/auth/assert/validate', { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify({ assertion: j.assertion_jwt }) }).then(r=>r.json());
  // Option 2: verify Ed25519 JWT using our JWKS at /.well-known/jwks.json
  // After verifying, set your own session cookie…
  res.json({ ok: true });
});

Best for durable sessions, API auth, and multi‑app SSO.
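
Option 2 from the backend snippet, as an added example (not Signonix's own code): verifying an Ed25519 assertion JWT against a JWKS with Node's built-in crypto, then checking tenant and freshness before a session is set. It assumes the JWT payload carries the email, tenant and iat fields shown in the exchange response; the key pair, the kid "demo-1" and the token are constructed for the demo, and in production the JWKS would be fetched from /.well-known/jwks.json.

```javascript
const crypto = require('node:crypto');

const b64uJson = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify a compact Ed25519 (alg "EdDSA") JWT against a JWKS object.
// Returns the claims on success and throws on any failure.
// maxAgeSec and the 60 s clock-skew allowance are assumed values, not Signonix's.
function verifyAssertion(jwt, jwks, { tenant, maxAgeSec = 300, now = Date.now() / 1000 }) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64uJson(h);
  // Pin the algorithm; never let the token choose it ("none", HS256, ...).
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) =>
    k.kty === 'OKP' && k.crv === 'Ed25519' && (!header.kid || k.kid === header.kid));
  if (!jwk) throw new Error('no matching key');
  const key = crypto.createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: jwk.x }, format: 'jwk' });
  // Ed25519 hashes internally, so the digest argument is null.
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = b64uJson(p); // read claims only after the signature checks out
  if (!tenant || claims.tenant !== tenant) throw new Error('wrong tenant');
  if (typeof claims.iat !== 'number' || claims.iat > now + 60 || now - claims.iat > maxAgeSec) {
    throw new Error('stale or future-dated token');
  }
  if (typeof claims.email !== 'string' || !claims.email) throw new Error('missing email');
  return claims;
}

// --- Constructed demo data: a throwaway key pair stands in for the service's key ---
const demo = crypto.generateKeyPairSync('ed25519');
const demoJwks = { keys: [{ ...demo.publicKey.export({ format: 'jwk' }), kid: 'demo-1' }] };
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function signDemo(header, claims) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign(null, Buffer.from(input), demo.privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

const demoNow = Math.floor(Date.now() / 1000);
const good = signDemo({ alg: 'EdDSA', kid: 'demo-1' },
  { email: 'user@example.com', tenant: 'default', iat: demoNow });
console.log(verifyAssertion(good, demoJwks, { tenant: 'default' }).email);
```

Use the email from the returned claims, not the unsigned email field of the exchange response, when you create your own session.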

Quick start — Link to hosted sign‑in

<a href="/login.html?tenant=default&return=https://your-site.com/account">Sign in</a>
              
  • Drop‑in: include /lite.js and call Signonix.getEmail() after redirect.
  • Backend: read #signonix ticket and POST to /auth/exchange from your server.

Visual flow

[Figure: Signonix flow preview (login → email → return)]

Allow‑list return domains per tenant for safety.

Under the hood

1. Login at /login.html (email + code). We set a secure session cookie.

2. Return to your site either with #sx_assert/#sx_email (drop‑in) or a #signonix ticket (exchange).

3. Verify: frontend SDK reads the identifier, or your backend redeems & verifies the assertion JWT.