Authentiq8 Me Integration Guide

Secure OAuth 2.0 and OpenID Connect (OIDC) integration for your custom website

Overview

This document explains how to integrate Authentiq8 Me as a login provider for your custom website using the OAuth 2.0 authorization code flow with OpenID Connect (OIDC). Users authenticate via Authentiq8 Me and your website receives an ID token containing verified user details, without ever handling passwords.

Key Benefits

  • No passwords to store or manage
  • Biometric protection via the Authentiq8 Me app
  • OpenID Connect compliant → works with many existing tools
  • Future-ready for SSO and MFA integrations

Integration Steps

1. Register Your Website or App as a Client

Log in to your Authentiq8 Me control panel to register your website as an OAuth client. You'll receive the following credentials:

  • Client ID (e.g. fd9727a6-f5c8-a7fe-9ca9-82118e841031)
  • Client Secret (keep this secure: store it server-side in an environment variable or secrets manager, never in your repository or front-end code)
  • Allowed Redirect URI(s) (e.g. https://yoursite.com/oauth/callback.php)

Pro Tip

Make sure your redirect URIs are exact matches. Even a trailing slash can cause authentication to fail.

2. Construct the Authorization URL

When the user clicks "Login with Authentiq8 Me," redirect them to Authentiq8 Me's authorization endpoint:

Endpoint: https://api.authentiq8.me/oauth/authorize.php

  Parameter      Example                       Notes
  client_id      your client ID                From registration
  response_type  code                          Required for the authorization code flow
  scope          openid email profile phone    Only request data you truly need
  redirect_uri   your callback URL             Must exactly match what's registered
  state          random string                 CSRF protection (see Security Note below)

Example URL:

https://api.authentiq8.me/oauth/authorize.php?
  client_id=fd9727a6-f5c8-a7fe-9ca9-82118e841031&
  response_type=code&
  scope=openid%20email%20profile%20phone&
  redirect_uri=https%3A%2F%2Fyoursite.com%2Foauth%2Fcallback.php&
  state=xyzABC123

Security Note

Always include the state parameter to prevent CSRF attacks on the login flow. Generate a unique, unpredictable value (at least 128 bits from a cryptographically secure random source) for each request, store it in the user's server-side session, and reject any callback whose state does not match the stored value.

Scope Best Practices

Only request the scopes you absolutely need. More scopes may lead to lower user consent rates.

3. User Authenticates

The user completes the following authentication flow:

  1. Email entry: the user enters their email address
  2. Push notification: the user receives a push notification from Authentiq8 Me
  3. Biometric approval: the user approves the login via biometrics or PIN

After successful authentication, Authentiq8 Me redirects the user back to your specified callback URL with an authorization code:

https://yoursite.com/oauth/callback.php?code=XXXX&state=xyzABC123

Mobile Experience

If the user has the Authentiq8 Me app installed on their device, they'll be seamlessly redirected to the app for authentication.

Code Expiry

The authorization code is short-lived (typically 5-10 minutes) and, as in any OAuth 2.0 flow, valid for a single exchange. Your backend should verify the state value first, then exchange the code for tokens immediately; an expired or already-used code will be rejected.
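
The redirect in step 2 and the callback handling in step 3, as an added Python example (not Authentiq8 Me's own code; the guide's own samples are PHP). The endpoint, parameters and callback URL are taken from the guide. The session argument (a server-side, dict-like session), the function and exception names, the state lifetime and the handling of a standard OAuth error parameter (which the guide does not document for this provider) are assumptions of this example.

```python
"""Start an Authentiq8 Me login and check the callback before touching the code.
Added example; session handling, names and STATE_TTL_SECONDS are assumptions."""

import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.authentiq8.me/oauth/authorize.php"
CLIENT_ID = "fd9727a6-f5c8-a7fe-9ca9-82118e841031"
REDIRECT_URI = "https://yoursite.com/oauth/callback.php"  # must match the registered URI exactly
SCOPES = "openid email"      # the guide's full example also asks for profile and phone; request only what you need
STATE_TTL_SECONDS = 600      # assumed: a pending login older than the code lifetime is abandoned


class OAuthError(Exception):
    """The callback cannot be trusted. Show the user a generic login error, never the detail."""


def build_authorization_url(session: dict) -> str:
    """Generate an unpredictable state, bind it to this browser session, and build the redirect."""
    state = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    session["oauth_state_issued"] = int(time.time())
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": SCOPES,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(session: dict, callback_url: str, now: Optional[int] = None) -> str:
    """Validate the callback and return the authorization code.

    Order of checks: a pending, unexpired state exists for this session; the state
    matches (constant-time compare); the provider did not report an error; a code
    is present. The stored state is consumed, so a callback can be replayed only once.
    """
    now = int(time.time()) if now is None else now
    query = parse_qs(urlsplit(callback_url).query)

    expected = session.pop("oauth_state", None)
    issued = session.pop("oauth_state_issued", 0)
    if expected is None or now - issued > STATE_TTL_SECONDS:
        raise OAuthError("no pending login for this session")

    received = query.get("state", [""])[0]
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        raise OAuthError("state mismatch: possible CSRF or a callback for another session")

    if "error" in query:  # RFC 6749 error response (e.g. access_denied); format assumed, not from the guide
        raise OAuthError("provider returned " + query["error"][0])

    code = query.get("code", [""])[0]
    if not code:
        raise OAuthError("callback carried no authorization code")
    return code
```

Only after parse_callback returns should the backend perform the server-to-server exchange of step 4; the state check is what ties the code to the browser that started the login.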

4. Exchange the Code for Tokens

Your backend now makes a POST request (form-encoded) to the token endpoint to exchange the authorization code for tokens:

Endpoint: https://api.authentiq8.me/oauth/token.php

  Parameter      Value
  client_id      your client ID
  client_secret  your client secret
  code           the authorization code from step 3
  redirect_uri   must match the one used in step 2

Example PHP request (run inside callback.php, after the state check has passed):

<?php
// Exchange the one-time authorization code for tokens, server-to-server.

$url = 'https://api.authentiq8.me/oauth/token.php';

$data = [
    'client_id'     => 'fd9727a6-f5c8-a7fe-9ca9-82118e841031',
    'client_secret' => getenv('AUTHENTIQ8_CLIENT_SECRET'), // never hard-code the secret
    'code'          => $_GET['code'] ?? '',                 // the code from step 3
    'redirect_uri'  => 'https://yoursite.com/oauth/callback.php'
];

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // the default; keep it that way
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$response = curl_exec($ch);
$status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error    = curl_error($ch);
curl_close($ch);

if ($response === false || $status !== 200) {
    error_log("Token exchange failed: HTTP $status $error");
    http_response_code(502);
    exit('Login failed');
}

$tokens = json_decode($response, true);
if (!is_array($tokens) || empty($tokens['id_token'])) {
    http_response_code(502);
    exit('Login failed');
}

// Do not echo the raw response: it contains bearer tokens.
// Hand $tokens['id_token'] to the validation step (step 5).

Example response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Critical Security

This step must be performed server-to-server. Never include your client_secret in client-side code or expose it to end users.

Token Types

  • ID Token: Contains user claims (JWT)
  • Access Token: For API calls (if needed)

5. Validate and Decode the ID Token

The ID Token is a JWT signed with RS256. Before trusting any claim in it, you must validate:

  • Signature: verify using Authentiq8 Me's public keys from the JWKS endpoint below, accepting only the RS256 algorithm (reject a token whose header names none or an HMAC algorithm, whatever it claims)
  • Audience: the aud claim must match your client_id
  • Issuer: the iss claim must match https://api.authentiq8.me/oauth exactly
  • Expiration: the token must not be expired (exp claim, allowing at most a small clock-skew tolerance)

Authentiq8 Me JWKS endpoint for public keys:

https://api.authentiq8.me/oauth/.well-known/jwks.php

Example decoded ID Token payload:

{
  "sub": "2aed8987-d590-861d-cf52-92d95d115986",
  "email": "joe@aq8.me",
  "name": "Joe Styles",
  "iat": 1751031077,
  "exp": 1751034677,
  "iss": "https://api.authentiq8.me/oauth"
}

Validation Libraries

Use an established JWT library for your programming language to handle validation, and configure it to accept only RS256 and to check the issuer and audience above:

  • PHP: firebase/php-jwt
  • JavaScript: jsonwebtoken
  • Java: jjwt
  • Python: PyJWT
  • .NET: System.IdentityModel.Tokens.Jwt
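
The checks listed in this step, carried out in full as an added Python example (not Authentiq8 Me's own code, and not a substitute for a maintained JWT library in production). The RSA signature check is written out with the standard library so the example runs offline and makes each check explicit. The issuer, client_id and RS256 are from the guide; the JWKS document is assumed to be the standard RFC 7517 form ({"keys": [{"kty": "RSA", "kid": ..., "n": ..., "e": ...}]}) fetched from the JWKS endpoint above, and the function names and the clock-skew tolerance are assumptions of this example.

```python
"""Validate an Authentiq8 Me ID token: RS256 signature via JWKS, issuer, audience, expiry.
Added example; JWKS shape, CLOCK_SKEW_SECONDS and function names are assumptions."""

import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://api.authentiq8.me/oauth"
CLIENT_ID = "fd9727a6-f5c8-a7fe-9ca9-82118e841031"
CLOCK_SKEW_SECONDS = 60  # assumed tolerance for clock drift between your server and the provider

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class InvalidToken(Exception):
    """Any failed check: treat the login as failed and do not read the claims."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rsa_pkcs1v15_sha256_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification written out (RFC 8017, 8.2.2); this is what RS256 means."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def select_rsa_key(jwks: dict, kid: Optional[str]) -> dict:
    """Pick the signing key: by kid when the header carries one, otherwise the only RSA key."""
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA"]
    if kid is not None:
        keys = [k for k in keys if k.get("kid") == kid]
    if len(keys) != 1:
        raise InvalidToken("no unique RSA key for kid %r in JWKS" % kid)
    return keys[0]


def verify_id_token(id_token: str, jwks: dict, now: Optional[int] = None) -> dict:
    """Return the verified claims of an ID token, or raise InvalidToken."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("malformed JWT")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed JWT")

    # 1. Algorithm: pin RS256. The token must not choose (alg=none / HS256 key confusion).
    if header.get("alg") != "RS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))

    # 2. Signature over header.payload with the provider's public key from the JWKS.
    key = select_rsa_key(jwks, header.get("kid"))
    n = int.from_bytes(b64url_decode(key.get("n", "")), "big")
    e = int.from_bytes(b64url_decode(key.get("e", "")), "big")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if not rsa_pkcs1v15_sha256_verify(n, e, signing_input, signature):
        raise InvalidToken("signature does not verify")

    # 3. Issuer must be exactly the value from the guide.
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer %r" % claims.get("iss"))

    # 4. Audience must contain our client_id (aud may be a string or a list).
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token was not issued for this client")

    # 5. Time checks: not expired and not issued in the future, with a small skew allowance.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        raise InvalidToken("token expired")
    if isinstance(iat, int) and iat > now + CLOCK_SKEW_SECONDS:
        raise InvalidToken("token issued in the future")

    # 6. A subject is required to map the user (step 6).
    if not claims.get("sub"):
        raise InvalidToken("missing sub")
    return claims
```

The order matters: the algorithm is pinned before any key is looked up, and the signature is checked before any claim is read, so a forged or tampered payload never influences the issuer, audience or expiry decisions.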

6. Use the User Data

After successful validation, you can use the claims from the ID token to:

  • Log the user in: create a session for the authenticated user
  • Create a new account: if this is the user's first login
  • Store claims: save the user data you need (e.g. email, name)

User Matching

The sub claim is the stable unique identifier for the user. Match new and returning users by sub rather than email, as emails can change; keying accounts on email would split a user who changes address into two accounts.

Email Verification

The email in the ID token has already been verified by Authentiq8 Me, so you do not need to send your own verification email. It identifies a mailbox, not the account: keep sub as the account key and treat email as a mutable attribute.

7. Handle Partial Consent

Users may decline to share some requested information. Your application should handle these cases gracefully:

  • Declined claims may be omitted from the ID token or set as null
  • Implement null checks for all claims your application depends on
  • Provide alternative flows for users who decline essential information

Never deny access solely because optional claims are missing. Only enforce requirements for truly essential data.

Privacy Considerations

Respect user privacy by only requesting data you absolutely need and clearly explaining why each piece of information is required.

Progressive Profiling

Consider collecting non-essential user data later in your application flow rather than at initial login.
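
Steps 6 and 7 together, as an added Python example (not Authentiq8 Me's own code): mapping verified claims to a local account by sub, tolerating claims the user declined, and leaving the gaps for progressive profiling. The in-memory store, the User class, the session dict and the function names are assumptions of this example; only call login_from_claims with claims that passed the validation in step 5.

```python
"""Find-or-create the local account by sub and handle declined claims.
Added example; UserStore, User and the session dict stand in for your own database and session layer."""

from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIRED_CLAIMS = ("sub",)            # login depends on nothing else
OPTIONAL_CLAIMS = ("email", "name")   # may be absent or null when the user declines them


class MissingEssentialClaim(Exception):
    """Raised only when a claim the application truly cannot work without is missing."""


@dataclass
class User:
    id: int
    sub: str                          # Authentiq8 Me subject: the account key
    email: Optional[str] = None
    name: Optional[str] = None


class UserStore:
    """Stand-in for your users table; the real one needs a unique index on sub."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}  # keyed by sub, never by email

    def find_by_sub(self, sub: str) -> Optional[User]:
        return self._users.get(sub)

    def create(self, sub: str) -> User:
        user = User(id=len(self._users) + 1, sub=sub)
        self._users[sub] = user
        return user

    def count(self) -> int:
        return len(self._users)


def login_from_claims(store: UserStore, session: dict, claims: dict) -> User:
    """Map verified ID-token claims to a local account and an authenticated session."""
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            raise MissingEssentialClaim(name)

    # Returning users are recognised by sub even if their email changed (step 6).
    user = store.find_by_sub(claims["sub"]) or store.create(claims["sub"])

    # Declined claims arrive missing or null (step 7). Copy only real values, so a
    # later partial-consent login does not erase data the user shared before.
    for name in OPTIONAL_CLAIMS:
        value = claims.get(name)
        if value:
            setattr(user, name, value)

    session.clear()                   # drop pre-login state (e.g. leftover oauth_state)
    session["user_id"] = user.id
    return user


def missing_profile_fields(user: User) -> List[str]:
    """Fields to ask for later in the product (progressive profiling), not at login."""
    return [name for name in OPTIONAL_CLAIMS if not getattr(user, name)]
```

A user who declines everything except the identity still gets an account and a session; what they declined is reported by missing_profile_fields so the application can ask for it in context later rather than refusing the login.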

Security & Compliance

Must Do

  • Always validate the ID token signature, accepting only the RS256 algorithm
  • Always verify the issuer, audience and expiry of the ID token, not just its signature
  • Always verify the state value matches your original request before exchanging the code
  • Use HTTPS for all endpoints
  • Limit scopes to only what your site truly needs

Avoid

  • Storing client_secret in client-side code
  • Using insecure redirect URIs (http:// or wildcards)
  • Requesting unnecessary user data
  • Assuming all requested claims will be provided

Example Workflow

  1. User clicks "Login with Authentiq8 Me": your website generates a state value and initiates the flow
  2. Redirect to authorization endpoint: user is sent to Authentiq8 Me
  3. User approves via app: using biometrics or PIN
  4. Authentiq8 Me redirects back with code: to your callback URL, where you check state
  5. Exchange code for id_token: server-to-server request
  6. Validate and decode token → log user in: create session keyed on sub

Need Help?

Email Support

Get help from our technical team

support@authentiq8.me