Unified identity

Identity and Login

Public boundary for TokenDance ID as the shared identity provider.

Unified login target

TokenDance ID is the identity authority for the TokenDance product family. GitHub, Google, Feishu/Lark, and other third-party providers are owned by TokenDance ID; products consume TokenDance ID OIDC.

Recommended login flow

  • Browser products use Authorization Code + PKCE.
  • Server-side token consumers must validate the issuer, audience, signature, expiry, and JWKS key id (kid) of every token before trusting any claim in it.
  • Static websites keep only low-risk profile personalization and do not store access tokens, ID tokens, or refresh tokens.
  • Product backends may issue their own product sessions and enforce roles, resources, and actions locally.
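The server-side validation step above, as an added Go example that is not TokenDance's own code: it resolves the token's kid against a key set, verifies the RS256 signature, and then checks iss, aud and exp. The issuer constant, the client id "app-client-id", the kid values and the locally generated key are assumptions; a real consumer would load the key set from the JWKS endpoint listed further down instead of minting its own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const issuer = "https://id.vectorcontrol.tech" // assumed to equal "issuer" in the discovery document
var enc = base64.RawURLEncoding
// ID-token claims checked below; encoding/json maps "iss" to Iss case-insensitively. aud is assumed to be one string.
type claims struct{ Iss, Aud, Sub string; Exp int64 }

// verifyIDToken applies the page's checks in order: kid resolves in the JWKS, the RS256 signature verifies, and iss, aud, exp fit this relying party.
func verifyIDToken(token string, jwks map[string]*rsa.PublicKey, aud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil { return nil, errors.New("bad header") }
	if hdr.Alg != "RS256" { return nil, errors.New("unexpected alg") } // never honour alg=none or a symmetric alg
	key, ok := jwks[hdr.Kid] // unknown kid: refetch the JWKS endpoint and retry once; never skip the check
	if !ok { return nil, errors.New("unknown kid") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("bad signature") }
	var c claims
	body, err := enc.DecodeString(parts[1]) // claims are read only after the signature has been verified
	if err != nil || json.Unmarshal(body, &c) != nil { return nil, errors.New("bad payload") }
	if c.Iss != issuer { return nil, errors.New("wrong issuer") }
	if c.Aud != aud { return nil, errors.New("wrong audience") }
	if now.Unix() >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}

// mintTestToken signs a constructed token with a local key so the verifier can be exercised offline (assumption, not the IdP).
func mintTestToken(key *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "aud": c.Aud, "sub": c.Sub, "exp": c.Exp})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}
```

Nonce and at_hash checks from OIDC Core are outside the five checks this page lists and are not shown.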

Product responsibilities

  • Products may own local sessions and product authorization.
  • Products should not add direct third-party OAuth apps.
  • Website browser sessions are low-risk personalization only, not backend authorization.
  • Gateway API keys and TokenDance ID login must stay separate in docs and UI copy.

Who should integrate

  • New apps inside the TokenDance product family should integrate as TokenDance ID OIDC relying parties.
  • Products may own their own sessions, roles, resource permissions, and API key boundaries.
  • Third-party GitHub, Google, and Feishu/Lark OAuth apps are owned by TokenDance ID; product apps should not create separate provider integrations.
  • Static websites use low-risk personalization only. High-trust API authorization must be validated by the product backend.

Not promised

  • TokenDance ID access tokens are not TokenDance Gateway API keys.
  • Website login state does not replace AgentHub Hub Server or Gateway backend authorization.
  • Public docs do not record client secrets, admin keys, callback error details, or private user data.
  • Admin UX, provider UX, and organization-level self-service configuration are still being improved.

Product integration checklist

Check            Requirement
Callback         Use the product's own callback and register it on the TokenDance ID client
Token exchange   Browser apps use PKCE; server apps protect client secrets
Storage          Static sites do not persist tokens; backend sessions keep only needed claims
Authorization    The product checks roles, resources, and actions locally; login is not authorization
Logout           Clear the product session before redirecting to TokenDance ID logout
Public docs      Document endpoints, flow, and placeholder variables only; never real secrets, tokens, or callback payloads

OIDC public endpoints

Endpoint    Path
Discovery   https://id.vectorcontrol.tech/.well-known/openid-configuration
Authorize   https://id.vectorcontrol.tech/oidc/authorize
Token       https://id.vectorcontrol.tech/oidc/token
UserInfo    https://id.vectorcontrol.tech/oidc/userinfo
JWKS        https://id.vectorcontrol.tech/oidc/jwks