Receiz/Connect/Login with Receiz ID

One identity.
Every login path.

Receiz Connect lets people get into your app with passkey-first login, magic-link fallback, and no second account. The same person can start anywhere, arrive in your app as the same user, and skip a password-reset funnel entirely.

Standard OIDC + PKCE. No password recovery. No identity split.

Create OIDC ClientDevelopersOfficial Button AssetsLogin Embed Builder
Executive Summary

One integration. One subject. Every login path.

  • No pre-existing account required for end users.
  • Passkey-only onboarding is first class.
  • Email can be linked later with no identity drift.
  • Passkey and email always converge to one OIDC sub.
  • The same subject can move across surfaces, custom domains, and external apps.
  • No password database or password reset funnel in your app.
Velocity

Ship enterprise-grade login without password infrastructure. Use standard OIDC + PKCE with your existing middleware.

Conversion

Passkey-first default with magic-link fallback keeps sign-in completion high across devices and browser capabilities.

Identity Integrity

One user, one subject. Passkey and email always map to one Receiz ID and one OIDC sub across your domain, Receiz, and external apps.

Security Posture

No password hash storage, no password reset flow, and no credential-stuffing exposure in your app.

Exact User Experience
  1. User taps Sign in with Receiz.
  2. Receiz starts passkey ceremony by default.
  3. If passkey succeeds, user signs in instantly.
  4. If passkey is unavailable, user can continue with email magic-link.
  5. If user is new, Receiz creates account on first successful login.
  6. If user already exists, both methods resolve to the same Receiz ID.
Capabilities
  • Passkey-first login with WebAuthn platform authenticators.
  • Magic-link fallback with automatic account provisioning.
  • Stable OIDC subject mapping across login method switches.
  • Public + confidential OAuth clients with PKCE support.
  • Delegated scopes for record, seal, verify, wallet reads/transfers, online checkout create/read, and offline note mint/claim/download.
  • Wallet + payments endpoints for apps: /api/connect/wallet/me, /api/connect/transfers, /api/connect/payments/checkout, /api/connect/payments/session, and /api/connect/payments/notes/*.
  • One account from first successful login.
Identity Convergence Matrix
ScenarioReceiz OutcomeDeveloper Rule
New user, passkey onlyReceiz account auto-created with passkey identity.Store profile.sub as permanent app user key.
New user, email magic-linkReceiz account auto-created from email login.Same sub-first mapping rule.
Existing email user adds passkeyPasskey binds to same account. No split identity.Do not fork by email. Continue by sub.
Existing passkey user adds email laterEmail links to same account and signs into same subject.Treat email as mutable profile value.
Recipient signs from Receiz email linkLogin session is created inline. Missing account is provisioned.First callback may be first-seen sub. Upsert user.
Sign-In Button Starter

Drop in the official button and launch OIDC Authorization Code + PKCE. This starter is production-safe and aligns with the Receiz identity contract above.

<div
  class="receiz-login-embed"
  data-username="your_receiz_username"
  data-redirect-path="/auth/receiz/callback"
></div>
<script src="https://receiz.com/receiz-login-embed.js" async></script>
Callback Contract

Keep identity mapping strict: key users by OIDC sub, not email. This prevents account splits across passkey and magic-link login paths.

// Callback contract (server side)
// 1) Exchange code for tokens via discovery token_endpoint
// 2) Fetch userinfo
// 3) Upsert local user by profile.sub (stable key)
// 4) Treat email as mutable profile field
// 5) Create local app user if sub is first-seen
//
// Receiz identity guarantees:
// - passkey and magic-link converge to one subject
// - first successful login auto-creates Receiz account
// - passkey-only onboarding is supported
// - email can be linked later without identity split
Security and Operations
  • No password credential lifecycle in your stack.
  • Short-lived magic-links for replay-window reduction.
  • Passkey user verification via device biometrics or PIN.
  • Callback URL allow-list controls per OIDC client.
  • Identity convergence prevents duplicate-account drift.
No-Brainer Checklist
  • Zero password-system buildout.
  • Higher conversion with passkey default and fallback path.
  • Deterministic identity mapping for clean user tables.
  • Fast integration on standard OIDC rails.
  • Built-in path to delegated Receiz actions.
Launch Connect ConsoleOIDC Discovery