
Passwordless auth, enterprise-ready.

Receiz Connect gives your app passkey-first login with magic-link fallback, automatic account creation, and one stable identity subject. It is a standard OIDC + PKCE integration that removes password infrastructure and keeps identity mapping deterministic.

This is the full contract for how Login with Receiz ID behaves in production for new users, existing users, and cross-method login transitions.

Executive Summary

One integration. One subject. Every login path.

  • No pre-existing account required for end users.
  • Passkey-only onboarding is first class.
  • Email can be linked later with no identity drift.
  • Passkey and email always converge to one OIDC sub.
  • No password database or password reset funnel in your app.
Velocity

Ship enterprise-grade login without password infrastructure. Use standard OIDC + PKCE with your existing middleware.

Conversion

Passkey-first default with magic-link fallback keeps sign-in completion high across devices and browser capabilities.

Identity Integrity

One user, one subject. Passkey and email always map to one Receiz ID and one OIDC sub.

Security Posture

No password hash storage, no password reset flow, and no password-based credential-stuffing surface in your app.

Exact User Experience
  1. User taps Sign in with Receiz.
  2. Receiz starts passkey ceremony by default.
  3. If passkey succeeds, user signs in instantly.
  4. If passkey is unavailable, user can continue with email magic-link.
  5. If user is new, Receiz creates account on first successful login.
  6. If user already exists, both methods resolve to the same Receiz ID.
Capabilities
  • Passkey-first login with WebAuthn platform authenticators.
  • Magic-link fallback with automatic account provisioning.
  • Stable OIDC subject mapping across login method switches.
  • Public + confidential OAuth clients with PKCE support.
  • Delegated scopes for record, seal, verify, live wallet reads, and transfers.
  • Wallet endpoints for apps: /api/connect/wallet/me and /api/connect/transfers.
  • Receiz account/profile continuity from first successful login.
Identity Convergence Matrix
Scenario | Receiz Outcome | Developer Rule
New user, passkey only | Receiz account auto-created with passkey identity. | Store profile.sub as the permanent app user key.
New user, email magic-link | Receiz account auto-created from email login. | Same sub-first mapping rule.
Existing email user adds passkey | Passkey binds to the same account. No split identity. | Do not fork by email. Continue by sub.
Existing passkey user adds email later | Email links to the same account and signs into the same subject. | Treat email as a mutable profile value.
Recipient signs in from a Receiz email link | Login session is created inline. A missing account is provisioned. | First callback may be a first-seen sub. Upsert the user.
Sign-In Button Starter

Drop in the official button and launch OIDC Authorization Code + PKCE. This starter is a public (browser) client flow; it is production-safe when the callback validates state and nonce as described in the Callback Contract below, and it aligns with the Receiz identity contract above.

<button id="receiz-signin" type="button" class="receiz-signin-btn">
  <img src="https://receiz.com/sign-in-with-receiz.svg" alt="Sign in with Receiz" width="240" height="44" />
</button>

<style>
  .receiz-signin-btn {
    border: 0;
    background: transparent;
    padding: 0;
    line-height: 0;
    cursor: pointer;
  }
  .receiz-signin-btn img {
    display: block;
    width: 240px;
    height: 44px;
  }
</style>

<script type="module">
  // Public (browser) client flow. state, nonce and the PKCE verifier are kept in
  // sessionStorage so the same-origin callback page can read them back and compare them.
  // If the callback is handled server-side (confidential client), generate and store these
  // values in the server session instead: the server cannot read sessionStorage.
  const issuer = "https://receiz.com";
  const clientId = "YOUR_RECEIZ_CLIENT_ID";
  // Must appear on this client's redirect URI allow-list in the Receiz client settings.
  const redirectUri = "https://your-app.com/auth/receiz/callback";
  // Trim this to the scopes the app actually needs at sign-in; offline_access and
  // receiz:wallet.transfer are high-impact grants that deserve a deliberate decision.
  const scope =
    "openid profile email offline_access receiz:record receiz:seal receiz:verify receiz:wallet.read receiz:wallet.transfer";

  // base64url without padding, the encoding RFC 7636 requires for verifier and challenge.
  const b64u = (bytes) =>
    btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

  async function createPkce() {
    // 32 random bytes encode to a 43-character verifier, the minimum length RFC 7636 allows.
    const verifierBytes = crypto.getRandomValues(new Uint8Array(32));
    const verifier = b64u(verifierBytes);
    // S256: challenge = base64url(SHA-256(verifier)). Only the challenge leaves the browser now;
    // the verifier is presented at the token endpoint after the redirect.
    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
    const challenge = b64u(new Uint8Array(digest));
    return { verifier, challenge };
  }

  document.getElementById("receiz-signin")?.addEventListener("click", async () => {
    // Discovery document; cache it in production rather than fetching on every click.
    const discovery = await fetch(`${issuer}/.well-known/openid-configuration`).then((r) => r.json());
    const { verifier, challenge } = await createPkce();
    // state ties the callback to this browser session (CSRF guard); nonce ties the
    // ID token to this request. Both are compared on the callback and then discarded.
    const state = crypto.randomUUID();
    const nonce = crypto.randomUUID();

    sessionStorage.setItem("receiz:pkce_verifier", verifier);
    sessionStorage.setItem("receiz:state", state);
    sessionStorage.setItem("receiz:nonce", nonce);

    const auth = new URL(discovery.authorization_endpoint);
    auth.searchParams.set("response_type", "code");
    auth.searchParams.set("client_id", clientId);
    auth.searchParams.set("redirect_uri", redirectUri);
    auth.searchParams.set("scope", scope);
    auth.searchParams.set("state", state);
    auth.searchParams.set("nonce", nonce);
    auth.searchParams.set("code_challenge", challenge);
    auth.searchParams.set("code_challenge_method", "S256");
    location.assign(auth.toString());
  });
</script>
Callback Contract

Keep identity mapping strict: key users by OIDC sub, not email. This prevents account splits across passkey and magic-link login paths.

// Callback contract (server side)
// 1) Reject the request unless `state` matches the value bound to this session
// 2) Exchange code for tokens via discovery token_endpoint, sending the PKCE code_verifier
// 3) Validate the ID token before trusting it: signature against the issuer's jwks_uri,
//    iss == issuer, aud == client_id, nonce == the stored nonce, exp in the future;
//    then discard state, nonce and verifier (one-shot values)
// 4) Fetch userinfo (or use the validated ID token claims)
// 5) Upsert local user by profile.sub (stable key)
// 6) Treat email as mutable profile field
// 7) Create local app user if sub is first-seen
//
// Receiz identity guarantees:
// - passkey and magic-link converge to one subject
// - first successful login auto-creates Receiz account
// - passkey-only onboarding is supported
// - email can be linked later without identity split
Security and Operations
  • No password credential lifecycle in your stack.
  • Short-lived magic links that keep the replay window small.
  • Passkey user verification via device biometrics or PIN.
  • Redirect (callback) URI allow-list enforced per OIDC client.
  • Identity convergence prevents duplicate-account drift.
No-Brainer Checklist
  • Zero password-system buildout.
  • Higher conversion with passkey default and fallback path.
  • Deterministic identity mapping for clean user tables.
  • Fast integration on standard OIDC rails.
  • Built-in path to delegated Receiz actions.