LoopingBinary Auth
OAuth 2.0 Authorization Server
LoopingBinary OAuth API
Secure OAuth 2.0 authentication for third-party applications. Enable "Sign in with LoopingBinary" in your app.
Secure
OAuth 2.0 compliant with industry-standard security
Fast
Subdomain isolation for optimal performance
Isolated Sessions
No cookie conflicts with main application
Quick Start
Register Your Application
Go to Developer Console and create an OAuth client. You'll receive a client_id and client_secret.
Redirect Users to Authorization
Redirect users to https://auth.loopingbinary.com/oauth/authorize with your client ID and callback URL.
const authUrl = `https://auth.loopingbinary.com/oauth/authorize?
client_id=${clientId}&
redirect_uri=${encodeURIComponent(callbackUrl)}&
response_type=code&
scope=read profile&
state=${randomState}`;
window.location.href = authUrl;Exchange Code for Token
On your backend, exchange the authorization code for an access token. Never do this in frontend code!
// Backend only!
const response = await fetch('https://app.loopingbinary.com/api/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
grant_type: 'authorization_code',
code: authorizationCode,
redirect_uri: callbackUrl,
client_id: process.env.LB_CLIENT_ID,
client_secret: process.env.LB_CLIENT_SECRET
})
});Authentication API
All authentication endpoints are hosted on auth.loopingbinary.com to ensure no CORS issues. These endpoints use the same database as the main application and automatically set cross-subdomain cookies for seamless authentication.
https://auth.loopingbinary.com/api/auth/login/initInitiate passwordless login by sending a 6-digit code to user's email. All authentication endpoints are hosted on auth.loopingbinary.com to avoid CORS issues.
Request Body:
{
"email": "user@example.com"
}Response:
{
"message": "Login code sent to your email",
"emailSent": true,
"expiresInMinutes": 10,
"code": "123456"
}Example:
fetch('https://auth.loopingbinary.com/api/auth/login/init', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include', // Important: include cookies
body: JSON.stringify({
email: 'user@example.com'
})
})https://auth.loopingbinary.com/api/auth/login/verifyVerify the 6-digit code and receive authentication token. Sets cross-subdomain cookie automatically.
Request Body:
{
"email": "user@example.com",
"code": "123456"
}Response:
{
"token": "jwt_token_here",
"user": {
"id": "user_uuid",
"email": "user@example.com",
"fullName": "John Doe",
"role": "USER",
"roles": [
"USER"
],
"status": "ACTIVE"
}
}Example:
fetch('https://auth.loopingbinary.com/api/auth/login/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include', // Important: include cookies
body: JSON.stringify({
email: 'user@example.com',
code: '123456'
})
})https://auth.loopingbinary.com/api/auth/login/resendResend login code if user didn't receive it or it expired.
Request Body:
{
"email": "user@example.com"
}Response:
{
"message": "Login code resent to your email",
"emailSent": true
}Example:
fetch('https://auth.loopingbinary.com/api/auth/login/resend', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include',
body: JSON.stringify({
email: 'user@example.com'
})
})https://auth.loopingbinary.com/api/auth/registerRegister a new user account (passwordless). Creates user and wallet automatically.
Request Body:
{
"email": "user@example.com",
"fullName": "John Doe",
"role": "USER"
}Response:
{
"emailSent": true,
"email": "user@example.com"
}Example:
fetch('https://auth.loopingbinary.com/api/auth/register', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include',
body: JSON.stringify({
email: 'user@example.com',
fullName: 'John Doe'
})
})OAuth API Endpoints
OAuth authorization endpoints are on auth.loopingbinary.com, while token exchange and user info endpoints are on app.loopingbinary.com.
https://auth.loopingbinary.com/oauth/authorizeAuthorization consent screen - redirect users here to start OAuth flow
Query Parameters:
client_id(string)*- Your OAuth client IDredirect_uri(string)*- Your registered callback URLresponse_type(string)*- Must be "code"scope(string)- Space-separated scopes (e.g., "read profile")state(string)- CSRF protection tokenExample:
https://auth.loopingbinary.com/oauth/authorize?client_id=lb_xxx&redirect_uri=https://yourapp.com/callback&response_type=code&scope=read%20profile&state=xyz123https://app.loopingbinary.com/api/oauth/tokenExchange authorization code for access token (call from your backend)
Request Body:
{
"grant_type": "authorization_code",
"code": "authorization_code_from_callback",
"redirect_uri": "https://yourapp.com/callback",
"client_id": "your_client_id",
"client_secret": "your_client_secret"
}Example:
fetch('https://app.loopingbinary.com/api/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
grant_type: 'authorization_code',
code: 'auth_code_here',
redirect_uri: 'https://yourapp.com/callback',
client_id: 'your_client_id',
client_secret: 'your_client_secret'
})
})https://app.loopingbinary.com/api/oauth/userinfoGet user information using access token
Headers:
{
"Authorization": "Bearer {access_token}"
}Example:
fetch('https://app.loopingbinary.com/api/oauth/userinfo', {
headers: {
'Authorization': 'Bearer your_access_token'
}
})Important Notes
- • Authentication API: All auth endpoints (
/api/auth/*) are onhttps://auth.loopingbinary.com- no CORS issues! - • OAuth Authorization: Use
https://auth.loopingbinary.comfor authorization flows - • Token Exchange: Use
https://app.loopingbinary.comfor token exchange and user info - • Cookies: Authentication tokens are automatically set as cross-subdomain cookies (
.loopingbinary.com) - • Never expose your
client_secretin frontend code - • Always validate the
stateparameter to prevent CSRF attacks - • Use HTTPS for all redirect URIs
- • Include credentials: Always use
credentials: 'include'in fetch requests to send cookies