OAuth 2.0 Authorization Server

The Auth Layer for LoopingBinary Developers

Add "Sign in with LoopingBinary" to your app in minutes. Secure OAuth 2.0, passwordless authentication, and a single unified identity across the entire LoopingBinary ecosystem.

OAuth 2.0 Compliant
Passwordless Auth
Cross-Subdomain SSO
JWT Tokens

Everything you need to ship auth

A complete identity platform. No passwords, no friction, no headaches.

Industry-Standard Security

Full OAuth 2.0 authorization code flow with PKCE support. CSRF protection via state parameter. All traffic over HTTPS.

Passwordless by Default

Users receive a secure 6-digit code via email. No passwords to store, rotate, or breach. Login in seconds.

Unified SSO

Cross-subdomain cookies keep users signed in across all LoopingBinary services automatically.

User + Wallet Auto-created

Registration creates both the user account and a linked wallet. Everything your app needs, out of the box.

Developer First

Clean REST APIs, comprehensive examples, and a dedicated Developer Console on app.loopingbinary.com.

Zero CORS Headaches

All auth endpoints are on auth.loopingbinary.com. Call from any origin with credentials: "include".

Get started free

Build on LoopingBinary today

Head to app.loopingbinary.com, create your developer account, register your OAuth client, and drop "Sign in with LoopingBinary" into your app within the hour.

Quick Start

Integrate OAuth in three steps.

1. Register Your Application

Visit the Developer Console, create an OAuth client, and copy your client_id and client_secret.

2. Redirect Users to Authorization

Send users to the authorization endpoint. They authenticate and are redirected back to your app with an authorization code.

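// Join the query on one line: line breaks and indentation inside a
// template literal would otherwise end up inside the URL.
const query = [
  `client_id=${encodeURIComponent(clientId)}`,
  `redirect_uri=${encodeURIComponent(callbackUrl)}`,
  'response_type=code',
  'scope=read%20profile',
  `state=${encodeURIComponent(randomState)}`, // unguessable, checked again on callback
].join('&');
const authUrl = `https://auth.loopingbinary.com/oauth/authorize?${query}`;

window.location.href = authUrl;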

3. Exchange Code for Token

On your backend only, exchange the code for an access token. Never do this in client-side code.

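// Backend only!
const response = await fetch('https://app.loopingbinary.com/api/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: authorizationCode,
    redirect_uri: callbackUrl,
    client_id: process.env.LB_CLIENT_ID,
    client_secret: process.env.LB_CLIENT_SECRET,
  }),
});

// Fail closed: do not continue the login if the exchange was rejected.
if (!response.ok) {
  throw new Error(`Token exchange failed: HTTP ${response.status}`);
}
const tokenResponse = await response.json();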

API Reference

All authentication endpoints live on auth.loopingbinary.com. Token exchange and user info endpoints live on app.loopingbinary.com.

Authentication API

POST https://auth.loopingbinary.com/api/auth/login/init

Initiate passwordless login by sending a 6-digit code to the user's email. All authentication endpoints are hosted on auth.loopingbinary.com to avoid CORS issues.

Request Body

{
  "email": "user@example.com"
}

Response

{
  "message": "Login code sent to your email",
  "emailSent": true,
  "expiresInMinutes": 10,
  "code": "123456"
}

Example

fetch('https://auth.loopingbinary.com/api/auth/login/init', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  credentials: 'include', // Important: include cookies
  body: JSON.stringify({
    email: 'user@example.com'
  })
})

POST https://auth.loopingbinary.com/api/auth/login/verify

Verify the 6-digit code and receive an authentication token. Sets the cross-subdomain cookie automatically.

Request Body

{
  "email": "user@example.com",
  "code": "123456"
}

Response

{
  "token": "jwt_token_here",
  "user": {
    "id": "user_uuid",
    "email": "user@example.com",
    "fullName": "John Doe",
    "role": "USER",
    "roles": [
      "USER"
    ],
    "status": "ACTIVE"
  }
}

Example

fetch('https://auth.loopingbinary.com/api/auth/login/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  credentials: 'include', // Important: include cookies
  body: JSON.stringify({
    email: 'user@example.com',
    code: '123456'
  })
})

POST https://auth.loopingbinary.com/api/auth/login/resend

Resend the login code if the user didn't receive it or it expired.

Request Body

{
  "email": "user@example.com"
}

Response

{
  "message": "Login code resent to your email",
  "emailSent": true
}

Example

fetch('https://auth.loopingbinary.com/api/auth/login/resend', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  credentials: 'include',
  body: JSON.stringify({
    email: 'user@example.com'
  })
})

POST https://auth.loopingbinary.com/api/auth/register

Register a new user account (passwordless). Creates the user and wallet automatically.

Request Body

{
  "email": "user@example.com",
  "fullName": "John Doe",
  "role": "USER"
}

Response

{
  "emailSent": true,
  "email": "user@example.com"
}

Example

fetch('https://auth.loopingbinary.com/api/auth/register', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  credentials: 'include',
  body: JSON.stringify({
    email: 'user@example.com',
    fullName: 'John Doe'
  })
})

OAuth 2.0 Endpoints

GET https://auth.loopingbinary.com/oauth/authorize

Authorization consent screen. Redirect users here to start the OAuth flow.

Query Parameters

client_id (string, required): Your OAuth client ID
redirect_uri (string, required): Your registered callback URL
response_type (string, required): Must be "code"
scope (string): Space-separated scopes (e.g., "read profile")
state (string): CSRF protection token

Example

https://auth.loopingbinary.com/oauth/authorize?client_id=lb_xxx&redirect_uri=https%3A%2F%2Fyourapp.com%2Fcallback&response_type=code&scope=read%20profile&state=xyz123

POST https://app.loopingbinary.com/api/oauth/token

Exchange the authorization code for an access token (call from your backend).

Request Body

{
  "grant_type": "authorization_code",
  "code": "authorization_code_from_callback",
  "redirect_uri": "https://yourapp.com/callback",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret"
}

Example

fetch('https://app.loopingbinary.com/api/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: 'auth_code_here',
    redirect_uri: 'https://yourapp.com/callback',
    client_id: 'your_client_id',
    client_secret: 'your_client_secret'
  })
})

GET https://app.loopingbinary.com/api/oauth/userinfo

Get user information using the access token.

Headers

{
  "Authorization": "Bearer {access_token}"
}

Example

fetch('https://app.loopingbinary.com/api/oauth/userinfo', {
  headers: {
    'Authorization': 'Bearer your_access_token'
  }
})

Security Best Practices

  • All auth API calls go to auth.loopingbinary.com, so there are no CORS issues.
  • OAuth authorization happens on auth.loopingbinary.com; token exchange on app.loopingbinary.com.
  • Tokens are set as cross-subdomain cookies (.loopingbinary.com) automatically.
  • Never expose your client_secret in frontend or client-side code.
  • Always validate the state parameter to prevent CSRF attacks.
  • Use HTTPS for all redirect URIs in production.
  • Always pass credentials: "include" in fetch calls to send cookies.
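
The state check named above, tied to Quick Start steps 2 and 3, as an added example (not LoopingBinary's own code). It assumes a Node.js backend and a per-user server-side `session` object; `beginAuthorization`, `sameState` and `handleCallback` are hypothetical names, while the endpoint and parameter names are the ones documented on this page.

```javascript
// Added example, not LoopingBinary code. `session` is any per-user
// server-side store (assumption); function names are hypothetical.
const crypto = require('node:crypto');

const AUTHORIZE_URL = 'https://auth.loopingbinary.com/oauth/authorize';

// Step 2: mint an unguessable state, bind it to the session, build the URL.
function beginAuthorization(session, clientId, callbackUrl) {
  const state = crypto.randomBytes(32).toString('base64url');
  session.oauthState = state;
  const params = {
    client_id: clientId,
    redirect_uri: callbackUrl,
    response_type: 'code',
    scope: 'read profile',
    state,
  };
  const query = Object.entries(params)
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join('&');
  return `${AUTHORIZE_URL}?${query}`;
}

// Constant-time comparison; hashing first yields equal-length buffers.
function sameState(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Callback: return the authorization code only if state matches the session.
// The stored state is consumed first, so a replayed callback always fails.
function handleCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState;
  if (!expected || typeof query.state !== 'string' || !sameState(expected, query.state)) {
    throw new Error('state mismatch: rejecting callback');
  }
  if (typeof query.code !== 'string' || query.code === '') {
    throw new Error('missing authorization code');
  }
  return query.code; // only now pass it to the backend token exchange (step 3)
}
```

Call `handleCallback` before the token exchange, so a callback with a missing, forged or replayed state never reaches the request that carries client_secret.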