IDENTITY ONLY
scope=openidNo raw provider ID, email, handle, name, avatar, or provider access token.
ONE LOGIN. THREE EXPLICIT IDS.
One sign-in layer for browser, CLI, and device apps. Keep continuity across your products, or give every client its own private user ID.
Email is profile data, not a key. Every token names exactly which identity contract it carries.
Provider-global and correlatable across Triad clients that receive it, without exposing the upstream ID.
Broker-global. Correlates one Triad account across clients.
Stable inside one app. Different client, different identifier.
A client chooses its request. Triad shows the complete list before approval, and shares nothing beyond it.
scope=openidNo raw provider ID, email, handle, name, avatar, or provider access token.
OPTIONAL PROFILE SCOPES
Authorization Code + mandatory S256 PKCE. ES256 tokens. Standard JWKS.
?client_id=triad-demo
&provider=github
&redirect_uri=http://localhost:4321/demo/callback/
&code_challenge=...
&code_challenge_method=S256Show a short code on the device. The user opens Triad in a browser, reviews the connection, and approves it.
OPEN DEVICE VERIFICATION →