ONE LOGIN. THREE EXPLICIT IDS.

IDENTITY,
THAT WORKS.

One sign-in layer for browser, CLI, and device apps. Keep continuity across your products, or give every client its own private user ID.

GOOGLEGITHUBTWITTERCODE + PKCEDEVICE FLOW

ONE LOGIN.
NO IDENTITY GUESSING.

Email is profile data, not a key. Every token names exactly which identity contract it carries.

provider_sub
pid_twitter_5a8f...

Provider-global and correlatable across Triad clients that receive it, without exposing the upstream ID.

account_sub
acc_4da6c809...

Broker-global. Correlates one Triad account across clients.

pairwise_sub
pws_9c0e7b2a...

Stable inside one app. Different client, different identifier.

ASK FOR LESS.
REVEAL LESS.

A client chooses its request. Triad shows the complete list before approval, and shares nothing beyond it.

DEFAULT REQUEST

IDENTITY ONLY

scope=openid

No raw provider ID, email, handle, name, avatar, or provider access token.

OPTIONAL PROFILE SCOPES

email
email + email_verified
handle
preferred_username
name
name
avatar
picture

POINT. REDIRECT. VERIFY.

Authorization Code + mandatory S256 PKCE. ES256 tokens. Standard JWKS.

GET /authorize01 / 03
?client_id=triad-demo
&provider=github
&redirect_uri=http://localhost:4321/demo/callback/
&code_challenge=...
&code_challenge_method=S256
  1. Choose a provider.Triad maps its stable identity, then discards the provider access token.
  2. Exchange once.Your app exchanges the short-lived code with its PKCE verifier.
  3. Verify locally.Check ES256, issuer, audience, and expiry against the published JWKS.

AUTHORIZE
ANOTHER DEVICE.

Show a short code on the device. The user opens Triad in a browser, reviews the connection, and approves it.

OPEN DEVICE VERIFICATION →