Guide
Deploy this app once, then point every small project at the same admin login. You keep one username, password, second factor, and JWT signing key — consumers only verify the token (or call the verify API) instead of shipping their own credential store.
Typical uses: personal dashboards, internal tools, staging apps, and OAuth-style redirects where you already trust this host.
Agent / MCP
Add this endpoint to Cursor or VS Code so an agent can ask how to integrate third-party login.
{
"mcpServers": {
"signet": {
"url": "https://signet.davidjones.fun/api/mcp"
}
}
}

TOTP
RFC 6238 time-based codes from any authenticator app. Generate a Base32 secret, then verify a few codes on the tool page before enabling login; a secret that was typed or scanned wrongly otherwise only shows up as a failed login later.
Env output: ACCESS_TOTP_SECRET
WebAuthn
Platform authenticators and roaming security keys. The RP ID must match the deployed hostname (or a registrable parent of it): a credential registered under one RP ID will not assert on a different host, so fix the hostname before enrolling. Export the JSON credential and keep TOTP as a fallback in case the authenticator is lost.
Env output: ACCESS_WEBAUTHN_SECRET
ECDH
Optional encryption for OAuth-style return payloads. Used when the browser sends an ephemeral public key with the login request: the server combines that key with ECDH_SERVER_PRIVATE_KEY to derive a shared key and encrypts the session token under it, so only the client that holds the matching ephemeral private key can decrypt the token.
Server secret: ECDH_SERVER_PRIVATE_KEY
Follow these in order. Each step points to the page or tool that owns the details.
Set the admin login and signing secret. Use a JWT_SECRET of at least 32 characters, generated randomly rather than chosen by hand: anyone who can guess it can mint tokens for every app that trusts this host.
Username: ACCESS_USERNAME
Password: ACCESS_PASSWORD
Signing key: JWT_SECRET
Add at least one second-factor secret before enabling login.
TOTP: ACCESS_TOTP_SECRET
WebAuthn: ACCESS_WEBAUTHN_SECRET
Set the ECDH server key only if you use encrypted login or OAuth-style callbacks; plain redirects do not need it.
Server secret: ECDH_SERVER_PRIVATE_KEY
For cross-origin callbacks, list the origins you own (scheme, host and port). Same-origin relative paths work without an allowlist. Every entry should be a host you control; an entry you do not control turns the login into an open redirect.
Allowlist: ALLOWED_REDIRECT_URLS
Send users to the login route with your app's callback as redirectUrl. After the second factor succeeds, the user returns with a token; verify it in your app before trusting any claim, either locally against JWT_SECRET or by calling the verify API.
Login: /login?redirectUrl=...
JWT: token
Verify API: /api/auth/verify
One place to rotate secrets
JWT signing key and admin password change here; apps only validate tokens. Rotating JWT_SECRET invalidates every outstanding token at once, and apps that verify locally need the new value, while apps that call the verify API pick it up without a change on their side.
Stable identity claims
Issued tokens include iss, sub, username, preferred_username, and optional email for your UI.
Safer redirects
The origin allowlist blocks open redirects; pair it with a random state on each login so a callback can be tied to the request that started it and a stray or replayed callback is refused.
Playground for OAuth
Use /oauth/playground to exercise flows without wiring a separate client first.
After a successful password / TOTP / WebAuthn path, this service issues a signed JWT. Your callback should treat it as an opaque credential until the signature, issuer and expiry have been checked; do not read claims out of an unverified token, even for display.
Claims you can rely on
iss, sub, username, preferred_username, and optional email (the same set listed above). Inspect a decoded sample at /login/blank with redirectUrl=/login/blank after configuring env.
Never expose JWT_SECRET to browsers or public repos: anything that holds it can mint tokens for every app that trusts this host.