IndieAuth

IndieAuth is a decentralized identity protocol built on top of OAuth 2.0.

This allows an individual website, such as someone's WordPress, Mastodon, or Gitea server, to act as its own identity provider and to be used to sign in to other instances. Both users and applications are identified by URLs, avoiding the need to obtain API keys or create new accounts.

Read more about how IndieAuth solves OAuth for the open web.

Read the Spec

The latest version of the IndieAuth spec is available at:

indieauth.spec.indieweb.org

Read the details about the 2020 spec updates

The January 2018 published version is also available at:

w3.org/TR/indieauth

Logging in with IndieAuth

You can use IndieAuth to have your users authenticate with their own URL. Logging in to an app with IndieAuth tells the app who has logged in: the user ID returned is a URL controlled by the user.

Read the Spec

Tutorial: How to Sign Users In with IndieAuth

Obtaining an OAuth 2.0 Access Token with IndieAuth

If you're building an application that wants to access or modify a user's data, you'll need an OAuth 2.0 access token to use in API requests.

You can use IndieAuth to obtain an access token from the user's own token endpoint, while identifying them in the process.

Obtaining an Access Token

Choosing an IndieAuth Provider

To log in to apps that use IndieAuth, you'll need to tell these apps where your IndieAuth endpoints live. You can delegate your domain to an external IndieAuth provider or run an IndieAuth provider yourself, or your IndieAuth provider may already be part of the same software that runs your website.

Self-Hosted IndieAuth Providers

Software with a Built-In IndieAuth Provider

Services with Built-In IndieAuth Support

Public IndieAuth Providers

Frequently Asked Questions

How is IndieAuth different from OpenID Connect?

See indieweb.org/How_is_IndieAuth_different_from_OpenID_Connect