Standard OAuth 2.0 / OpenID Connect — but the product isn’t another login button. It’s a signed verification portfolio (helpdesk passes, interviews, passkeys, consistency) that users consent to share. You decide what evidence is enough; xChk signs what they’ve already built on the platform.
Login with xChk is not enabled on this server.
Add /oauth/playground.html to test grants without deploying a callback.
New apps start unverified — users see a warning on the consent screen until your app is verified (domain proof, business verification). Contact support to verify.
Endpoints for your app:
Loading...
/.well-known/openid-configuration/oauth/authorize/oauth/token/oauth/jwks/oauth/userinfoPublic clients must use PKCE (S256). Exchange codes on your server, not in the browser.