Receiz/Connect/Login with Receiz ID

One identity.
Every login path.

Receiz Connect lets people get into your app with Receiz ID, Receiz Key, Identity Record, and Identity Seal proof. The same person can start anywhere, arrive in your app as the same user, and skip a password-reset funnel entirely.

Proof-native identity first. OIDC + PKCE only for delegated API access. No identity split.

Executive Summary

One integration. One subject. Every login path.

  • No pre-existing account required for end users.
  • Receiz ID account creation is first class.
  • Receiz Key, Identity Record, and Identity Seal recovery restore the same account.
  • Connect tokens authorize scoped API calls after identity proof.
  • The same subject can move across surfaces, custom domains, and external apps.
  • No password database or password reset funnel in your app.
Velocity

Ship proof-native login without password infrastructure. Use Receiz ID artifacts locally and OIDC + PKCE only when delegated API access is needed.

Conversion

Fresh Receiz ID creation, Receiz Key recovery, and Identity Record / Identity Seal login let users enter from the proof they already hold.

Identity Integrity

One user, one subject. Identity artifacts restore the same Receiz account; Connect tokens authorize scoped API calls beneath that proof.

Security Posture

No password hash storage, no password reset flow, and no credential-stuffing exposure in your app.

Exact User Experience
  1. User taps Sign in with Receiz.
  2. Your app verifies Receiz ID, Receiz Key, Identity Record, or Identity Seal proof locally.
  3. Known verified account truth paints immediately.
  4. Receiz continuation publishes global continuity only when needed.
  5. Connect starts only when delegated Receiz API access is needed.
  6. Recovery and PBI binding append to the same Receiz account without identity split.
Capabilities
  • Fresh Receiz ID account creation without password infrastructure.
  • Receiz Key, Identity Record, and Identity Seal account recovery.
  • Stable identity subject projection from verified proof artifacts.
  • Public + confidential OAuth clients with PKCE support.
  • Delegated scopes for record, seal, verify, wallet reads/transfers, online checkout create/read, and offline note mint/claim/download.
  • Wallet + payments endpoints for apps: /api/connect/wallet/me, /api/connect/transfers, /api/connect/payments/checkout, /api/connect/payments/session, and /api/connect/payments/notes/*.
  • Connect tokens authorize scoped API calls after identity proof.
Identity Convergence Matrix
ScenarioReceiz OutcomeDeveloper Rule
New user, Receiz IDReceiz account created from local Receiz ID proof.Store the verified Receiz identity subject as the account root.
Returning user, Identity RecordIdentity image restores the same proof-bearing account.Verify the artifact first; do not rediscover known truth before paint.
Returning user, Receiz KeyReceiz Key restores account proof memory and can publish continuity.Project local truth first; sync additions after the known head.
App needs Receiz API accessConnect grants scoped delegated access after identity proof.Treat tokens as permission, not the identity proof root.
Recovered account binds PBI laterPBI appends account recovery evidence without splitting identity.Bind recovery as an append, not a replacement for Receiz ID proof.
Sign-In Button Starter

Drop in the official button for delegated Connect access, or use the SDK identity helpers for Receiz ID artifact login. Both align with the Receiz identity contract above.

<div
  class="receiz-login-embed"
  data-username="your_receiz_username"
  data-redirect-path="/auth/receiz/callback"
></div>
<script src="https://receiz.com/receiz-login-embed.js" async></script>
Callback Contract

Keep identity mapping strict: key users by verified Receiz identity proof, then use OIDC sub for delegated Connect calls. This prevents account splits across artifact login and API permission paths.

// Callback contract (server side)
// 1) Exchange code for tokens via discovery token_endpoint
// 2) Fetch userinfo
// 3) Upsert local user by profile.sub for delegated Connect access
// 4) Treat email as mutable profile field
// 5) Verify Receiz Key / Identity Record / Identity Seal locally for artifact login
//
// Receiz identity guarantees:
// - Receiz ID, Receiz Key, Identity Record, and Identity Seal are identity proof roots
// - fresh Receiz ID creation does not require password infrastructure
// - Connect is delegated API access after identity proof
// - recovery or PBI binding appends to the same account without identity split
Security and Operations
  • No password credential lifecycle in your stack.
  • Signed Receiz ID continuation proof for global publication.
  • Identity artifact verification before local account projection.
  • Callback URL allow-list controls per OIDC client.
  • Connect scopes stay beneath verified identity proof.
No-Brainer Checklist
  • Zero password-system buildout.
  • Higher conversion with identity artifacts users can already hold.
  • Deterministic identity mapping for clean user tables.
  • Fast integration through SDK proof helpers plus standard OIDC rails.
  • Built-in path to delegated Receiz actions.