Choose a path
Quick Ave
Add sign-in without registering an app. Use it for prototypes, internal tools, and the first version of an integration.
Registered OAuth
Register an app when you need PKCE, refresh tokens, app branding, configured redirect URIs, or a confidential client.
What Ave includes
Convex integration
Use Ave as a Convex OIDC provider and keep Convex supplied with fresh ID tokens.
Connector delegation
Let one app request scoped access to another Ave-registered resource on a user’s behalf.
Signing
Request identity-backed Ed25519 signatures for approvals that need a verifiable user action.
End-to-end encryption
Deliver per-app, per-identity encryption keys without exposing plaintext key material to the server.
Hosts
Ave uses separate hosts for sign-in, API calls, and organization administration. Keep the sign-in and API hosts separate in your integration.| Host | Use it for |
|---|---|
https://aveid.net | Sign-in UI, Connector consent, OIDC discovery, JWKS |
https://api.aveid.net | Token exchange, userinfo, signing, management, API calls |
https://business.aveid.net | Business organization membership, org key grants, verified domains, and SSO setup |
How to get started
Try Quick Ave first
Quick Ave gives you origin-based auth without a dashboard, client ID, or redirect URI setup.
Move to registered OAuth
Quickstart covers app registration, PKCE, token exchange, refresh tokens, and session creation.
Understand the tokens
OAuth authorization code flow explains
id_token, access_token, access_token_jwt, and refresh token rotation.Pick your client model
Browser and mobile apps use PKCE. Server apps can use confidential clients.
Add advanced features when ready
Add Connector delegation, Signing, end-to-end encryption, or Convex auth when your app needs them.