# Ave

> Passkey identity, OAuth/OIDC, delegation, signing, and encrypted app-key delivery.

## Docs

- [OAuth + OIDC endpoints](https://docs.aveid.net/api/oauth-endpoints.md): Detailed endpoint contract for app metadata, authorize, token grants, userinfo, discovery, and delegation management.
- [API overview](https://docs.aveid.net/api/overview.md): Endpoint families, authentication requirements, and request conventions for the Ave OAuth/OIDC and Signing APIs.
- [Signing endpoints](https://docs.aveid.net/api/signing-endpoints.md): Full reference for the Ave signing API. Covers request creation, status polling, public key lookup, signature verification, and session-authenticated key management.
- [Ave for Businesses](https://docs.aveid.net/guides/ave-for-businesses.md): Use Ave organizations as identity containers with roles, org context claims, audit trails, and explicit key boundaries.
- [Ave Session](https://docs.aveid.net/guides/ave-session-and-tokens.md): Persist OAuth tokens, refresh safely, and keep framework auth clients supplied with fresh ID tokens.
- [Ave Signing](https://docs.aveid.net/guides/ave-signing.md): Request identity-backed Ed25519 signatures from users. Covers the full lifecycle: create request, present UI, poll status, verify signature.
- [Better Auth integration](https://docs.aveid.net/guides/better-auth-ave.md): Use Better Auth's generic OAuth plugin with Ave's OIDC discovery, then validate refresh behavior in your app.
- [Business workspaces](https://docs.aveid.net/guides/business-workspaces.md): Use Ave organizations as app workspaces while Ave manages membership, roles, SSO, and business identity context.
- [Connector delegation](https://docs.aveid.net/guides/connector-app-to-app.md): Add delegated app-to-app access with consent, token exchange, delegated JWTs, and target-resource validation.
- [Convex custom auth](https://docs.aveid.net/guides/convex-custom-auth.md): Use Ave as a Convex custom OIDC auth provider. Covers which token to use, why, exact JWT claims, auth.config.ts setup, and full implementation.
- [E2EE integration checklist](https://docs.aveid.net/guides/e2ee-integration-checklist.md): Registered app, app_key fragment handling, and identity isolation — use with Ave Session for apps that encrypt data.
- [End-to-end encryption](https://docs.aveid.net/guides/end-to-end-encryption.md): Implement Ave app-key handoff safely, avoid URL-fragment decoding pitfalls, and isolate identity data correctly.
- [Expo with AuthSession](https://docs.aveid.net/guides/expo-auth-session.md): Use Ave in an Expo app with expo-auth-session and expo-web-browser. Covers deep links, PKCE, code exchange, token refresh, and the Convex handoff.
- [FedCM browser sign-in](https://docs.aveid.net/guides/fedcm-browser-sign-in.md): Use Ave with the browser's FedCM account chooser for a faster sign-in path, with fallback to the standard redirect flow.
- [Next.js App Router + Ave Session](https://docs.aveid.net/guides/nextjs-ave-session.md): Use AveSessionProvider, useAveSession, and AveConvexBridge with the App Router and client components.
- [OAuth authorization code flow](https://docs.aveid.net/guides/oauth-authorization-code-flow.md): End-to-end OAuth 2.0 + OIDC flow with full token payload reference, validation steps, and refresh token rotation.
- [PKCE for public clients](https://docs.aveid.net/guides/pkce-for-public-clients.md): Production-grade PKCE implementation for SPAs and mobile apps. Covers the security model, browser storage, common failures, and mobile-specific concerns.
- [Quick Ave](https://docs.aveid.net/guides/quick-ave.md): Add Ave authentication to any site in minutes — no app registration, no client secret, no redirect-URI configuration. Uses PKCE under the hood and is fully upgradeable to the standard OIDC flow.
- [Upgrading from Quick Ave to standard OIDC](https://docs.aveid.net/guides/quick-ave-to-standard.md): Swap Quick Ave for a registered app and unlock refresh tokens, app branding, Connector delegation, E2EE, and confidential clients — with minimal code changes.
- [Scopes and claims](https://docs.aveid.net/guides/scopes-and-claims.md): Every available scope, what JWT claims it adds to id_token and access_token_jwt, and how to design your permission model.
- [Server-side confidential clients](https://docs.aveid.net/guides/server-side-confidential-clients.md): Implement authorization code exchange and token refresh on a trusted server using a client secret.
- [Postgres, SQLite, and JWT auth](https://docs.aveid.net/guides/sql-postgres-jwt-auth.md): Verify Ave id_tokens on your API and upsert users with Drizzle — same identity model as Convex.
- [Ave](https://docs.aveid.net/index.md): Passkey identity, OAuth/OIDC, delegation, signing, and encrypted app-key delivery for modern apps.
- [Quickstart](https://docs.aveid.net/quickstart.md): Register an Ave app, run the OAuth authorization code flow with PKCE, exchange the code, and create your app session.
- [Base URLs, tokens, and concepts](https://docs.aveid.net/reference/base-urls-and-concepts.md): The key concepts you need before integrating: domain split, identity model, token types, and scopes.
- [How Ave works](https://docs.aveid.net/reference/how-it-works.md): A plain-English walkthrough of Ave's architecture: passkey identity, OAuth/OIDC token flow, Connector delegation, Signing, and E2EE.
- [@ave-id/embed](https://docs.aveid.net/sdk/embed-sdk.md): UI integration helpers for Ave auth, Connector, and Signing flows, including iframe, sheet, and popup patterns.
- [@ave-id/sdk](https://docs.aveid.net/sdk/javascript-sdk.md): Typed helpers for Quick Ave, OAuth, Connector delegation, Signing, and framework session integrations.
- [@ave-id/sdk Connector](https://docs.aveid.net/sdk/sdk-connector.md): SDK functions for the Connector (app-to-app delegation) flow: building the consent URL, exchanging delegated tokens, and managing grants.
- [@ave-id/sdk Identity keys](https://docs.aveid.net/sdk/sdk-identity-keys.md): Pass encrypted invites on the Ave authorize URL and receive plaintext after redirect or embed completion.
- [@ave-id/sdk OAuth](https://docs.aveid.net/sdk/sdk-oauth.md): Standard OAuth / PKCE functions for registered Ave apps. Covers PKCE helpers, buildAuthorizeUrl, exchangeCode, refreshToken, fetchUserInfo, and client/server helpers.
- [@ave-id/sdk Signing](https://docs.aveid.net/sdk/sdk-signing.md): SDK functions for the Ave Signing flow: creating requests, polling status, verifying signatures, and presenting the signing UI.
- [Security best practices](https://docs.aveid.net/security/best-practices.md): Hardening checklist for OAuth, OIDC token validation, Connector delegation, and signing workflows.
- [Encryption model and key lifecycle](https://docs.aveid.net/security/encryption-model-and-key-lifecycle.md): How Ave delivers per-app, per-identity encryption keys — and how to handle them safely.
- [Common mistakes and edge cases](https://docs.aveid.net/troubleshooting/common-mistakes-and-edge-cases.md): Frequent integration bugs, protocol mismatches, and how to fix them.

## OpenAPI Specs

- [openapi](https://docs.aveid.net/api-reference/openapi.json)