GET /api/auth/sso/authorize

SSO authorization endpoint for RegardingWork mini-apps.

CRITICAL: Use This Endpoint for SSO. DO NOT use `/login` for SSO integration! Always use `/api/auth/sso/authorize` for RegardingWork mini-app SSO flows. Using the wrong endpoint causes redirect loops and authentication failures.
URL: https://hub.regardingwork.com/api/auth/sso/authorize
Method: GET
Authentication: Session-based (cookies)
Use Case: Mini-app SSO only

Query Parameters
Parameter | Type | Required | Description
---|---|---|---
redirect_uri | string | Yes | Your mini-app callback URL (must be in allowlist)
state | string | No | Optional state parameter for CSRF protection
Complete SSO Flow
Step 1: Mini-app redirects user to Hub
```javascript
// Redirect user to Hub for authentication
const ssoUrl = 'https://hub.regardingwork.com/api/auth/sso/authorize' +
  '?redirect_uri=' + encodeURIComponent('https://game.regardingwork.com/auth/callback') +
  '&state=' + encodeURIComponent('random-state-string');
window.location.href = ssoUrl;
```
Step 2: Hub authenticates user
- If user is logged in → generates JWT token and redirects back
- If user not logged in → shows login form, then redirects back
Step 3: Hub redirects back with token
```
https://game.regardingwork.com/auth/callback?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...&state=random-state-string
```
Step 4: Mini-app validates token
```javascript
// Extract token from URL
const urlParams = new URLSearchParams(window.location.search);
const token = urlParams.get('token');

// Validate token with Hub
const response = await fetch('https://hub.regardingwork.com/api/auth/validate', {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});
const result = await response.json();

if (result.valid) {
  // User is authenticated
  console.log('User:', result.user);
}
```
Common Integration Errors
Error | Cause | Solution
---|---|---
Domain not allowed | redirect_uri not in SSO allowlist | Add domain to allowlist in Hub admin panel
Redirect loops | Using /login instead of SSO endpoint | Use /api/auth/sso/authorize endpoint
Invalid token | Token extraction or validation error | Check URL parsing and validation endpoint
Invalid user data | Using response.username instead of response.user.username | Access user data via response.user object
Approved Mini-app Domains
The following domains are pre-approved for SSO integration:
- game.regardingwork.com
- premium.regardingwork.com
- display.regardingwork.com
- alivefor.com
- localhost:3000 (development)
- localhost:8080 (development)
Need to add a domain? Contact the Hub administrator to add your mini-app domain to the SSO allowlist.
Security & Best Practices
CSRF Protection
- Always use the state parameter
- Verify state matches on callback
- Use cryptographically random state values
Token Security
- Validate tokens immediately upon receipt
- Store tokens securely (localStorage/sessionStorage)
- Handle token expiration gracefully