Overview | SeloraX Developer Docs

SeloraX acts as an OAuth 2.0 Identity Provider, letting external websites authenticate SeloraX users — both merchants and customers. This works like "Sign in with Google" or "Sign in with Apple": your website redirects users to SeloraX, they log in and grant consent, and you receive verified profile data back.

:::info This is separate from the App OAuth system The App OAuth flow lets SeloraX apps access store data (orders, products, etc.). This Identity Provider lets external websites authenticate SeloraX users and read their profile. :::

How It Works

┌──────────────┐     1. Redirect to /api/oauth/authorize     ┌──────────────┐
│              │ ──────────────────────────────────────────▶  │              │
│  Your        │     2. User logs in & grants consent         │   SeloraX    │
│  Website     │  ◀──────────────────────────────────────────  │   Platform   │
│              │     (redirect back with auth code)           │              │
│              │     3. POST /api/oauth/token                 │              │
│              │ ──────────────────────────────────────────▶  │              │
│              │     4. Access token + refresh token           │              │
│              │  ◀──────────────────────────────────────────  │              │
│              │     5. GET /api/oauth/userinfo                │              │
│              │ ──────────────────────────────────────────▶  │              │
│              │     6. User profile (name, email, etc.)      │              │
│              │  ◀──────────────────────────────────────────  │              │
└──────────────┘                                              └──────────────┘

Your website redirects the user to the SeloraX authorization endpoint
The user logs in (if not already) and approves the consent screen
SeloraX redirects back to your site with an authorization code
Your server exchanges the code for access + refresh tokens
Your server calls the UserInfo endpoint with the access token
You receive the user's profile data filtered by the scopes you requested

User Types

Both types of SeloraX users can authenticate:

User Type	Description	Subject Format
Customer	End-users who shop on SeloraX stores	`customer:42`
Merchant	Store owners/admins who manage stores	`merchant:7`

The user type is automatically detected from the logged-in session — you don't need to specify it.

Scopes

Scopes control what profile data your application can access:

Scope	Claims Returned	Description
`openid`	`sub`	User identifier (e.g. `customer:42`)
`profile`	`name`, `picture`	Display name and avatar URL
`email`	`email`, `email_verified`	Email address and verification status
`phone`	`phone_number`, `phone_number_verified`	Phone number and verification status
`store`	`store_id`, `store_name`, `role`	Store context and user's role

Always request openid as the base scope. Add others based on what your application needs.

Token Reference

Type	Prefix	TTL	Storage
Client ID	`sx_oc_`	N/A	Plaintext
Client Secret	`sx_os_`	N/A	bcrypt hash
Auth Code	`sx_ic_`	60 seconds	SHA256 hash
Access Token	`sx_it_`	1 hour	SHA256 hash (prefix-indexed)
Refresh Token	`sx_ir_`	30 days	SHA256 hash

:::warning Access tokens are short-lived (1 hour). Use refresh tokens to obtain new access tokens without re-prompting the user. :::

Quick Start

Register an OAuth client to get your client_id and client_secret
Redirect users to the authorization endpoint with your requested scopes
Exchange the auth code for tokens on your server
Fetch user profile data with the access token
Optionally implement PKCE for single-page applications

Base URLs

Environment	Base URL
Production	`https://api.selorax.io`
Development	`https://api-dev.selorax.io`

OIDC Discovery

The OpenID Connect discovery document is available at:

GET /api/oauth/.well-known/openid-configuration

See OIDC Discovery for the full document.