UniAuth.ID

Integration Checklist

36 items to verify before going to production. This is what a proper UniAuth integration looks like — not just “got the access_token”. If you're using our SDK, most of these are handled automatically.

Tip: Print this page and tick items off. Every serious OIDC integration should satisfy each box. The difference between “it works” and “it's secure” is on this list.

Discovery & Setup

Use /.well-known/openid-configuration (don't hardcode endpoints)
Cache the discovery document (refresh every 24h)
Register your client in the Developer Console
Add an HTTPS redirect_uri (exact match — no wildcards)

Authorization Flow

Use authorization code flow (no implicit)
Include PKCE (code_challenge_method=S256) — required for all clients
Generate cryptographically random state (CSRF defense)
Generate a nonce and include it in the ID token check
Validate state matches on callback
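
The five items above are one procedure. The following is an added example, not code from UniAuth or its SDK, showing the pieces a client has to generate before redirecting and check when the callback arrives: the S256 PKCE pair, a random state and nonce, and a constant-time state comparison on the callback. CLIENT_ID, REDIRECT_URI and AUTHORIZATION_ENDPOINT are placeholders; a real client reads the endpoint from the discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders for this example; a real client takes these from its
# Developer Console registration and from the discovery document.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"
AUTHORIZATION_ENDPOINT = "https://uniauth.id/authorize"  # assumed; use authorization_endpoint from discovery


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint does with the pair: recompute S256 and compare in constant time."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def begin_login(authorization_endpoint: str = AUTHORIZATION_ENDPOINT) -> tuple:
    """Build the authorization URL and the per-login values the callback must check."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)  # CSRF binding between the browser session and the callback
    nonce = secrets.token_urlsafe(32)  # replay binding, echoed back inside the ID token
    params = {
        "response_type": "code",  # authorization code flow; never "token" (implicit)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = authorization_endpoint + "?" + urlencode(params)
    # Keep these server-side, tied to the user's session; they never go in the URL.
    pending = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return url, pending


def handle_callback(query: dict, pending: dict) -> str:
    """Validate the callback query parameters and return the authorization code."""
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    received_state = query.get("state", "")
    if not secrets.compare_digest(received_state, pending["state"]):
        raise ValueError("state mismatch: possible CSRF or a stale login attempt")
    code = query.get("code")
    if not code:
        raise ValueError("callback without an authorization code")
    # The caller now posts code + pending["code_verifier"] to the token endpoint and,
    # once the ID token arrives, checks its nonce claim against pending["nonce"].
    return code
```

The pending dict is what makes the nonce check in the next section possible: the nonce you compare against has to be the one stored with this login attempt, not one read back from the token.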

ID Token Verification

Fetch JWKS from jwks_uri and cache (refresh every 24h or on kid miss)
Verify RS256 signature using JWKS
Verify iss == 'https://uniauth.id'
Verify aud contains your client_id
Verify exp > now
Verify nonce matches the one you sent
Check auth_time if you set max_age
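
The seven checks above are again one procedure, so here is one added example (not UniAuth code) that covers them: a JWKS cache with the 24h TTL and kid-miss refresh, header handling that pins alg to RS256 and resolves kid, and the claim checks on the decoded payload. The RSA signature verification itself is delegated to whatever JOSE library you use, which should be handed the selected key and alg explicitly; the fetch callable, the clock and CLOCK_SKEW_SECONDS are assumptions of this example.

```python
import base64
import json
import secrets
import time

ISSUER = "https://uniauth.id"
JWKS_TTL_SECONDS = 24 * 3600
CLOCK_SKEW_SECONDS = 60  # tolerated drift between your clock and the issuer's; assumed value


class JwksCache:
    """Holds the JWKS document; refetches after the TTL or when a kid is unknown."""

    def __init__(self, fetch, ttl=JWKS_TTL_SECONDS, now=time.time):
        self._fetch = fetch      # callable returning the parsed JWKS (a dict with "keys")
        self._ttl = ttl
        self._now = now          # injectable clock so the cache can be exercised offline
        self._keys = {}
        self._fetched_at = None
        self.fetch_count = 0

    def _refresh(self):
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def get(self, kid):
        """Return the JWK for kid, or None if the issuer does not publish it."""
        if self._fetched_at is None or self._now() - self._fetched_at > self._ttl:
            self._refresh()
        if kid not in self._keys:
            self._refresh()  # kid miss: keys may have rotated since the last fetch
        return self._keys.get(kid)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_header(token: str) -> dict:
    """Decode the JOSE header only; nothing in it is trusted until the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def select_verification_key(token: str, jwks: JwksCache) -> dict:
    """Enforce alg=RS256 and resolve kid. Pass the returned JWK (and alg) to your JOSE
    library for the actual RSA signature check; never let the token choose the algorithm."""
    header = parse_jwt_header(token)
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")  # rejects "none" and HMAC confusion
    key = jwks.get(header.get("kid"))
    if key is None:
        raise ValueError("no JWK for kid; token was not signed by the issuer's current keys")
    return key


def validate_id_token_claims(payload: dict, client_id: str, expected_nonce: str,
                             now=None, max_age=None) -> dict:
    """Apply the claim checks from the list to an already signature-verified payload."""
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("aud does not contain our client_id")
    if "azp" in payload and payload["azp"] != client_id:
        raise ValueError("azp is not our client_id")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW_SECONDS:
        raise ValueError("exp missing or token expired")
    if not secrets.compare_digest(str(payload.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: replayed or cross-session token")
    if max_age is not None:
        auth_time = payload.get("auth_time")
        if not isinstance(auth_time, (int, float)):
            raise ValueError("auth_time is required when max_age was requested")
        if now - auth_time > max_age + CLOCK_SKEW_SECONDS:
            raise ValueError("authentication is older than max_age allows")
    return payload
```

Order matters: resolve the key and verify the signature first, then run the claim checks on the payload. Claims read from an unverified payload are attacker-controlled input.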

Authorization

Check email_verified before granting trust
Use the groups claim for RBAC (not env-var allowlists)
Check trust_tier for risk-based access control
Use acr claim to enforce step-up (e.g. require MFA for sensitive ops)
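
An added example (not UniAuth code) of an authorization gate that applies the four checks above in order and distinguishes a hard deny from a step-up, where the right response is a fresh authorization request with a stronger acr rather than an error. The page does not define the trust_tier scale or the acr value that denotes MFA, so ACR_MFA and TRUST_TIER_ORDER are placeholders to be replaced with the documented ones.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed for this example only: the checklist does not define the trust_tier scale or
# the acr identifier that denotes MFA. Substitute the values from the claims reference.
ACR_MFA = "urn:example:acr:mfa"                 # placeholder acr for an MFA-backed session
TRUST_TIER_ORDER = ["low", "medium", "high"]     # placeholder ordering, weakest first


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up: bool = False  # True when the caller should re-authenticate with a stronger acr


def authorize(claims: dict, required_group: Optional[str] = None,
              min_trust_tier: Optional[str] = None, require_mfa: bool = False) -> Decision:
    """Gate one action on verified ID token / userinfo claims."""
    # 1. Nothing is trusted from an unverified address, whatever the other claims say.
    if claims.get("email_verified") is not True:
        return Decision(False, "email not verified")
    # 2. Role membership comes from the groups claim, not from a local allowlist.
    groups = claims.get("groups") or []
    if required_group is not None and required_group not in groups:
        return Decision(False, f"missing group {required_group}")
    # 3. Risk-based floor on the session's trust tier (unknown tiers rank below everything).
    if min_trust_tier is not None:
        tier = claims.get("trust_tier")
        if tier not in TRUST_TIER_ORDER or \
                TRUST_TIER_ORDER.index(tier) < TRUST_TIER_ORDER.index(min_trust_tier):
            return Decision(False, f"trust_tier {tier!r} below required {min_trust_tier}")
    # 4. Sensitive operations need an MFA-backed authentication context; if the session
    #    lacks it, ask for step-up instead of denying outright.
    if require_mfa and claims.get("acr") != ACR_MFA:
        return Decision(False, "step-up authentication required", step_up=True)
    return Decision(True, "ok")
```

When `step_up` is set, the usual handling is to send the user back through the authorization endpoint requesting the stronger acr and then re-run this check on the new ID token.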

Token Lifecycle

Store tokens securely (HttpOnly cookie or secure storage)
Refresh access token before expiry (use expires_in)
Rotate refresh tokens (new one returned each refresh)
Handle refresh token reuse errors (family revoked — force re-login)
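
The four lifecycle items above, as one added example that is not UniAuth code: a token set that turns expires_in into an absolute deadline and refreshes ahead of it, a refresh step that always overwrites the refresh token with the rotated one, and handling for the reuse case. The page does not name the error the token endpoint returns when a family is revoked; this example assumes the standard OAuth invalid_grant. The SimulatedTokenEndpoint is a constructed stand-in so the sequence can be run offline; it models the server side of rotation with reuse detection.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REFRESH_MARGIN_SECONDS = 60  # refresh this long before the access token expires; assumed value


class ReauthenticationRequired(Exception):
    """The refresh token family is gone; discard local tokens and send the user to login."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time computed from expires_in when the response arrived
    id_token: Optional[str] = None

    @classmethod
    def from_token_response(cls, body: dict, now: float) -> "TokenSet":
        return cls(body["access_token"], body["refresh_token"],
                   now + float(body["expires_in"]), body.get("id_token"))

    def needs_refresh(self, now: float, margin: float = REFRESH_MARGIN_SECONDS) -> bool:
        return now >= self.expires_at - margin


def refresh(tokens: TokenSet, call_token_endpoint: Callable[[dict], dict], now: float) -> TokenSet:
    """Exchange the refresh token for a new set. The returned set replaces the old one
    entirely; with rotation the old refresh token is dead and must never be sent again."""
    response = call_token_endpoint({"grant_type": "refresh_token",
                                    "refresh_token": tokens.refresh_token})
    if "error" in response:
        if response["error"] == "invalid_grant":
            # Assumed mapping: a rotated-away or revoked refresh token comes back as
            # invalid_grant. Nothing local is worth keeping at this point.
            raise ReauthenticationRequired(response.get("error_description", "refresh token rejected"))
        raise RuntimeError(f"token endpoint error: {response['error']}")
    return TokenSet.from_token_response(response, now)


class SimulatedTokenEndpoint:
    """Constructed stand-in for the real token endpoint. Each login starts a family of
    refresh tokens; every refresh rotates to a new member; presenting a member that was
    already rotated away revokes the whole family, so even the newest token stops working."""

    def __init__(self):
        self._current = {}    # family id -> the single refresh token currently valid
        self._family_of = {}  # refresh token -> family id
        self._revoked = set()
        self._n = 0

    def _issue(self, family: str) -> dict:
        self._n += 1
        rt = f"rt-{family}-{self._n}"
        self._family_of[rt] = family
        self._current[family] = rt
        return {"access_token": f"at-{self._n}", "refresh_token": rt,
                "expires_in": 300, "token_type": "Bearer"}

    def login(self, family: str = "fam1") -> dict:
        return self._issue(family)

    def __call__(self, form: dict) -> dict:
        presented = form.get("refresh_token")
        family = self._family_of.get(presented)
        if family is None or family in self._revoked:
            return {"error": "invalid_grant"}
        if self._current[family] != presented:
            self._revoked.add(family)  # reuse detected: the family is burned
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        return self._issue(family)
```

A client that keeps a stale copy of an old refresh token (a second worker, a retry after a timeout) will trip reuse detection on the real endpoint exactly as the simulator does, which is why refresh must be serialised per user and the stored token overwritten atomically.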

Logout

Use end_session_endpoint for user-initiated logout (not just clear cookie)
Register backchannel_logout_uri for global logout propagation
Verify logout_token signature + iss + aud + events claim
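
An added example (not UniAuth code) of the claim checks for a back-channel logout_token and the handler behind backchannel_logout_uri. It assumes the token's RS256 signature has already been verified against the issuer's JWKS exactly as for an ID token, and it goes beyond the three claims named above to the other checks the OpenID Back-Channel Logout specification requires: the events member must be the backchannel-logout event URI, a nonce must be absent, sub or sid must be present, and jti is used to reject replays. LOGOUT_TOKEN_MAX_AGE_SECONDS and the session_store shape are assumptions of the example.

```python
import time

ISSUER = "https://uniauth.id"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
LOGOUT_TOKEN_MAX_AGE_SECONDS = 120  # how old a logout token may be when received; assumed value


class LogoutTokenValidator:
    """Claim checks for a logout_token whose signature has already been verified."""

    def __init__(self, client_id: str, now=time.time):
        self._client_id = client_id
        self._now = now
        self._seen_jti = set()  # replay protection; back this with shared storage across instances

    def validate(self, payload: dict) -> tuple:
        if payload.get("iss") != ISSUER:
            raise ValueError("iss mismatch")
        aud = payload.get("aud")
        audiences = [aud] if isinstance(aud, str) else list(aud or [])
        if self._client_id not in audiences:
            raise ValueError("aud does not contain our client_id")
        iat = payload.get("iat")
        if not isinstance(iat, (int, float)) or self._now() - iat > LOGOUT_TOKEN_MAX_AGE_SECONDS:
            raise ValueError("iat missing or logout token too old")
        events = payload.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            raise ValueError("events claim does not declare a back-channel logout")
        if "nonce" in payload:
            # A logout token must not carry a nonce; this keeps an ID token from being
            # presented as a logout token.
            raise ValueError("logout token must not contain a nonce")
        sub, sid = payload.get("sub"), payload.get("sid")
        if sub is None and sid is None:
            raise ValueError("logout token needs sub or sid")
        jti = payload.get("jti")
        if not jti or jti in self._seen_jti:
            raise ValueError("missing or replayed jti")
        self._seen_jti.add(jti)
        return sub, sid


def handle_backchannel_logout(payload: dict, validator: LogoutTokenValidator,
                              session_store: dict) -> int:
    """Revoke the matching local sessions and return the HTTP status to answer with.
    session_store maps a session key to {"sub": ..., "sid": ...} (assumed shape).
    A 400 here is what the issuer sees as a failed propagation, hence the 4xx alert."""
    try:
        sub, sid = validator.validate(payload)
    except ValueError:
        return 400
    for key, session in list(session_store.items()):
        # sid present: end that one session; sub only: end every session of that user.
        if (sid is not None and session.get("sid") == sid) or \
                (sid is None and session.get("sub") == sub):
            del session_store[key]
    return 200
```

The handler answers 200 whether or not any local session matched, since a token for a session this client never saw is still a valid logout; only a token that fails validation gets a 400.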

Security

Validate redirect_uri on every callback (exact match)
Use Content-Security-Policy with frame-ancestors 'none' on OAuth pages
Rate limit your callback endpoint
Don't log access/refresh/id tokens
Rotate client_secret periodically via Developer Console

Observability

Log the authentication method (amr) for audit trails
Log the authentication context class (acr)
Monitor /userinfo 401s — may indicate revoked sessions
Alert on back-channel logout 4xx responses

Still Missing Something?

If you're unsure whether your integration covers all these boxes, check the Error Reference, or join us on support.