Integrator overview (Intastellar Accounts)
For developers wiring web sign-in — React, static sites, SPAs, or server-backed apps.
What you are integrating
Intastellar Accounts issues tokens and sessions after the user authenticates. On the web you typically:
- Register an app and choose public (browser, PKCE) vs confidential (server holds a secret).
- Send the user through authorization (redirect or popup) with a valid redirect URI and state.
- Exchange the authorization code (browser with PKCE, or server with a client secret for confidential clients).
- Store session or tokens according to your threat model — see Sessions, cookies, and tokens.
Choose your path
| Situation | Start here |
|---|---|
| React | Intastellar Sign-In — React and JavaScript |
| Plain HTML / JS (no React) | Plain HTML, CSS, and JavaScript |
| Custom OAuth / mobile / backend | Getting started, then Authorization code flow |
| SPAs, no secret in the browser | SPAs and JavaScript clients |
| Code exchange on your server | Server-side (confidential) clients |
Mental model
- Never put a client secret in front-end code; use PKCE for public clients.
- Redirect URIs must match exactly what is registered — treat them like production config, not string literals scattered in repos.
- Logout and error handling are part of the product surface — see Logout, errors, and troubleshooting.
Testing (integrator)
- Incognito + normal window; hard refresh after changing redirect lists.
- Network tab: authorization request, callback, token exchange (if visible), no unexpected 4xx on your origin.
- Cross-browser spot check (Chrome, Safari, Firefox) if you rely on cookies or storage.
Releases and support
- SDK / package updates: Changelog and npm release notes for
@intastellar/signin-sdk-react. - Product bugs: Contact & support — GitHub issue for Accounts when that option is available.
- Docs wrong or missing: same contact flow for the help repo when offered.
Terminology: Glossary (sign-in). Systematic fixes: Debugging sign-in.
Last updated