Overview
Use the signed bridge to embed login/register without CORS.
Prerequisites
- Access to your site codebase and hosting
Permissions required
Downloads & Templates
Steps (4)
-
1
Create a connection
Settings → Integrations → Connections → New. Copy client_id and client_secret.
Tips
—
Validation
- Public URL for bridge endpoints is shown.
Success criteria
—
-
2
Install bridge files
Drop **ag.php** and **ag.js** on your site. Set AG_ID/AG_SECRET and AccessGuard base URL.
Tips
- Restrict bridge path by IP/rate-limit on your edge.
Validation
—
Success criteria
—
-
3
Embed login component
Use <accessguard-login> or call ag.login() to open the hosted flow.
Tips
—
Validation
—
Success criteria
- JWT issued and session cookie stored on your domain.
-
4
Verify signature & replay window
Confirm X-Ag-Id/Ts/Sig headers validate and 60-second window is enforced.
Tips
—
Validation
—
Success criteria
—
About this guide
AccessGuard secures apps and external sites with hosted authentication and short-lived JWTs. Enable MFA, define RBAC permissions, and connect enterprise identity via SAML or OIDC. A lightweight HMAC bridge lets you embed login, registration, and token refresh flows on any domain without CORS pain.
Admins manage users, sessions, connections, and policies from one console. Profiles consolidate verified emails/phones, consents, KYC docs, and risk flags. Events and metrics provide visibility for security and ops.
Designed for velocity and safety: opinionated defaults, least-privilege keys, Prometheus counters, and exportable audit logs.