Thanx SSO authenticates the user with a password-less flow based on email verification. This spares the user from managing yet another password and makes it easier to move an existing user base onto Thanx. Thanx follows the standard OAuth 2.0 specification, using the Authorization Code grant type. Refer to RFC 6749, The OAuth 2.0 Authorization Framework, Section 4.1 for additional details.

Authentication Flows

Thanx supports two OAuth authentication flows:

Standard Passwordless Flow

The standard flow looks like this:
  1. User navigates to the partner website and clicks an authentication button.
  2. The partner website prompts the user to input an email address.
  3. The partner website makes a request to the POST /oauth/authorize endpoint described below. (Continue to #4 or #5.)
  4. If no account exists for the specified email address, a 401 error is returned. A user can be created via the POST /users endpoint.
  5. If an account exists for the specified email address, an auth email is sent to that address. The user clicks the link in the auth email, which redirects to the partner website at the specified redirect_uri with an authorization code in the query parameters.
  6. The partner website exchanges the authorization code for an access token via the POST /oauth/token endpoint described below. The user is now authenticated with the Thanx system through the returned access token.

Cross-Domain Flow

For users who are already authenticated on one domain and need to be transferred to another domain (e.g., rewards.thanx.com → order.thanx.com), Thanx provides a seamless cross-domain authentication flow:
  1. User is already authenticated on the source domain with a valid access token.
  2. Source application makes a request to the POST /oauth/authorize-cross-domain endpoint with the user’s access token.
  3. The endpoint immediately returns an authorization code (no email is sent).
  4. Source application redirects the user to the target domain with the authorization code: target-domain.com/path?code=...
  5. Target domain exchanges the authorization code for an access token via the POST /oauth/token endpoint. User is now authenticated on the target domain.
This flow enables seamless cross-domain single sign-on without requiring users to check their email or re-authenticate.
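The following is an added example of the partner (relying-party) side of both flows above, the standard passwordless flow and the cross-domain flow; it is not Thanx's own code. Because the request and response fields of the three endpoints are described elsewhere in this documentation, the field names used here (`client_id`, `redirect_uri`, `email`, `state`, `grant_type`, `code`, `client_secret`, `access_token`) are assumptions taken from RFC 6749 rather than confirmed Thanx parameters, and `FakeThanx` is a constructed in-memory stand-in for the endpoints so the example runs offline. The single-use and redirect_uri binding of codes in the stand-in, and the `state` check in the partner, are the checks RFC 6749 expects a relying party to rely on, not documented Thanx behaviour.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class FakeThanx:
    """Constructed in-memory stand-in for the three Thanx endpoints (runs offline).
    Field names and the redirect_uri binding of codes are assumptions for the example."""

    def __init__(self, accounts):
        self.accounts = set(accounts)  # emails that already have a Thanx account
        self.codes = {}                # code -> (email, redirect_uri it was issued for)
        self.tokens = {}               # access_token -> email
        self.outbox = []               # auth-email links the user would click

    def _issue_code(self, email, redirect_uri):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (email, redirect_uri)
        return code

    def request(self, method, path, headers, body):
        if path == "/oauth/authorize":
            if body["email"] not in self.accounts:
                return 401, {"error": "unknown_account"}   # step 4: no account yet
            code = self._issue_code(body["email"], body["redirect_uri"])
            self.outbox.append(body["redirect_uri"] + "?" +
                               urlencode({"code": code, "state": body["state"]}))
            return 200, {"status": "email_sent"}
        if path == "/oauth/authorize-cross-domain":
            token = headers.get("Authorization", "").removeprefix("Bearer ")
            if token not in self.tokens:
                return 401, {"error": "invalid_token"}
            return 200, {"code": self._issue_code(self.tokens[token], body["redirect_uri"])}
        if path == "/oauth/token":
            email, issued_for = self.codes.pop(body.get("code"), (None, None))  # single use
            if email is None or issued_for != body.get("redirect_uri"):
                return 400, {"error": "invalid_grant"}
            token = secrets.token_urlsafe(32)
            self.tokens[token] = email
            return 200, {"access_token": token, "token_type": "bearer"}
        return 404, {"error": "not_found"}


class PartnerApp:
    """One partner domain. `send(method, path, headers, body) -> (status, json)` can be
    FakeThanx.request or a thin wrapper around a real HTTP client."""

    def __init__(self, send, client_id, client_secret, redirect_uri):
        self.send, self.client_id, self.client_secret = send, client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending = {}  # state -> email for callbacks we are still waiting on

    def start_passwordless(self, email):
        """Standard flow step 3. Returns the state to keep in the user's session,
        or None when Thanx answers 401 (no account for that email)."""
        state = secrets.token_urlsafe(16)
        status, _ = self.send("POST", "/oauth/authorize", {}, {
            "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "email": email, "state": state})
        if status == 401:
            return None  # create the account via POST /users, then call again
        self.pending[state] = email
        return state

    def handle_callback(self, url):
        """Standard flow steps 5-6: check state, then exchange the emailed code."""
        q = parse_qs(urlsplit(url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending:
            raise PermissionError("callback with unknown or already-used state")
        del self.pending[state]
        return self._exchange(q["code"][0])

    def cross_domain_link(self, access_token, target_uri):
        """Cross-domain steps 2-4: turn a valid access token into a code for target_uri."""
        status, data = self.send("POST", "/oauth/authorize-cross-domain",
                                 {"Authorization": "Bearer " + access_token},
                                 {"redirect_uri": target_uri})
        if status != 200:
            raise PermissionError("source token rejected: " + data.get("error", "?"))
        return target_uri + "?" + urlencode({"code": data["code"]})

    def accept_cross_domain(self, url):
        """Cross-domain step 5, on the target domain: exchange the code from the URL."""
        return self._exchange(parse_qs(urlsplit(url).query)["code"][0])

    def _exchange(self, code):
        status, data = self.send("POST", "/oauth/token", {}, {
            "grant_type": "authorization_code", "code": code,
            "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri})
        if status != 200:
            raise PermissionError("token exchange failed: " + data.get("error", "?"))
        return data["access_token"]
```

Two practical points follow from the flows as documented. First, the 401 on an unknown email tells the partner whether an address is registered; if the partner UI shows a different message for "check your email" versus "no account", that difference is visible to anyone typing addresses into the form, so it is worth responding uniformly and doing the account creation via POST /users behind the same screen. Second, in the cross-domain flow the code travels in a URL query string, where it ends up in browser history and server logs, so the target domain should redeem it immediately and treat it as single-use, as the stand-in above does; the `state` check in `handle_callback` is the standard OAuth 2.0 defence against a callback the partner never initiated.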