> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thanx.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO) Overview

> This section describes the process of authenticating with Thanx via Thanx SSO.

Thanx SSO authenticates the user via a password-less flow using email
authentication, rather than a password. This reduces the friction of a user
having to manage yet another password as well as reduces the friction of
transitioning an existing user-base to Thanx.

Thanx follows the standard OAuth 2.0 spec, using the Authorization Code grant
type. Refer to the
[OAuth 2.0 Authorization Framework RFC: Section 4.1](https://www.rfc-editor.org/rfc/rfc6749#section-4.1)
for additional details.

## Authentication Flows

Thanx supports two OAuth authentication flows:

### Standard Passwordless Flow

Here is what the standard flow would look like:

1. User navigates to the partner website and clicks an authentication button.
2. The partner website prompts the user to input an email address
3. The partner website makes a request to the `POST /oauth/authorize` endpoint
   described below. (Continue to #4 or #5)
4. If no account exists for the specified email address, a 401 error is thrown.
   A user can be created via the `POST /users` endpoint.
5. If an account exists for the specified email address, an auth email is sent
   to specified email. The user clicks the auth email link which redirects to
   the partner website at the specified `redirect_uri` with an authorization
   code in the params.
6. Partner website exchanges the authorization code for an access token via the
   `POST /oauth/token` endpoint described below. User is now authenticated with
   the Thanx system through the returned access token.

<Note>
  SSO authenticates a user and issues a token — it does **not** enroll them with
  the merchant. A user who signs in via SSO but has no membership will get empty
  tier/reward responses until enrolled via [`POST /users`](/consumer/users/create-user).
</Note>

### Cross-Domain Flow

For users who are already authenticated on one domain and need to be transferred to another domain (e.g., rewards.thanx.com → order.thanx.com), Thanx provides a seamless cross-domain authentication flow:

1. User is already authenticated on the source domain with a valid access token.
2. Source application makes a request to the `POST /oauth/authorize-cross-domain` endpoint with the user's access token.
3. The endpoint immediately returns an authorization code (no email is sent).
4. Source application redirects the user to the target domain with the authorization code: `target-domain.com/path?code=...`
5. Target domain exchanges the authorization code for an access token via the `POST /oauth/token` endpoint. User is now authenticated on the target domain.

This flow enables seamless cross-domain single sign-on without requiring users to check their email or re-authenticate.
