A real identity layer. Not a login widget.
Most identity products ship a JavaScript SDK and ask you to live inside it. Synq is different. It is a full OpenID Connect issuer, which means anything that speaks OAuth or OIDC works with it: websites, mobile apps, backend services, command-line tools, and AI agents.
Your engineers use the standard library for their stack. Tokens are validated locally against published JWKS keys. There is no proprietary SDK to upgrade, no vendor-specific wrapper to learn, no lock-in.
Every grant type your app types actually need.
A complete OIDC issuer surface, with the grant types and primitives consumer apps and AI-era backends actually use, not a subset.
Web, SPA, and native apps
authorization_code + PKCE for every public-client app type, with the redirect-back flow your engineers already know how to wire up.
Refresh-token rotation
Rotation with reuse detection on every refresh, so a leaked token is automatically invalidated the next time it is used. Built-in, never bolt-on.
Backend service auth
client_credentials grant for machine-to-machine flows, with per-app scope catalogs and audience-bound tokens that your services validate locally.
CLIs and AI agents
RFC 8628 device authorization flow for tools and agents that cannot host a redirect URI. The user authorizes on a phone or browser, the agent gets a token.
Token revocation
RFC 7009 token revocation endpoint. Revoke from your dashboard, from the user-facing settings page, or from your own revocation logic.
JWKS and discovery
Standard /.well-known/openid-configuration and /jwks endpoints. Your services validate tokens locally with cached keys, no callbacks to Synq on the hot path.
Your stack already knows how to talk to Synq.
If your stack uses Passport, Auth.js / NextAuth, Spring Security, passport-openidconnect, openid-client, or the OIDC primitives in Go, Python, Rust, or Elixir, it works with Synq with zero custom code. Add the issuer URL, paste the client ID and secret, ship.
When Synq evolves, the standard does not. Your code keeps working. Same in the other direction: if you outgrow Synq five years from now, the OIDC integration you wrote keeps working against any other compliant issuer.
- authorization_code + PKCE (web, SPA, native, mobile)
- refresh_token with rotation and reuse detection
- client_credentials for backend service-to-service auth
- RFC 8628 device authorization flow (CLI, agent)
- RFC 7009 token revocation
- Standard /.well-known/openid-configuration and JWKS
Standards-grade auth, no proprietary lock-in.
If your stack speaks OIDC, you can be live this afternoon.