Developers · Auth · Onboarding

Onboarding checklist

Step-by-step bring-up for a new app on Tanvrit auth. Allow ~30 minutes the first time, ~5 minutes thereafter.

  1. Pick your auth mode

    Read the three modes. Most teams start with Mode A (no setup) and graduate to Mode B or C when they care about consent-screen branding or third-party SSO.

  2. Register your app

    Open the developer portal and create a row in PlatformProfile:

    • appId — reverse-DNS string (e.g. com.example.demo). Used as the X-App-ID header on every request and as the OIDC client_id for Mode C.
    • label — human-readable display name.
    • oauthMode"shared" (Mode A) or "byo" (Mode B). Mode C is configured separately as an OIDC client.
    • branding — logo, primary color, terms / privacy URLs (used by hosted login and consent screens).

  3. (Mode B only) Register OAuth apps with each provider

    Go to Google Cloud Console / Apple Developer / Meta / GitHub and register an OAuth app. For each provider:

    • Set the redirect URI to a URL on your domain.
    • Copy the client_id and client_secret back to the developer portal under Provider credentials.

    Tanvrit encrypts the secrets at rest with AES-256-GCM; they're never echoed back via any API.

  4. (Mode C only) Register your relying party

    In the developer portal under OIDC clients, create a row with:

    • client_id — your relying party identifier.
    • client_secret — only for confidential clients.
    • redirect_uris — every URL you'll redirect users back to (exact-match allowlist enforced).

  5. Wire the SDK in your app

    Add the Tanvrit auth SDK to your Gradle build:

    // Gradle
implementation("com.tanvrit:auth:2.0.4")
implementation("com.tanvrit:auth-ui:2.0.4")  // optional, for TanvritAuthScreen

    Initialize the SDK at app start with your appId:

    TanvritSDK.init {
    appId = "com.example.demo"
    apiKey = BuildConfig.TANVRIT_API_KEY  // from the developer portal
    brandSeedColor = 0xFF6F4D2AUL          // your brand color
}

  6. Implement the auth flow

    • Mode A / B: drop in TanvritAuthScreen from auth-ui; it handles all 10 providers.
    • Mode C: use the SignInWithTanvrit helper or any standard OIDC library.

  7. Verify end-to-end

    • Sign in. Confirm the consent screen brand matches what you expect for your mode.
    • Confirm the resulting JWT contains appId matching your registered appId.
    • Hit a protected API (e.g. GET /api/v1/auth/me) and confirm the response is for the right user.

  8. Monitor

    Every auth event lands in auth_audit_log (90-day TTL). Surface a "recent auth events" view in your admin dashboard or check from the developer portal.

Need help? Email developers@tanvrit.com or open an issue at github.com/Tanvrit/server.