Give your app single sign-on, verified identity, and per-app user data with the exONE SDK. One account, every ExtremeX app.
Apps are registered by the platform team (contact [email protected]). You receive a client_id and a client_secret; your redirect URIs and allowed scopes are locked to the registration.
<script src="https://api.extremextechnology.com/one/sdk/exone.js"></script>
<script>
exONE.init({
clientId: "exone_xxxxxxxxxxxx",
redirectUri: "https://yourapp.extremextechnology.com/callback",
});
// Anywhere in your app:
exONE.auth.login({ scope: "profile email attributes offline" });
</script>Scopes: profile (name, username, avatar) · email · attributes (your app's own namespaced user data) · offline (refresh token). The SDK sends users to the consent screen at https://one.extremextechnology.com/oauth/authorize; all machine endpoints live on https://api.extremextechnology.com/one.
Your callback receives ?code=…. Exchange it on your backend — the client secret never ships to a browser.
POST https://api.extremextechnology.com/one/oauth/token
Content-Type: application/json
{
"grant_type": "authorization_code",
"code": "…",
"client_id": "exone_xxxxxxxxxxxx",
"client_secret": "…",
"redirect_uri": "https://yourapp.extremextechnology.com/callback"
}
→ { "access_token": "…", "refresh_token": "…", "expires_in": 3600 }// Identity (respects the user's consent, checked live)
GET https://api.extremextechnology.com/one/oauth/userinfo
Authorization: Bearer <access_token>
→ { "sub": "…", "name": "…", "username": "…", "email": "…" }
// Your app's namespaced user data (scope: attributes)
exONE.auth.setTokens({ access_token, refresh_token });
await exONE.data.write({ high_score: 9001, theme: "dark" });
const all = await exONE.data.list(); // { high_score: 9001, theme: "dark" }
const one = await exONE.data.read("high_score");
await exONE.data.remove("theme");Data is namespaced to your app_id automatically — no application can read or write another application's keys.
POST https://api.extremextechnology.com/one/oauth/token
{ "grant_type": "refresh_token", "refresh_token": "…",
"client_id": "…", "client_secret": "…" }Refresh tokens rotate on every use. When a user disconnects your app from their ONE portal, consents and refresh tokens die immediately, and userinfo starts returning 403 access_revoked even for live access tokens.