ExtremeX ONEMy Account

Integrate ExtremeX ONE

Give your app single sign-on, verified identity, and per-app user data with the exONE SDK. One account, every ExtremeX app.

1 · Register your application

Apps are registered by the platform team (contact [email protected]). You receive a client_id and a client_secret; your redirect URIs and allowed scopes are locked to the registration.

2 · Send users to the consent screen

<script src="https://api.extremextechnology.com/one/sdk/exone.js"></script>
<script>
  exONE.init({
    clientId: "exone_xxxxxxxxxxxx",
    redirectUri: "https://yourapp.extremextechnology.com/callback",
  });

  // Anywhere in your app:
  exONE.auth.login({ scope: "profile email attributes offline" });
</script>

Scopes: profile (name, username, avatar) · email · attributes (your app's own namespaced user data) · offline (refresh token). The SDK sends users to the consent screen at https://one.extremextechnology.com/oauth/authorize; all machine endpoints live on https://api.extremextechnology.com/one.

3 · Exchange the code (server-side)

Your callback receives ?code=…. Exchange it on your backend — the client secret never ships to a browser.

POST https://api.extremextechnology.com/one/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "…",
  "client_id": "exone_xxxxxxxxxxxx",
  "client_secret": "…",
  "redirect_uri": "https://yourapp.extremextechnology.com/callback"
}

→ { "access_token": "…", "refresh_token": "…", "expires_in": 3600 }

4 · Use the APIs

// Identity (respects the user's consent, checked live)
GET https://api.extremextechnology.com/one/oauth/userinfo
Authorization: Bearer <access_token>
→ { "sub": "…", "name": "…", "username": "…", "email": "…" }

// Your app's namespaced user data (scope: attributes)
exONE.auth.setTokens({ access_token, refresh_token });
await exONE.data.write({ high_score: 9001, theme: "dark" });
const all = await exONE.data.list();     // { high_score: 9001, theme: "dark" }
const one = await exONE.data.read("high_score");
await exONE.data.remove("theme");

Data is namespaced to your app_id automatically — no application can read or write another application's keys.

5 · Refresh & revocation

POST https://api.extremextechnology.com/one/oauth/token
{ "grant_type": "refresh_token", "refresh_token": "…",
  "client_id": "…", "client_secret": "…" }

Refresh tokens rotate on every use. When a user disconnects your app from their ONE portal, consents and refresh tokens die immediately, and userinfo starts returning 403 access_revoked even for live access tokens.