Concepts
Challenge and deep links.
VibeID signs one exact challenge string, and the browser launches that request with a compact deep link.
Challenge payload
Store the original string and verify the returned signature over that exact value.
signin.v1.<requestId>.<nonce>.<issuedAt36>.<expiresAt36>.<originBase64Url>

| Field | Rule |
|---|---|
| requestId | Unique server-generated id for this sign-in attempt. |
| nonce | Base64url string with at least 96 bits of random entropy. |
| issuedAt36 | Unix timestamp in milliseconds, encoded in base36. |
| expiresAt36 | Unix timestamp in milliseconds, encoded in base36 and greater than issuedAt36. |
| originBase64Url | Base64url UTF-8 origin, normalized to scheme + host + optional port. |
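
The field rules above can be enforced in code when a challenge is issued and again when it comes back. The following is an added example for Node.js, not VibeID project code; the function names, the 16-byte id and nonce sizes, the 2-minute lifetime, the dot-free `requestId` and the lowercase base36 check are assumptions.

```javascript
// Added example, not VibeID project code: issue and check a signin.v1 challenge.
const { randomBytes } = require("node:crypto");

const b64url = (s) => Buffer.from(s, "utf8").toString("base64url");

// Normalize to scheme + host + optional port, per the field table.
function normalizeOrigin(input) {
  const u = new URL(input);
  if (u.protocol !== "https:" && u.protocol !== "http:") throw new Error("unsupported scheme");
  return u.origin; // lowercases host, drops path/query and default ports
}

// Assumptions: 16-byte hex requestId (no dots), 16-byte nonce, 2-minute lifetime.
function issueChallenge(origin, now = Date.now(), ttlMs = 120000) {
  const requestId = randomBytes(16).toString("hex");
  const nonce = randomBytes(16).toString("base64url"); // 128 bits, above the 96-bit floor
  return ["signin.v1", requestId, nonce, now.toString(36), (now + ttlMs).toString(36),
    b64url(normalizeOrigin(origin))].join(".");
}

// Parse a base36 millisecond timestamp; 10 digits keeps the value a safe integer.
function parseTime36(s) {
  if (!/^[0-9a-z]{1,10}$/.test(s)) throw new Error("bad timestamp");
  return parseInt(s, 36);
}

function parseChallenge(payload, expectedOrigin, now = Date.now()) {
  const parts = payload.split(".");
  if (parts.length !== 7 || parts[0] !== "signin" || parts[1] !== "v1") throw new Error("bad format");
  const [, , requestId, nonce, issued36, expires36, originB64] = parts;
  if (!requestId) throw new Error("empty requestId");
  // 16 base64url characters carry 96 bits, so a shorter nonce cannot meet the rule.
  // Length bounds capacity only; the randomness itself comes from the issuer's CSPRNG.
  if (!/^[A-Za-z0-9_-]{16,}$/.test(nonce)) throw new Error("weak nonce");
  const issuedAt = parseTime36(issued36), expiresAt = parseTime36(expires36);
  if (expiresAt <= issuedAt) throw new Error("expiry not after issue");
  if (now >= expiresAt) throw new Error("expired");
  const origin = normalizeOrigin(expectedOrigin);
  if (originB64 !== b64url(origin)) throw new Error("origin mismatch");
  return { requestId, nonce, issuedAt, expiresAt, origin };
}
```

This covers format, freshness and origin binding only; the returned payload is still compared with the stored string and the signature verified over that exact value.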
Deep link contract
Short aliases keep QR codes smaller; long names are accepted too.
| Name | Alias | Required | Meaning |
|---|---|---|---|
| payload | p | yes | The exact payload to sign. For sign-in, this is the signin.v1 challenge. |
| callback | c | yes | The HTTP(S) endpoint where VibeID posts the signed result. |
| kind | k | recommended | Use signin for browser sign-in UX. |
| requestId | r | optional | Explicit request id. If omitted, VibeID extracts it from signin.v1. |
| didHint | d | optional | Preferred local DID. The user can still choose another local identity. |
| v | - | optional | Protocol version. Defaults to 1. |