Authentication & SSO

The entire xAI ecosystem uses one central identity service — xAI Identity. Sign in once, and the session is valid across every product.

The SSO model

On sign-in, xAI Identity sets the xv_session cookie with Domain=.xai.io.vn (HttpOnly). Because the cookie is domain-scoped, the browser sends it automatically to every subdomain — identity, governance, blockchain, and your app.

Option 1 — Introspection (recommended)

Call GET /api/session with the cookie. The endpoint supports CORS for any *.xai.io.vn, so it works directly from the browser.

curl 'https://identity.xai.io.vn/api/session' \
  -H 'Cookie: xv_session=<token>' \
  -H 'Origin: https://your-app.xai.io.vn'

Response:

{
  "authenticated": true,
  "realmId": "xvalley",
  "user": {
    "id": "usr_8f2c…",
    "email": "dev@partner.vn",
    "name": "Nguyễn An",
    "avatar_color": "#4f46e5"
  },
  "memberships": [
    { "org_id": "org_12ab", "org_name": "Đối tác ABC", "role": "admin" }
  ]
}

Option 2 — Redirect to sign-in

If the user is not signed in, redirect them to the central sign-in page with a return parameter:

https://identity.xai.io.vn/login
  ?client_id=<your-app>
  &realm=xvalley
  &redirect=<return-url-after-sign-in>

Option 3 — Shared D1 binding (advanced)

Products on Cloudflare can bind the shared xvalley_iam identity database and validate tokens locally — skipping a network round-trip. Use this when your product is part of the xAI ecosystem.

Authorization (RBAC)

Permissions are assigned per organization via memberships, with four roles:

Role      Description
admin     Full control within the org
officer   Business officer (e.g. governance)
steward   Data steward
viewer    Read-only
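Putting Options 1 and 2 and the role table together: the following is an added example (not code from the xAI docs) of a Cloudflare Worker-style request guard that introspects the xv_session cookie, redirects to the central sign-in page when the session is missing or invalid, and enforces an org role from memberships. The role check uses an allow-list rather than a ranking, since the table defines no hierarchy; CLIENT_ID is a placeholder and the fetch implementation is injectable so the logic can run offline.

```javascript
// Added example, not code from the xAI docs. Assumes the /api/session and /login
// shapes shown above; CLIENT_ID is a placeholder for your registered client_id.
const IDENTITY_URL = "https://identity.xai.io.vn";
const CLIENT_ID = "your-app"; // placeholder

// Extract xv_session from a Cookie header; null when absent.
function getSessionToken(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "xv_session" && rest.length) return rest.join("=");
  }
  return null;
}

// Option 1: forward only the session cookie to GET /api/session.
async function introspect(token, origin, fetchImpl = fetch) {
  const res = await fetchImpl(`${IDENTITY_URL}/api/session`, {
    headers: { Cookie: `xv_session=${token}`, Origin: origin },
  });
  return res.ok ? res.json() : { authenticated: false };
}

// Option 2: build the sign-in URL with the caller's URL as the return target.
function loginUrl(returnUrl) {
  const u = new URL(`${IDENTITY_URL}/login`);
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("realm", "xvalley");
  u.searchParams.set("redirect", returnUrl);
  return u.toString();
}

// True when the session holds one of `allowedRoles` in `orgId`.
function hasRole(session, orgId, allowedRoles) {
  return (session.memberships || []).some(
    (m) => m.org_id === orgId && allowedRoles.includes(m.role)
  );
}

// Returns null to let the request through, otherwise a Response to send back.
async function guard(request, orgId, allowedRoles, fetchImpl = fetch) {
  const token = getSessionToken(request.headers.get("Cookie"));
  const origin = new URL(request.url).origin;
  const session = token
    ? await introspect(token, origin, fetchImpl)
    : { authenticated: false };
  if (!session.authenticated) return Response.redirect(loginUrl(request.url), 302);
  if (!hasRole(session, orgId, allowedRoles)) return new Response("Forbidden", { status: 403 });
  return null;
}
```

The guard runs server-side, so the secret-bearing decision (is this user an admin of this org?) never depends on client-supplied claims, only on what xAI Identity returns for the cookie.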

Security

Never put secret keys or private keys on the client. Sensitive operations (on-chain signing, credential issuance) run server-side with keys stored in Cloudflare secrets.

See the Identity API reference →