OAuth 2.0 + OpenID Connect

Sign in to continue

Authenticate with the authorization code flow and PKCE. Tokens are exchanged server-side and stored in the PHP session.

Continue with Tuurio ID Redirects to marcus33.id.tuurio.com

PKCE by default

Proof Key for Code Exchange prevents authorization code interception attacks.

Short-lived tokens

Access tokens expire quickly, scoped to openid profile email.

Session aware

Token state lives server-side. Nothing sensitive reaches the browser.