
Quickstart

This guide takes you from no account to a user signed into your app in five minutes. After that you fork into three paths: integrate it seriously into your SaaS, hand it to an agent, or keep admin-ing from the dashboard.

  1. Sign up at app.prysmid.com.

    Head to app.prysmid.com and sign in with Google or GitHub. No card required — the Free plan never expires and covers 10k MAU.

  2. Create your first workspace.

    After your first login we ask for a slug (e.g. acme). That slug becomes auth.acme.prysmid.com — the domain where your users will sign in. Provisioning takes 60-90 seconds: we spin up a dedicated instance for your workspace, configure OIDC, default branding and SMTP.

  3. Register your first OAuth app.

    In your workspace dashboard, go to Apps → New app. It asks for:

    • Name: My SaaS dev
    • Redirect URIs: http://localhost:3000/auth/callback (for local dev) — you can add more later
    • Type: Web (server-side) or SPA (browser)

    You get a client_id (public) and a client_secret (shown once — copy it).

  4. Wire your local app.

    Your app talks to Prysm:ID over standard OIDC. Endpoints:

    Issuer: https://auth.acme.prysmid.com
    Authorization: https://auth.acme.prysmid.com/oauth/v2/authorize
    Token: https://auth.acme.prysmid.com/oauth/v2/token
    UserInfo: https://auth.acme.prysmid.com/oidc/v1/userinfo
    JWKS: https://auth.acme.prysmid.com/oauth/v2/keys

    Any decent OIDC library works. For example, with openid-client in Node.js:

    import { Issuer } from 'openid-client';

    // Discovery reads the endpoints listed above from the issuer's metadata.
    const issuer = await Issuer.discover('https://auth.acme.prysmid.com');

    // Keep the secret in the environment, never in source control.
    const client = new issuer.Client({
      client_id: process.env.PRYSMID_CLIENT_ID,
      client_secret: process.env.PRYSMID_CLIENT_SECRET,
      redirect_uris: ['http://localhost:3000/auth/callback'],
      response_types: ['code'],
    });

  5. Try the login.

    Run your local app and hit your login flow. Your app redirects to auth.acme.prysmid.com, the user enters email + password (or signs up), and comes back to your callback with an authorization_code. Exchange it for a JWT id_token carrying sub, email, name.

    That sub is the stable user identifier in your workspace. Store it alongside your user record.
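Before the sub from step 5 goes into your user record, the id_token has to be verified against the JWKS endpoint and the values your client expects. The sketch below is an added example, not Prysm:ID or openid-client code; it shows the checks an OIDC library runs for you. Assumptions: RS256 signing, a hypothetical client_id `demo-client-id`, and a throwaway key pair standing in for the workspace JWKS.

```javascript
// Load node:crypto under either CommonJS or ES modules.
const crypto = typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const ISSUER = 'https://auth.acme.prysmid.com'; // issuer from this guide
const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify an RS256 id_token against a JWKS and the values this client expects.
function verifyIdToken(token, jwks, { clientId, nonce, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const header = parse(h);
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm (assumed RS256)
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const c = parse(p);
  if (c.iss !== ISSUER) throw new Error('wrong issuer');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(clientId)) throw new Error('wrong audience'); // token minted for another app
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (c.nonce !== nonce) throw new Error('nonce mismatch'); // ties the token to this login attempt
  return c;
}

// Constructed sample data: a throwaway key pair stands in for the workspace signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key', use: 'sig' }] };

function signSample(claims, header = { alg: 'RS256', kid: 'demo-key' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const SAMPLE_CLAIMS = { iss: ISSUER, aud: 'demo-client-id', sub: '1234567890', email: 'dev@example.com',
  name: 'Dev User', nonce: 'n-constructed', exp: Math.floor(Date.now() / 1000) + 300 };

const verified = verifyIdToken(signSample(SAMPLE_CLAIMS), SAMPLE_JWKS,
  { clientId: 'demo-client-id', nonce: 'n-constructed' });
console.log('store this sub:', verified.sub);
```

In a real app the JWKS comes from the JWKS endpoint listed in step 4, and the nonce is the one your app generated when it started the login.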

Three directions depending on what you want to deepen:

The workspace stays in provisioning for more than 5 minutes. Something failed during provisioning. Go to Settings → Status on the workspace to see where it stalled. If you stay blocked, write to us — the state is recoverable without losing the slug.

My app says redirect_uri_mismatch. The exact URI you send in authorize must match one registered under Apps → your app → Redirect URIs. Trailing slashes count.

The id_token comes back without email. Request the email scope on top of openid profile. Some libraries only request openid by default.

I need to self-host this. You can. The foundation is open source: export your instance in a standard format and stand it up in your own infrastructure. See Security model & portability.