ONYX
Docs

Connect SDK

Request scoped access to Onyx ID from an connected app.

Connect SDK is the connected app integration layer for Onyx ID.

Use it when your app needs to sign a user in with Onyx, request scoped account access, check trust or eligibility, create app-linked conversations, or receive event updates.

Connect SDK does not export the full Onyx account.

Every access path is scoped, consented, revocable, and controlled by Onyx account state.

What Connect SDK Supports

Connect SDK supports:

  • Sign in with Onyx
  • scoped profile access
  • handle access
  • trust and verification assertions
  • consent requests
  • permission state checks
  • communication reach checks
  • pre-send checks
  • app-linked conversations
  • connected app messages
  • webhook events

Not every capability is available to every app.

Standard Flow

A typical integration follows this path:

  1. Create an app identity.
  2. Configure redirect URIs and allowed scopes.
  3. Sign the user in with Onyx.
  4. Request consent for the scopes your app needs.
  5. Check consent, trust, and reachability.
  6. Run a pre-send check before messaging.
  7. Create an app-linked conversation.
  8. Send an configured message.
  9. Receive webhook and delivery events.

The app should stop whenever the current state blocks the action.

Login Is Not Permission

Sign-in confirms that the user can access an Onyx account.

It does not grant messaging permission, trust assertions, payment eligibility, or unrestricted profile access.

Request those permissions separately when the user action requires them.

Scoped Access

Apps request access through scopes.

Scope categories include:

  • profile
  • handle
  • public links
  • trust read
  • verification assertions
  • communication reach
  • communication messaging
  • community access where enabled
  • session continuity

Request only what the app needs for the current feature.

Consent

Consent keeps connected app access visible to the user.

A consent request should show:

  • app name
  • requested scopes
  • intended use
  • requested account access
  • expiration timing when the permission has an expiration

Users can review, deny, revoke, or let access expire.

Messaging

Messaging access requires consent and a current communication permission.

Before sending, the app should check:

  • consent state
  • user reachability
  • message intent
  • thread state
  • app configuration
  • current reason codes

If the message is blocked, use the reason code to choose the next action.

Webhooks

Webhooks can notify your app about configured event types.

Events include:

  • consent changes
  • message outcomes
  • delivery updates
  • thread lifecycle changes
  • app review changes

Partners should validate webhook authenticity where signing is enabled and handle retries safely.

Privacy Limits

Apps should not receive:

  • unrestricted account access
  • identity documents
  • private verification evidence
  • private wallet material
  • unrelated payment history
  • unrelated communication history
  • private device or session state

Connect SDK exists to give trusted apps controlled access without exposing the rest of the account.