One central "Sign in with Google" broker for every *.arnao.ai and *.arnao.com property. Authentication only — openid email profile, nothing else. Built on Google Identity Services (ID-token flow): the broker holds no client secret.
your app ──link──▶ auth.arnao.ai/api/login?return=YOUR_URL
│ (validates return against the arnao allowlist)
▼
Google Identity Services button
(Google signs an ID token in-browser — no code, no secret)
│
▼ POST {credential, return}
/api/exchange (verifies the ID token: aud + iss + exp +
│ RS256 signature via Google JWKS, then
│ mints a 7-day HS256 session JWT)
▼
cookie arnao_auth on .arnao.ai ── redirect ──▶ back to YOUR_URL#signedin
(non-.arnao.ai hosts get ?arnao_token= instead; snippet stores it)
<a href="https://auth.arnao.ai/api/login?return=https://yourapp.arnao.ai/">Sign in with Google</a>
The page shows Google's own account chooser, so there is no
prompt=select_account parameter any more.
<script src="https://auth.arnao.ai/arnao-auth.js"></script>
<script>
arnaoAuth.user().then(user => {
if (user) console.log('hello', user.name, user.email, user.picture);
else arnaoAuth.login(); // or show your own button
});
// arnaoAuth.logout() to sign out
</script>
arnaoAuth.user() calls /api/verify with the cookie (or the stored
arnao_token for arnao.com/localhost hosts) and resolves to
{email, name, picture} or null. arnaoAuth.login()
sends the browser to the GIS sign-in page and back.
Two options for your backend:
AUTH_SECRET — verify locally with any JWT lib
(claims: sub, email, name, picture, iat, exp).GET https://auth.arnao.ai/api/verify with
Authorization: Bearer <token> → {ok:true, user:{…}} or 401.| Endpoint | What it does |
|---|---|
GET /api/login?return=URL | GIS sign-in page; return must be *.arnao.ai / *.arnao.com / localhost |
POST /api/exchange | Verifies the Google ID token (JWKS), mints the session, sets the cookie |
GET /api/verify | Cookie or Bearer → user JSON, CORS-enabled for arnao origins |
GET /api/logout?return=URL | Clear the session cookie |
GET /arnao-auth.js | The drop-in browser helper |
GET /api/callback | Legacy (410) — the old code-exchange flow is gone |
Session: 7-day HS256 JWT in an HttpOnly cookie on .arnao.ai.
Google ID tokens are verified against Google's JWKS (aud, iss, exp, RS256 signature)
before any session is minted. The broker uses only the public OAuth client ID —
there is no client secret to leak. Scopes never exceed openid email profile.