API Reference

Single Sign-On (SSO)

Connect your corporate identity provider (Okta, Microsoft Entra ID, Google Workspace, …) so your team signs in to CurrencyCore over OIDC, with domain verification and optional enforcement.


CurrencyCore supports enterprise Single Sign-On (OIDC): your team signs in through your company identity provider (IdP) instead of an email + password or a personal Google account. SSO is an Enterprise capability.

How it works

  • Each provider is bound to one organization and an email domain.
  • The first time someone from that domain signs in, they’re routed to your IdP, and on success they join the organization automatically as a member.
  • Their API calls then run against that org exactly as any other member's do: same limits, usage, and billing.

Supported IdPs: any OIDC provider — Okta, Microsoft Entra ID / Azure AD, Google Workspace, Auth0, OneLogin, and others.

Set it up (admin / org owner)

In the dashboard, go to Single Sign-On (visible once your org is on Enterprise) and Add a provider:

  1. Email domain — e.g. acme.com.
  2. Issuer URL — your IdP’s OIDC issuer, e.g. https://acme.okta.com. The authorization, token and JWKS endpoints are discovered from the issuer’s /.well-known/openid-configuration document, so enter the issuer exactly as your IdP publishes it (scheme, host and any path, no trailing slash).
  3. Client ID + secret — from an OIDC app you create in your IdP.

In your IdP, register this redirect/callback URL exactly as shown (IdPs compare it character for character, so the scheme, host, path and provider ID must all match):

https://api.currency-core.com/api/auth/sso/callback/<providerId>
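
The checks below are an added example (not CurrencyCore’s code) of what to verify about a provider entry before you save it: the discovery URL derived from the issuer, the callback URL built from the provider ID rather than retyped, and the discovery document’s own issuer, endpoints and flow support. The function names and the sample discovery document are assumptions; the document is constructed to look like a real one and was not fetched from any IdP.

```python
# Added example, not CurrencyCore's code: sanity-check a provider entry before saving it.
# CALLBACK_BASE is the callback URL pattern from this page; the function names are assumptions.
from urllib.parse import urlsplit

CALLBACK_BASE = "https://api.currency-core.com/api/auth/sso/callback/"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """OIDC Discovery: metadata is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def callback_url(provider_id: str) -> str:
    """Redirect URI to register in the IdP; it is compared exactly, so build it, don't retype it."""
    return CALLBACK_BASE + provider_id


def check_provider_config(issuer: str, client_id: str, client_secret: str, metadata: dict) -> list[str]:
    """Return the problems found (empty list = looks usable).

    metadata is the parsed JSON fetched from discovery_url(issuer)."""
    problems = []
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        problems.append("issuer must be an https URL with no query or fragment")
    # Discovery requires the document's own `issuer` to equal the URL it was fetched from;
    # a mismatch means you are talking to the wrong tenant or a proxy, not your IdP.
    if metadata.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"metadata issuer {metadata.get('issuer')!r} != configured issuer")
    for key in REQUIRED_ENDPOINTS:
        endpoint = metadata.get(key, "")
        if not endpoint:
            problems.append(f"metadata is missing {key}")
        elif not endpoint.startswith("https://"):
            problems.append(f"{key} is not https: {endpoint}")
    # A server-side callback needs the authorization-code flow.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    # scopes_supported is optional in the spec; only complain if it is present and lacks openid.
    if "openid" not in metadata.get("scopes_supported", ["openid"]):
        problems.append("provider does not advertise the openid scope")
    if not client_id or not client_secret:
        problems.append("client ID and client secret are both required")
    return problems


# Constructed sample metadata, shaped like a real discovery document (not fetched from any IdP).
SAMPLE_METADATA = {
    "issuer": "https://acme.okta.com",
    "authorization_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://acme.okta.com/oauth2/v1/token",
    "jwks_uri": "https://acme.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email"],
}

if __name__ == "__main__":
    print(discovery_url("https://acme.okta.com"))
    print(callback_url("prv_123"))  # "prv_123" is a made-up provider ID
    print(check_provider_config("https://acme.okta.com", "client-id", "client-secret", SAMPLE_METADATA))
```

Run it against the JSON you fetch from your issuer’s discovery URL; an issuer mismatch or an http endpoint is worth stopping on before the provider is saved, because the sign-in flow will otherwise fail (or, worse, talk to the wrong tenant) only after the first user tries to log in.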

Verify your domain

A new provider is inactive until you verify the domain — this proves you own it and is what makes auto-join and account-linking safe. The page shows a DNS TXT record to add at your DNS provider; once it’s live, click Verify. After that, the provider routes sign-ins for that domain.

Signing in

On the login page, enter your work email and choose Sign in with Single Sign-On. CurrencyCore matches the email’s domain to your provider and sends you to your IdP. (If an account with the same email already exists, it’s linked automatically once the domain is verified.)
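
The following is an added example (not CurrencyCore’s implementation) of the relying-party side of that sign-in: picking the provider by email domain, sending the browser to the IdP with state, nonce and PKCE, and then, on the callback, checking the state and the ID token claims before any auto-join or account-linking happens. It assumes the standard OIDC authorization-code flow (the page only says OIDC) and that the ID token’s signature has already been verified against the provider’s jwks_uri by your JWT library; the dataclass, function names and sample values are assumptions.

```python
# Added example, not CurrencyCore's code: what the relying-party side of the sign-in must do.
# Assumes the standard OIDC authorization-code flow with PKCE; names below are assumptions.
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class Provider:
    provider_id: str
    domain: str              # email domain bound to this provider, lower-case
    issuer: str              # must equal the ID token's iss
    client_id: str           # must appear in the ID token's aud
    authorization_endpoint: str
    verified: bool           # domain verification done?


def email_domain(email: str) -> str:
    """Lower-cased domain part; the key used to pick a provider."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return domain.lower()


def start_login(provider: Provider, callback: str) -> tuple[str, dict]:
    """Build the redirect to the IdP. Returns (URL, values to keep in the server-side session):
    state binds the callback to this browser, nonce binds the ID token to this request,
    and the PKCE verifier binds the authorization code to this client."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": provider.client_id,
        "redirect_uri": callback,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return provider.authorization_endpoint + "?" + urlencode(params), session


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison for state and nonce."""
    return secrets.compare_digest(a.encode(), b.encode())


def check_callback(query: dict, session: dict) -> str:
    """First step on /callback: the state must be the one stored for this browser."""
    if not _same(str(query.get("state", "")), session["state"]):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "code" not in query:
        raise ValueError(query.get("error", "no authorization code returned"))
    return query["code"]


def check_id_token(claims: dict, provider: Provider, session: dict, now=None) -> str:
    """Claim checks after the signature has been verified against jwks_uri (assumed done by your
    JWT library). Returns the email that may auto-join or link into the organization."""
    now = time.time() if now is None else now
    if claims.get("iss") != provider.issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if not (aud == provider.client_id or (isinstance(aud, list) and provider.client_id in aud)):
        raise ValueError("aud does not include our client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if not _same(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce mismatch: token was not issued for this login")
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise ValueError("IdP did not assert a verified email")
    # The IdP for acme.com may only sign in acme.com addresses, and only once the domain
    # is verified; otherwise an IdP could assert any address and take over that account.
    if not provider.verified or email_domain(email) != provider.domain:
        raise ValueError("email is outside the provider's verified domain")
    return email
```

The last check is the one that makes auto-join and linking safe: the email the IdP asserts is trusted only within the domain that was verified for that provider, so an IdP configured for acme.com cannot mint a session for an address on another domain, and an unverified provider cannot link to anything.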

Require SSO

Turn on Require SSO for an organization to force everyone on a verified SSO domain through the IdP: email + password and Google sign-in are then blocked for those addresses. Organization owners are exempt, a break-glass path so a misconfigured IdP can’t lock you out. Because owner accounts therefore stay reachable without the IdP (and outside its controls), keep the set of owners small and protect those accounts accordingly.
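
The policy module below is an added example (not CurrencyCore’s code) that ties together the three rules described on this page: a provider routes sign-ins for its domain only after the DNS TXT verification succeeds (Verify your domain), a sign-in is matched to a provider by email domain (How it works), and Require SSO blocks password and Google sign-in for a verified domain while exempting owners (Require SSO). The dataclasses, function names, the TXT record format and the sample record set are assumptions; use whatever record the dashboard actually shows you.

```python
# Added example, not CurrencyCore's code: domain verification, login routing and
# Require-SSO enforcement as one policy module. Names and the TXT record format are assumptions.
from dataclasses import dataclass, field


@dataclass
class SsoProvider:
    provider_id: str
    domain: str               # lower-case email domain bound to the provider
    verified: bool = False    # a new provider starts unverified and therefore inactive


@dataclass
class Organization:
    org_id: str
    providers: list = field(default_factory=list)
    require_sso: bool = False


def email_domain(email: str) -> str:
    """Lower-cased domain part of an address; the key used to pick a provider."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return domain.lower()


def verify_domain(provider: SsoProvider, token: str, txt_records: list[str]) -> bool:
    """Mark the provider verified if the expected TXT value is present at its domain.
    txt_records is the TXT rdata set you resolved for the domain. The record format
    'currencycore-domain-verification=<token>' is an assumption for this example."""
    expected = f"currencycore-domain-verification={token}"
    # Resolvers often return TXT rdata quoted; compare the unquoted, trimmed string exactly.
    found = any(r.strip().strip('"') == expected for r in txt_records)
    if found:
        provider.verified = True
    return found


def provider_for(org: Organization, email: str):
    """Only a verified provider routes sign-ins for its domain; an unverified one is inert."""
    domain = email_domain(email)
    for p in org.providers:
        if p.domain == domain and p.verified:
            return p
    return None


def login_decision(org: Organization, email: str, method: str, is_owner: bool = False) -> str:
    """method is 'sso', 'password' or 'google'. Returns 'redirect' (send to the IdP),
    'allow' (continue with the chosen method) or 'deny'."""
    p = provider_for(org, email)
    if method == "sso":
        return "redirect" if p else "deny"      # no verified provider: nothing to redirect to
    if p is None or not org.require_sso:
        return "allow"                          # domain not enforced (or not yet verified)
    return "allow" if is_owner else "deny"      # owners keep the break-glass path


if __name__ == "__main__":
    org = Organization("org_1", [SsoProvider("prv_123", "acme.com")], require_sso=True)
    # Constructed TXT record set for acme.com, as a resolver might return it.
    records = ['"currencycore-domain-verification=tok"', '"v=spf1 -all"']
    print(verify_domain(org.providers[0], "tok", records))
    print(login_decision(org, "ana@acme.com", "password"))
```

Note the ordering the tests exercise: with Require SSO on but the domain still unverified, password sign-in is still allowed, because nothing routes that domain yet; it is the verification step, not the toggle, that activates enforcement.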

Notes

  • Provider configuration is Enterprise-gated; existing providers keep working even if a plan lapses (you just can’t add new ones).
  • v1 is OIDC only; SAML is on the roadmap.
  • Every SSO sign-in obeys the same authentication, limits & billing, and error handling as the rest of the API.