Introducing Sendexa Central Auth: One Login for Every Product
We built a centralized authentication system that gives every Sendexa product a unified, secure identity layer — one login, all dashboards, no friction.
As Sendexa grows into a multi-product platform, one challenge kept coming up: every new dashboard we built needed its own authentication. That meant separate login flows, separate sessions, and separate passwords for the same user. We decided to solve this properly — once — and build a central identity layer that every Sendexa product can plug into.
Today, that system is live. We call it Sendexa Central Auth.
The Problem We Were Solving
Sendexa has multiple product surfaces: the main dashboard, Letcol, the developer portal, and more on the way. Each one previously managed its own user sessions. If you logged into one, you were still unauthenticated on another. There was no SSO, no shared identity, and no single source of truth for who a user is.
We needed an architecture that could:
- Authenticate a user once and let them move freely between products
- Issue short-lived, secure tokens with refresh capability
- Support multiple registered client apps (OAuth clients)
- Share sessions securely across all .sendexa.co subdomains
How Central Auth Works
Central Auth is an OAuth-style Identity Provider (IDP) split across two domains:
- auth.sendexa.co — the user-facing sign-in UI
- onclick.sendexa.co — the backend API handling tokens, sessions, and code exchange
The flow is straightforward. When a user hits a Sendexa product without a valid session, they are redirected to the central sign-in page with a client_id and redirect_uri. After authenticating, the IDP issues a short-lived authorization code and redirects the user back to the product. The product's server then exchanges that code for an access_token and refresh_token behind the scenes.
The SSO Cookie
The key to seamless SSO is a shared session_token cookie scoped to .sendexa.co. This means once you sign in at auth.sendexa.co, every other Sendexa subdomain sees that cookie automatically. Products can perform a silent session check — no redirect loop required — and get the user in without interruption.
// Cookie strategy
Domain: .sendexa.co
HttpOnly: true
Secure: true
SameSite: Lax
Security Decisions
We made deliberate, conservative decisions on security:
- Passwords hashed with bcrypt at cost factor 12 — matching our existing system and strong enough for production without becoming a CPU bottleneck.
- Auth codes expire in 5–10 minutes — they are single-use and linked to both the user and the registered OAuth client.
- Redirect URI whitelisting — every OAuth client (product dashboard) must have its redirect URIs pre-registered. No unregistered URIs are accepted.
- Login attempt tracking — groundwork is laid for rate limiting and MFA, which are coming in a future release.
"We built this so that every product we ship from now on gets enterprise-grade authentication for free, on day one." — Collins Vidzro, CEO
Integrating a New Product
Adding a new Sendexa product to Central Auth takes minutes. Set your environment variables, register your product as an OAuth client with its redirect_uri, and redirect unauthenticated users to the sign-in page:
// Redirect unauthenticated users to Central Auth
const clientId = process.env.NEXT_PUBLIC_OAUTH_CLIENT_ID;
const redirectUri = encodeURIComponent(`${window.location.origin}/callback`);
const authUrl = `${process.env.NEXT_PUBLIC_AUTH_URL}/signin?client_id=${clientId}&redirect_uri=${redirectUri}`;
window.location.href = authUrl;
On the callback route, your server exchanges the code for tokens:
// Server-side code exchange
const response = await fetch(`${process.env.NEXT_PUBLIC_AUTH_API_URL}/oauth/token`, {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
code: authCodeFromQuery,
client_id: process.env.NEXT_PUBLIC_OAUTH_CLIENT_ID,
client_secret: process.env.OAUTH_CLIENT_SECRET,
}),
});
const { access_token, refresh_token, user } = await response.json();
What's Next
This release is the foundation. Planned improvements include:
- Multi-business per user — currently each user belongs to one business; this will expand to support multiple memberships
- MFA support — TOTP and SMS-based second factors
- Refresh token rotation — automatic rotation on every use for replay protection
- "Login with Sendexa" — making Central Auth available as a public OAuth provider for third-party integrations
Central Auth is now the backbone of every product we ship. It's one of the most important infrastructure investments we've made — and it's already live.