One click lets a person carry a consented, revocable read of who they are into your app. You get their word, their rhythm, the force that moves them. Verifiable offline, forever. Never how to move them.
You will see the consent screen on noctaracorp.com, allow it with your email and mark, and land back here holding your read. Need a read first? Take one.
What happens
Your app sends the person to the Pupul consent screen with a scope.
They prove the read is theirs and choose Allow. Only what they allow is released.
You exchange a one-time code for a token, server-side.
You verify the token offline against the public JWKS. You never call us to check it.
They can revoke you at any moment from their dashboard. The token dies.
Offline-verifiable
ES256 tokens, checked against /.well-known/jwks.json. No callback to us, ever.
Consent-walled
Only the word, rhythm, force, and how to meet them are grantable. The control register never leaves the person.
Revocable
One tap at their dashboard kills every token an app holds.
Self-describing
Point an OAuth client at the discovery URL and it configures itself.
Add it in five minutes
discovery https://noctaracorp.com/.well-known/oauth-authorization-server
1. Send the person to:
/api/oauth/authorize?client_id=YOUR_ID
&redirect_uri=YOUR_CALLBACK
&scope=word rhythm force palace
&response_type=code&state=RANDOM
2. On your callback, exchange the code (server-side):
POST /api/oauth/token
grant_type=authorization_code
code, redirect_uri, client_id, client_secret
3. Verify the returned token against the JWKS, or call
/api/oauth/userinfo with the bearer token.
Want a client_id for your app? Request access. .
Read the integration docs. .
Honest scope: presence is a v1 confidence signal, not a calibrated biometric.