tryMellon documentation

A passwordless, OIDC-compliant auth platform built on WebAuthn passkeys. Drop-in SaaS — client_id + client_secret and you’re authenticating in 60 seconds.

Getting started

• Getting started — quickstart with the JS SDK.
• Installation — install and configure the SDK.
• Register & authenticate — signUp / signIn flows.
• Sandbox mode — develop without hitting prod.
• Framework examples — React, Svelte, Vue, Angular.
• Web components — drop-in <tm-passkey-button> family.

Backend integration

• Backend session validation — overview and patterns.
• Verify JWT offline — zero round-trip auth via JWKS.
• JWKS & key rotation — how the signing keys roll.
• Reading custom claims — decode app-scoped JWT claims.
• Session validation reference — admin endpoint reference.

Integrations (OIDC / OAuth)

• OpenID Connect integration — passport/Spring/Laravel/Rails.
• Token introspection (RFC 7662) — live revocation check.

Webhooks

• Webhook event catalog — all events with payload shapes.
• Handling revocation — invalidate local session caches.
• Signature verification — HMAC-SHA256, replay protection.

Dashboard

• Applications management — origins, webhook URL, lifecycle.
• API key rotation — zero-downtime rotation.

Advanced

• SDK custom claims — application-defined JWT claims.
• Action signing — sign sensitive operations with the user’s passkey.
• Cross-device QR — log in on desktop with the phone passkey.
• Email OTP fallback — fallback when no passkey is available.
• Account recovery — passkey loss recovery via email OTP.
• Entity enrollment — bridged enrollment for shared devices.
• QR-default integration — when QR is the primary entry.
• AI agents — programmatic auth for AI agents.
• Migration from Auth0 — bulk import + dual-write.

Reference

• Events & errors — SDK events, error codes, troubleshooting.
• Webhooks, audit, privacy — high-level reference.
• Admin API — server-to-server endpoints.
• API reference — full OpenAPI surface.
• Browser support — supported browsers and authenticators.
• Mobile testing — guide for testing on iOS/Android.
• Security — WebAuthn model and best practices.
• FAQ · Troubleshooting · Support.

Machine-readable index

The full doc manifest (slugs, categories, URLs) is published as JSON at /docs/index.json for AI agents and integration tooling.