Connect the Social Web with Magic Sign On

OpenWebAuth (OWA) is a federated remote authentication protocol. It can be used alongside protocols such as ActivityPub and Zot to add single sign-on to the Fediverse or to other "social web" projects such as blogs, forums, content websites, membership websites, web applications, communities, and more.

It can also be used to implement your own Single Sign On (SSO) system, allowing your users to sign onto your websites without having to create a separate local account on each one.

Lightweight and Versatile

A Flexible Federated Authentication Protocol

Social Web Identity
Single Sign On (SSO)
Access Control

OpenWebAuth (OWA)

also known as Magic Sign On, Remote Authentication, or rMagic

OpenWebAuth allows you to sign onto websites, social media sites, and forums using your social identity.

There are two components: identity providers and websites. An identity provider, such as Hubzilla or Friendica, provides you with a social identity, while a website allows you to authenticate (i.e. sign on) with your social identity.

Identity Providers

The following platforms currently issue social web identities that can be used to sign onto other servers and websites:

  • Hubzilla
  • (streams)
  • Forte
  • Friendica
  • FedIAM

Support for Pixelfed and Mastodon has been proposed.

Destinations (Servers / Websites)

You can use your OpenWebAuth social web identity to sign on (remotely authenticate) on the following platforms:

  • Hubzilla
  • (streams)
  • Forte
  • FedIAM

Support for Bridgy Fed and Great Ape has been proposed.

How to Remotely Authenticate

Using remote authentication is easy. In many cases, it is automatic.

  1. Log into your home hub or instance on this device (and stay logged in).
  2. Enter your channel address on the sign on page and press the "authenticate" button.

The website will check whether you are logged into your home hub or instance on this device, and if you are, it will remotely authenticate you.

If you try to authenticate and it returns you to the authentication page, you are either not logged into your home hub, or you typed your channel name incorrectly.

OpenWebAuth vs. OAuth

Authentication Protocol vs. Authorization Protocol

One of the key differentiators between OpenWebAuth and OAuth is that OpenWebAuth is specifically for authenticating a user, whereas OAuth is primarily an authorization protocol.

With OpenWebAuth, you can issue social web identities to your users, allowing them to sign onto other servers. Since OpenWebAuth is not an authorization protocol (like OAuth), you are not granting the remote server any privileges on your server. You simply provide a user identity that can be used for federated single sign on.

For example, OpenWebAuth allows someone@example.social to log into example.com as someone@example.social, and example.com determines what someone@example.social can do on example.com. But example.com cannot impersonate support@example.social, nor can example.com control example.social on behalf of the user.

With OAuth (an authorization protocol), by contrast, you can set it up so that example.com becomes an agent for someone@example.social and, depending on how you set it up, example.com can manipulate example.social on behalf of the user.

OpenWebAuth purposefully limits the scope of power example.com has in relation to example.social. If you need authorization in addition to authentication, you can implement OAuth alongside OpenWebAuth.

OpenWebAuth (OWA)

Cross Platform
Privacy Respecting
Federated Single Sign On

FEP-61cf on Codeberg.org

Follow Us

You can view our social media channel at:

You can follow us on social media via:

  • ActivityPub
    openwebauth@magicsignon.org
  • Nomad / Zot
    openwebauth@magicsignon.org
  • Diaspora
    openwebauth@magicsignon.org
  • Mastodon
    @openwebauth@magicsignon.org
  • Bluesky / AT Protocol
    @magicsignon.org

Magic Auth

OpenWebAuth (OWA) is based on Magic Auth which was integrated into Hubzilla and its predecessors. In 2017, Magic Auth was spun off into its own protocol and called OpenWebAuth (OWA) to make it easier to port to other platforms. A Fediverse Enhancement Proposal (FEP) was submitted in 2024.