Sign in with your IndieWeb URL

If you already have an IndieWeb identity — your own personal site, a SignalKit instance, a micro.blog account, or any URL with IndieAuth set up — you can use that URL to sign up or sign in to Assurcast. No password to remember; you authenticate at your site.


What is IndieAuth?

IndieAuth is a federated sign-in protocol where your URL is your identity. Instead of trusting Assurcast with a password, you tell Assurcast which site is yours, and Assurcast redirects you to that site to prove you control it. The site sends a verified token back, and Assurcast logs you in. Your password (or whatever credential your own site uses) never touches Assurcast.

It's the same protocol micro.blog and the IndieWeb community use. Standardized at the W3C, supported by a growing ecosystem of personal-site hosts.

What you need

A URL you control that publishes IndieAuth metadata. Specifically, an HTML <link rel="authorization_endpoint" href="…"> in the page's <head>, OR a Link: HTTP response header pointing at the same. If your site is hosted on any of the following, this is already set up automatically:

  • SignalKit — if you run your own SignalKit instance, IndieAuth is built in. Use the URL of your SignalKit site.
  • micro.blog — your micro.blog domain works directly.
  • IndieLogin.com — if your site doesn't have IndieAuth but you have a GitHub account or PGP key, IndieLogin can verify on your behalf. Just point your URL at IndieLogin via a rel=me link to GitHub.
  • WordPress with the IndieAuth plugin, Drupal with the IndieWeb module, or any static site that includes the right <link> tags — all work.

Sign up with your URL

  1. Visit the Assurcast login page.
  2. In the lower form labelled "Your IndieWeb URL", enter your site address (e.g. https://your-site.com) and click Sign in with your URL.
  3. You'll be redirected to your own site to authenticate. Approve the request.
  4. Your site sends a verified identity back to Assurcast.
  5. If this is your first visit, you'll be asked to choose an Assurcast handle (your public username) and optionally provide an email for digest delivery. Email is not required — your URL is your identifier.
  6. Done. You now have a contributor account at Assurcast and can submit stories, build a profile, etc. Same features as email-based accounts.

On subsequent visits, just enter the same URL on the login page — no handle prompt, just straight in.

Link your URL to an existing email account

Already have an Assurcast account from before? You can keep your email login AND add an IndieAuth URL as a second sign-in option.

  1. Sign in with your email and password as usual.
  2. Visit Account Settings.
  3. Scroll to the IndieAuth Identity card.
  4. Enter your URL and click Link URL.
  5. You'll be redirected to your site to authenticate (same flow as signup).
  6. After approval, your URL is linked. You can sign in with either method going forward.

To remove the link later, return to Account Settings and click Unlink. Your account stays — only the IndieAuth sign-in option is removed.

Troubleshooting

"Could not find an IndieAuth authorization endpoint at that URL"
Your site doesn't advertise an authorization_endpoint. Add a <link rel="authorization_endpoint" href="…"> in the HTML <head>, or use a hosted IdP like IndieLogin.com.
"That URL is already linked to another Assurcast account"
Each IndieWeb URL can only be tied to one Assurcast account. If you have a second account using the same URL, sign in to it and unlink before re-linking elsewhere.
"State mismatch" or "session expired" errors
Usually caused by signing in across two browser tabs at once, or by closing the browser between starting the flow and approving at your site. Just start over from the login page.
I authenticated successfully but got redirected somewhere unexpected
Existing accounts go to /admin for admins/editors, /account for contributors. New accounts go to a profile-completion form first. If you see a 404 or unrelated page, the redirect URL in the IndieAuth round-trip may be misconfigured — please contact us with the URL you tried to use.

Why IndieAuth?

Because identity should belong to you, not the platform. Most sites today require you to create yet another account, store your password (hopefully hashed correctly), and trust the operator with your email. IndieAuth lets you keep all that on a site you control. Assurcast just confirms the round-trip and stores nothing sensitive — only your URL and the public handle you choose.

For audit professionals especially, this matters: you're likely already invested in a personal site or a community-hosted publishing platform. Use the identity you already have.

Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →