Cargo A/C
Integration

OIDC Client Onboarding

Every surface is a standard OAuth client of auth.cargo.ac. Cross-domain SSO is handled by OpenID Connect (Authorization Code + PKCE + JWKS) — there is no shared-session bridge.

Authorization Code + PKCE flow

  1. 1

    Spoke starts authorize

    The app redirects to auth.cargo.ac/authorize with its client_id, redirect_uri, scope and a PKCE code_challenge.

  2. 2

    auth.cargo.ac authenticates

    Email or Google sign-in establishes the user against the central identity issuer.

  3. 3

    Code returned to callback

    auth.cargo.ac redirects back to the spoke's allowlisted /auth/callback with a short-lived authorization code.

  4. 4

    Token exchange + JWKS validate

    The spoke exchanges the code at /token (with code_verifier) and validates the ID/access token against auth.cargo.ac JWKS.

Endpoints

Issuer

https://auth.cargo.ac

Discovery

https://auth.cargo.ac/.well-known/openid-configuration

JWKS

https://auth.cargo.ac/.well-known/jwks.json

Cargo Account

https://one.cargo.ac

This console origin

https://admin.cargo.ac

Onboarding status

Surfaces running the Authorization Code + PKCE flow.

  • CW Network HUB
    Pending
  • Exchange
    Pending
  • CargoWorks ID
    Pending
  • Expert
    Pending
  • Support
    Pending
  • Delivery
    Pending
  • Cloud
    Pending
  • CargoWorks AI
    Onboarded
  • CargoWorks IO
    Pending
  • Cargo Directory
    Pending
  • Cargo E-Mail
    Pending
  • CW AI Website
    Pending
  • CW IO Website
    Pending
  • Directory Website
    Pending

go.cargo.ac is reserved

The legacy cross-domain token bridge is retired. go.cargo.ac is a reserved namespace for possible future federation, handoff or migration tooling — it is not part of any active authentication flow.

CargoWorks AI is the reference PKCE + JWKS implementation; remaining spokes follow the same onboarding template.