
A single sign-on API for one-click corporate access

thriveologie™ sells health and wellbeing services to corporate customers, each with many staff users. We built a single sign-on API and an integration plugin so a corporate's people reach the members area in one click, with no new password, provisioned self-service from thriveologie's own dashboard.

At a glance
sector · B2B health and fitness
engagement · Bespoke Software, API build and integration

The brief

thriveologie does not sell to the public. It provides health and wellbeing services, articles, assessments, workshops, webinars and podcasts, to corporate customers, and each of those organisations has many staff who use the platform. That business model created two engineering problems worth solving properly.

This study is about the first: access. Every corporate's staff had to register and manage yet another password to reach the members area, which is friction at exactly the moment an organisation is trying to get its people to engage. thriveologie wanted that removed without ever blurring the line between one customer's users and another's. The second problem, connecting people within an organisation, became a separate build: the [community forum](Case Study thriveologie Forum.html).

Single sign-on, delivered as an API

We designed a single sign-on solution so a corporate's users reach the members area with one click and no separate password. We built it as two cooperating parts, so that thriveologie could operate it themselves rather than depending on us for every new customer.

  • An SSO API that issues each corporate customer a unique client key and secret key, and authenticates incoming sign-in requests against them.
  • An integration plugin on thriveologie's existing website that handles each request and grants or refuses access based on the authenticity and validity of the credentials presented.

The full sequence runs in one pass: the request is validated once, the user is looked up and created if new, a token is issued and the user is redirected back to their own site, where the token is verified and the session begins.
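The sequence above, sketched as an added example; this is not thriveologie's code or the code we delivered. The case study states only that each corporate gets a client key and secret key and that requests are authenticated against them, so the HMAC-SHA256 request signature, the timestamp window, the nonce check, the token format and every name and value below are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed registry: one client key / secret key pair per corporate customer.
CLIENTS = {"ck_acme": {"secret": b"sk_acme_constructed", "tenant": "acme"},
           "ck_globex": {"secret": b"sk_globex_constructed", "tenant": "globex"}}
TOKEN_KEY = secrets.token_bytes(32)   # server-side token signing key (assumption)
USERS, SEEN_NONCES = {}, set()        # users are keyed by (tenant, email)
MAX_SKEW, TOKEN_TTL = 300, 60         # seconds (assumed values)

def sign_request(secret, client_key, email, ts, nonce):
    """What the corporate's own site computes before sending the user over."""
    msg = "\n".join([client_key, email, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sso_sign_in(client_key, email, ts, nonce, signature, now):
    """Validate once, look up or create the user, issue a token. None = refused."""
    client = CLIENTS.get(client_key)
    if client is None or abs(now - ts) > MAX_SKEW:      # unknown key or stale request
        return None
    expected = sign_request(client["secret"], client_key, email, ts, nonce)
    if not hmac.compare_digest(expected, signature):    # constant-time comparison
        return None
    if (client_key, nonce) in SEEN_NONCES:              # replayed request
        return None
    SEEN_NONCES.add((client_key, nonce))
    # The tenant comes from the authenticated key, never from the request itself.
    user = USERS.setdefault((client["tenant"], email.lower()), {"id": len(USERS) + 1})
    body = json.dumps({"t": client["tenant"], "u": user["id"],
                       "exp": now + TOKEN_TTL}).encode()
    tag = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_token(token, now):
    """Return the token's claims if it is authentic and unexpired, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(TOKEN_KEY, body, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None
```

Keying users by (tenant, email) and taking the tenant from the authenticated client key is what keeps one customer's users from resolving to another's, even when the same email address appears under two corporates.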

The result is self-service for thriveologie. They provision SSO for a new corporate from the platform dashboard, issue that organisation its credentials, and from then on the organisation's people sign in from their own website with a single click. We delivered the solution with technical documentation as standard, so the design is legible and maintainable rather than locked in our heads. It was built to scale: adding the next corporate customer is a configuration step, not a development project.

How it shipped

We built the API and the integration plugin together, so credential issuing and request validation were tested as one flow rather than two halves hoping to meet. The solution shipped with technical documentation as standard, covering how credentials are issued, how a request is validated, and how thriveologie's own team provisions and revokes access without us.

That handover was the point. thriveologie operates the single sign-on themselves: credentials are issued and managed from the platform dashboard, and onboarding the next corporate customer is configuration, not a new development project.

The result

thriveologie can switch on one-click access for each corporate customer from their own dashboard, removing the registration and password friction that sat between an organisation and its people engaging with the service. The design is documented and scalable, so onboarding the next customer adds value rather than maintenance.

This was the first of several engagements with thriveologie. We went on to build their [building-scoped community forum](Case Study thriveologie Forum.html) and a [bespoke booking system for their Mindspa booth](Case Study thriveologie Booking.html).

Building something technical your team needs to own? If you want the software around your product run by your own people, and built so it will not need a rebuild as you grow, we will scope it with you.
