
Express authentication

Express authentication lets users connect to your app without first creating a dedicated SweatStack account. They sign in directly with the wearable platform they already use (Garmin, Intervals.icu, etc.), SweatStack provisions their account behind the scenes, and the OAuth2 flow continues uninterrupted.

This matters most for first-time onboarding. A user who has never heard of SweatStack but already has a Garmin account can authorize your app in two steps instead of three. The drop-off you'd otherwise see at "create yet another account" goes away.

What changes for your integration

Nothing on the API side. Express authentication is a SweatStack-side flow. Your app initiates the standard OAuth2 / OIDC flow as usual, and SweatStack handles everything from there.

What does change: the SweatStack login UI offers a "More options" path that surfaces the user's wearable platforms directly. If the user picks one and doesn't yet have a SweatStack account, SweatStack creates one for them, attaches the integration, and continues your OAuth2 flow.

The user-facing flow

  1. Your app sends the user to https://app.sweatstack.no/oauth/authorize?... (the standard authorization URL).
  2. SweatStack shows a sign-in page. The user can either enter their email (magic-link sign-in) or click "More options" to use a wearable.
  3. If they pick a wearable, SweatStack redirects them to that wearable's OAuth flow.
  4. After they grant permission, they come back to SweatStack. If they don't have a SweatStack account, one is created automatically.
  5. If SweatStack can't extract an email from the wearable, the user is prompted for one (some wearables don't share email).
  6. The standard OAuth2 consent screen appears for your app.
  7. Your app receives the authorization code and exchanges it for tokens.

For users who already have a SweatStack account linked to that wearable, step 4 logs them in directly. The flow is the same number of clicks regardless.

Sending users straight to express authentication

By default, your authorization URL lands on the email-first sign-in page. Users have to click "More options" to see the wearable buttons.

If you'd rather skip the email step and present the wearable options first, you can direct users to the express-login URL instead:

https://app.sweatstack.no/express-login?state={state}

The state parameter is a base64-encoded JSON object that contains, at minimum, your client_id. Build the object from the same parameters you'd put on the standard authorization URL, then base64-encode it.
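The following is an added example, not SweatStack's own code, showing one way to build the express-login URL described above. Only `client_id` is documented on this page; the other JSON keys (standard OAuth2 parameter names), the use of the standard base64 alphabet, and the sample values are assumptions.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlsplit

EXPRESS_LOGIN_URL = "https://app.sweatstack.no/express-login"  # from this page


def build_express_login_url(client_id, redirect_uri, scope):
    """Return (url, csrf_token) for the express-login entry point."""
    # Per-request random value so the callback can be tied to this session.
    csrf_token = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,        # the only key this page documents
        "redirect_uri": redirect_uri,  # assumed key (standard OAuth2 name)
        "scope": scope,                # assumed key (standard OAuth2 name)
        "response_type": "code",       # assumed key (standard OAuth2 name)
        "state": csrf_token,           # assumed key (standard OAuth2 name)
    }
    raw = json.dumps(params, separators=(",", ":")).encode("utf-8")
    encoded = base64.b64encode(raw).decode("ascii")  # assumption: standard alphabet
    # Standard base64 can contain '+', '/' and '='. Percent-encode the value,
    # otherwise a '+' in the query string is decoded as a space.
    return f"{EXPRESS_LOGIN_URL}?state={quote(encoded, safe='')}", csrf_token


def decode_express_state(url):
    """Inverse of the builder: recover the JSON object carried in the URL."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    return json.loads(base64.b64decode(query["state"][0], validate=True))


if __name__ == "__main__":
    # Constructed sample values, not real credentials or scopes.
    url, token = build_express_login_url(
        "example-client-id", "https://example.com/callback", "example:scope"
    )
    print(url)
    print(decode_express_state(url)["client_id"])
```

Keep the returned `csrf_token` in the user's server-side session and compare it with the value that comes back alongside the authorization code before exchanging the code for tokens.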

Trade-off: you skip the email-first step, but users who already have a SweatStack account also lose the email-sign-in path on the same page. Most apps building for an audience without existing SweatStack accounts find this is the right trade.

Supported wearables for express authentication

Currently:

  • Garmin Connect
  • Intervals.icu

The full list of integrations available for express auth grows as new platforms are added. The same OAuth2 endpoints work for all of them; SweatStack handles the per-platform specifics internally.

What it looks like for users

For a first-time user:

  • Click your "Login with SweatStack" button.
  • Click "More options".
  • Click "Continue with Garmin".
  • Authorize on Garmin.
  • (If needed) enter email.
  • Authorize your app.

That's three to four clicks total, no SweatStack account required up front. The user effectively sees SweatStack as a connector to their wearable, which is what it is.

Why this exists

The default OAuth2 flow assumes the user already has an account with the OAuth provider. For SweatStack, that assumption is wrong for almost every new user. They have a Garmin account, not a SweatStack account. Express authentication acknowledges that reality and removes the friction.

If you're building an app whose users are mostly new to SweatStack, this is the path you want them on.