Authentication
How sign-in works with Solid OIDC
mnera.io uses Solid OIDC — an identity layer built on top of OpenID Connect (OIDC) — to authenticate you with your Solid pod without storing any credentials itself.
Two sign-in systems
mnera.io has two separate sign-in systems. They are independent — you can use one, both, or neither depending on what you want to do.
| Sign-in | Purpose | Page |
|---|---|---|
| Solid pod | Access your bookmarks | /account/login/solid |
| mnera.io account | Save settings, manage subscription | /account/login |
Solid pod sign-in flow
- Go to the Solid sign-in page and select your identity provider from the dropdown, or type a custom URL
- Click Continue — mnera.io discovers your provider's OIDC configuration
- You are redirected to your identity provider to enter your credentials
- After you approve, you are redirected back to mnera.io with an access token
- The token is bound to a DPoP key pair, so it cannot be used by a third party even if intercepted
mnera.io account sign-in
The mnera.io account uses a standard email and password. It is entirely separate from your Solid pod — signing in or out of one does not affect the other. The account is used to store your UI preferences and manage a Pro subscription.
After signing in to your mnera.io account, if your Solid pod session is already active you are taken directly to your bookmarks. Otherwise you are prompted to sign in with your pod.
Session persistence
Your Solid pod session is stored in the browser's memory and restored on page reload using handleIncomingRedirect({ restorePreviousSession: true }). Sessions expire according to your identity provider's settings; mnera.io refreshes tokens automatically.
Which identity providers are supported?
Any Solid-compliant OIDC provider works. A popular option is solidcommunity.net. You can also self-host using Community Solid Server or other implementations.
DPoP
DPoP (Demonstration of Proof of Possession) is a security mechanism that binds each access token to a specific key pair held by your browser. This prevents token theft — a stolen token cannot be used without the matching private key. mnera.io generates a DPoP key pair in your browser and never sends the private key anywhere.
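The binding described above can be seen from the resource server's side in the following added example, which is not mnera.io's code. It runs under Node.js with synchronous node:crypto calls (a browser would use Web Crypto instead). The function names, token string and pod URL are constructed, and the bound thumbprint is assumed to come from the access token's cnf.jkt claim.

```javascript
// Added example for Node.js; token, URL and function names are constructed.
const nodeCrypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// RFC 7638 thumbprint of an EC public JWK (members in lexicographic order).
const jwkThumbprint = ({ crv, kty, x, y }) => b64u(sha256(JSON.stringify({ crv, kty, x, y })));

// Client: sign a proof for one HTTP request (header and claims per RFC 9449).
function makeProof(keyPair, htm, htu, accessToken) {
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: keyPair.publicKey.export({ format: 'jwk' }) };
  const claims = { jti: nodeCrypto.randomUUID(), htm, htu,
    iat: Math.floor(Date.now() / 1000), ath: b64u(sha256(accessToken)) };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input),
    { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Server: returns 'ok' or the first failed check. boundJkt is the cnf.jkt value
// the issuer put in the access token. A production verifier also enforces an
// iat freshness window and rejects reused jti values.
function verifyProof(proof, htm, htu, accessToken, boundJkt) {
  const [h, c, s] = proof.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'bad-header';
  const key = nodeCrypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return 'bad-signature';
  if (claims.htm !== htm || claims.htu !== htu) return 'request-mismatch';
  if (claims.ath !== b64u(sha256(accessToken))) return 'token-mismatch';
  if (jwkThumbprint(header.jwk) !== boundJkt) return 'key-mismatch';
  return 'ok';
}

// Constructed scenario: same token presented by the key holder, by a party
// with a different key, and with a captured proof reused on another request.
function demo() {
  const holder = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const other = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const token = 'constructed-access-token', url = 'https://pod.example/bookmarks/';
  const jkt = jwkThumbprint(holder.publicKey.export({ format: 'jwk' }));
  const proof = makeProof(holder, 'GET', url, token);
  return { holder: verifyProof(proof, 'GET', url, token, jkt),
    otherKey: verifyProof(makeProof(other, 'GET', url, token), 'GET', url, token, jkt),
    reusedProof: verifyProof(proof, 'DELETE', url, token, jkt) };
}
console.log(demo());
```

Only the proof signed by the key whose thumbprint matches the token is accepted; the same token with a different key, or a captured proof reused for a different method, is rejected.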