Sandbox. Test environment. Sandbox providers, no real verifications, data may be reset at any time.
Developer documentation

One identity layer for Australian real estate.

Add “Sign in with Agent ID” to your product in 30 minutes. Standards-based OAuth 2.1 + OpenID Connect, with claims tailored to real estate — agency context, role, licence, verified status.

Quickstart

Three steps from zero to a working sign-in.

1. Request OAuth credentials
Email engineering@agent-id.com.au with your display name, logo URL, redirect URIs, and the environments you're wiring (sandbox, live, or both). You'll receive a client_id and client_secret per environment.

2. Wire an OIDC client library
Auth.js (NextAuth v5), openid-client for Express, Authlib for Python, Auth0 SDKs — anything OIDC-compliant works. Point it at the discovery URL and you're done.

3. Read the claims
Decode the ID token. Agent ID-specific data lives under user_metadata: agent_id, agency_id, role, verified, branding_url.

Discovery URL
# Sandbox (use in your staging + local dev)
https://sandbox.agent-id.com.au/.well-known/openid-configuration

# Live (use only in production)
https://agent-id.com.au/.well-known/openid-configuration

Sandbox + Live, fully isolated

Two physical environments, identical code, separate databases. Test with confidence; ship with safety.

Sandbox
sandbox.agent-id.com.au
Test agents, throwaway data, FrankieOne UAT. Free to use. Wipeable at any time.

Use in your staging, QA, preview, and local dev.

No real PII — invent test agents and agencies freely.

Tokens carry mode: "test" for defence-in-depth assertions.

Live
agent-id.com.au
Real Australian real estate agents and agencies. Real FrankieOne identity and AML verification. Persistent, audit-logged data.

Use in your production environment only.

Tokens carry mode: "live".

Subject to AUSTRAC AML/CTF and Privacy Act obligations.

Each environment issues its own credentials. A token issued by sandbox cannot be validated against live (and vice versa) — the JWKS and issuer URL are different. Read the full mental model.

Drop-in Next.js integration

Auth.js handles PKCE, code exchange, JWKS validation, and refresh rotation. You write 30 lines.

app/api/auth/[...nextauth]/route.ts
import NextAuth from "next-auth";

const { handlers } = NextAuth({
  providers: [
    {
      id: "agent-id",
      name: "Agent ID",
      type: "oidc",
      issuer: process.env.AGENT_ID_ISSUER!,        // sandbox or live URL
      clientId: process.env.AGENT_ID_CLIENT_ID!,
      clientSecret: process.env.AGENT_ID_CLIENT_SECRET!,
      authorization: { params: { scope: "openid profile email" } },
      checks: ["pkce", "state"],
    },
  ],
  callbacks: {
    async jwt({ token, profile, account }) {
      if (account && profile) {
        const meta = (profile as any).user_metadata ?? {};
        token.agentId = meta.agent_id;
        token.agencyId = meta.agency_id;
        token.role = meta.role;
        token.verified = meta.verified;
        token.brandingUrl = meta.branding_url;
        token.mode = meta.mode;                    // "test" | "live"
        token.accessToken = account.access_token;
      }
      return token;
    },
  },
});

// handlers is an object of the form { GET, POST }; export each route handler by name.
export const { GET, POST } = handlers;

Express + openid-client, Python + Authlib, raw OIDC — see the full integration guide for samples.

What you get in the token

All Agent ID-specific data lives under user_metadata. Standard OIDC claims are at the root.

Claim              Type              Description
agent_id           UUID              Stable Agent ID. Use as your foreign key.
professional_name  string            Public-facing name. May differ from full_name.
agency_id          UUID | null       Active agency context. Null = independent agent.
agency_name        string | null     Agency trading name.
role               enum | null       principal | admin | sales | property_mgr | support
verified           boolean           Agent passed FrankieOne KYC + state licence check.
agency_verified    boolean           Agency passed ABN + corporate licence verification.
licence_state      enum | null       VIC | NSW | QLD | WA | SA | TAS | ACT | NT
branding_url       URL | null        Agency manifest if a current agency is set, else agent manifest, else null.
mode               "test" | "live"   Defence-in-depth: which environment issued the token.
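
The mode claim is described as a defence-in-depth signal, but a signal only helps if the relying party asserts on it. The following is an added example (not Agent ID's own code) of a hypothetical helper, agentContextFromClaims, that fails closed when the issuer or mode of already-verified ID-token claims does not match the deployment. The issuer string in the sample is an assumption: the sandbox discovery URL without its well-known path.

```typescript
// Added example, not Agent ID's code. Input: ID-token claims whose signature
// the OIDC library has already verified against the environment's JWKS.
type Mode = "test" | "live";
interface AgentContext {
  agentId: string;
  agencyId: string | null;
  role: string | null;
  verified: boolean;
  mode: Mode;
}
// Role values as listed in the claims table.
const ROLES = ["principal", "admin", "sales", "property_mgr", "support"];
// Hypothetical helper: fail closed unless issuer AND mode match this deployment.
function agentContextFromClaims(
  claims: Record<string, unknown>,
  expectedIssuer: string,
  expectedMode: Mode,
): AgentContext {
  if (claims["iss"] !== expectedIssuer) throw new Error("issuer mismatch");
  const meta = claims["user_metadata"];
  if (typeof meta !== "object" || meta === null) throw new Error("user_metadata missing");
  const m = meta as Record<string, unknown>;
  // A missing mode is rejected too: absence must never be read as "live".
  if (m["mode"] !== expectedMode) throw new Error("mode mismatch");
  const agentId = m["agent_id"];
  if (typeof agentId !== "string" || agentId === "") throw new Error("agent_id missing");
  const agencyId = m["agency_id"];
  if (agencyId !== undefined && agencyId !== null && typeof agencyId !== "string") {
    throw new Error("agency_id malformed");
  }
  const role = m["role"];
  if (role !== undefined && role !== null) {
    if (typeof role !== "string" || ROLES.indexOf(role) === -1) throw new Error("unknown role");
  }
  return {
    agentId,
    agencyId: typeof agencyId === "string" ? agencyId : null,
    role: typeof role === "string" ? role : null,
    verified: m["verified"] === true, // only a literal boolean true counts
    mode: expectedMode,
  };
}

// Constructed sample claims (not real data): an independent sandbox agent.
const SAMPLE_CLAIMS = {
  iss: "https://sandbox.agent-id.com.au", // assumed: discovery URL minus well-known path
  user_metadata: { agent_id: "00000000-0000-4000-8000-000000000001", agency_id: null,
                   role: "sales", verified: true, mode: "test" },
};
```

Call it with the issuer and mode configured for the deployment, so a production build configured for live rejects any token that carries mode "test".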

REST endpoints

Bearer-authenticated. Call with the access token from your OIDC client.

GET /v1/me

Full agent + active agency snapshot. Always fresh — use this when claims may be stale.

GET /v1/agencies/{id}

Agency profile. 403 if the calling agent isn't a member.

GET /v1/agencies/{id}/branding

Branding manifest with versioned asset URLs. Cache for 60s.

GET /v1/agents/{id}/branding

Independent-agent branding manifest. Used when agency_id is null.

Ready to integrate?

Get sandbox credentials in under a day. Live credentials follow once your integration is reviewed.