Social Accounts
AI Supreme Council supports multiple authentication methods so you can sign in from any device and link accounts across providers. Authentication is designed around security and resilience -- WebAuthn/Passkeys provide hardware-backed, phishing-resistant login that works even if third-party OAuth providers go down.
Supported Login Providers
Login providers are divided into two tiers based on whether the provider requires phone verification for account creation.
Tier 1: Phone-Verified (Can Register New Accounts)
These providers require phone verification to create an account, which serves as identity verification and anti-spam protection. You can use any of these to create a new AI Supreme Council account.
| Provider | Phone Required? | Notes |
|---|---|---|
| Google | Yes (mandatory since 2021) | Most common login method worldwide |
| Apple | Yes (mandatory for Apple ID) | Privacy-focused, offers a "Hide My Email" option |
| | Yes (SMS/WhatsApp verification) | Supports WhatsApp verification in some regions |
| | Yes (China phone number) | Primary login method for users in China |
| Telegram | Yes (phone-first, always required) | Phone number is the account identifier |
Tier 2: Link-Only (Cannot Register, Can Link)
These providers do not universally require phone verification, so they cannot be used to create a new account. However, once you have an account, you can link any of these for login convenience.
| Provider | Why Link-Only? | Useful For |
|---|---|---|
| GitHub | Email-only accounts exist | Developers who prefer GitHub login |
| Twitter/X | Phone became optional in 2023 | Social media integration |
| Discord | Phone is optional | Gaming and community users |
Registration means creating a brand new AI Supreme Council account. This requires a Tier 1 provider to verify your identity. Linking means connecting an additional login method to an existing account. Any supported provider can be linked after registration.
WebAuthn / Passkeys
WebAuthn is the primary authentication method, recommended for all users. It uses public-key cryptography with the private key held by an authenticator on your device: a platform authenticator backed by a TPM or Secure Enclave, or a roaming hardware security key.
How it works
- Registration: Your authenticator generates a public/private keypair for this site. Only the public key is sent to the platform and stored; the private key stays with the authenticator (in secure hardware for a device-bound passkey, or inside your password manager's end-to-end encrypted store for a synced passkey).
- Authentication: The platform sends a fresh random challenge. After you confirm with a biometric (fingerprint, face scan) or PIN, your authenticator signs the challenge together with the site's identity.
- Verification: The platform checks the signed challenge against your stored public key. Total compute cost on the server: one signature verification.
Benefits
- Phishing-resistant -- the credential is bound to this site's domain, so a look-alike site cannot obtain a usable signature from it
- No passwords -- nothing to remember, nothing to steal, no password database to breach
- No third-party dependency -- signing in needs only your device and the platform's server, so it keeps working when an OAuth provider is down
- Biometric UX -- a fingerprint or face scan is faster than typing a password
- Cross-device -- passkeys can sync across your devices via iCloud Keychain or Google Password Manager, and Windows Hello can use them with a PIN, fingerprint, or face
Register with a Tier 1 provider (like Google) to create your account, then set up a Passkey in Settings > Account. After that, you can log in with just your fingerprint or face scan -- no OAuth redirect needed.
Linking Additional Accounts
After creating your account, you can link additional login providers:
- Open Settings (gear icon in the header)
- Go to the Account section
- Under Linked Providers, click Link Account
- Choose a provider and complete the OAuth flow
- The provider appears in your linked list
Each linked provider becomes an alternative login method. Your identity is the same regardless of which provider you use to sign in.
Cross-Device Authentication
Passkeys are the recommended way to sign in across multiple devices:
- Apple devices: Passkeys sync via iCloud Keychain (iPhone, iPad, Mac)
- Android/Chrome: Passkeys sync via Google Password Manager
- Windows: Windows Hello supports passkeys with PIN, fingerprint, or face
For devices that do not support passkey sync, you can sign in with any linked OAuth provider.
Guest Mode
For self-hosted deployments where no authentication server is configured, guest mode provides full access to all features without signing in.
Guest mode is intended for personal/self-hosted use only. Guest sessions are local to the device and cannot sync across devices. There is no account to link providers to, and no way to recover data if the browser storage is cleared.
Guest mode is entered when any of the following holds:
- The app is running on localhost or a .pages.dev preview domain
- No auth configuration is detected
- The user explicitly chooses "Continue as Guest" on the login screen
Privacy: What Data Is Stored
AI Supreme Council stores minimal user data, and all of it stays on your device:
| Data | Storage Location | Shared with Server? |
|---|---|---|
| Name | localStorage (ais-user) | Only during OAuth flow |
| | localStorage (ais-user) | Only during OAuth flow |
| Profile picture URL | localStorage (ais-user) | Only during OAuth flow |
| Login provider | localStorage (ais-user) | Only during OAuth flow |
| API keys | localStorage (ais-apikey-*) | Never -- sent only to LLM providers |
| Chat history | IndexedDB | Never |
| Bot configurations | IndexedDB | Never (unless you share via URL) |
| Settings | localStorage | Never |
The OAuth flow passes through the API server (api.aiscouncil.com), which handles the provider callback, verifies the provider's response, and hands the resulting profile fields (the ais-user entries in the table above) back to the client in URL parameters; the client stores them in localStorage. The server keeps no user database and never holds chat or bot data.
Account Security
- All OAuth sign-ins are verified server-side before a profile is accepted. Google and Apple ID tokens are RS256 JWTs checked against the provider's published JWKS (a public-key check); Telegram login payloads are checked with HMAC-SHA256 keyed by the bot token, as Telegram specifies (a shared-secret check)
- Telegram replay protection: an auth payload is accepted only once and only within a 600-second window, so a captured payload cannot be replayed
- Input sanitization strips HTML special characters from all OAuth user data before storage
- Generic error messages are returned on auth failures to prevent information leakage; the specific reason is logged server-side only
Deleting Your Account
To remove your data:
- Open Settings > Account
- Click Delete Account
- Confirm the deletion
This clears all local data (profiles, chat history, settings, API keys) from the current device. Since data is stored locally, deleting on one device does not affect other devices where you may be signed in.