---
title: Accounts and credentials
description: How Sudomimus separates the person, their sign-in credentials, and
  their verified email ownership.
editUrl: true
head: []
template: doc
sidebar:
  order: 2
  hidden: false
  attrs: {}
pagefind: true
draft: false
---

Sudomimus keeps account identity, authentication credentials, and email ownership in separate records. This model is shared by Connect, OIDC, and native direct-issue.

| Record | What it represents |
|---|---|
| **Account** | The person: a stable internal record with profile data. It does not carry an email field. |
| **Authentication** | One credential the account can use, such as an email OTP login, passkey, Steam identity, OAuth identity, or enterprise federation identity. |
| **EmailIdentity** | A verified email the account owns. Each row records how ownership was verified, and at most one is primary. |

## Why they are separate

A credential proves **how this person can sign in**. An email identity proves **which email this person owns**. Those are related, but they are not the same fact.

For example:

- An email-OTP registration creates both an email credential and a verified email identity.
- A Google, GitHub, or Discord login can establish verified email ownership without enrolling email OTP as a login method.
- A Steam-only account can sign in without owning any verified email.
- Removing a login method does not, by itself, rewrite the account's email ownership history.

This separation lets the platform evaluate login methods, email-based access rules, and token claims without treating one credential table as the source of truth for everything.
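As an added illustration of the three-record split (not Sudomimus's own code), the small model below keeps credentials and verified email ownership in separate tables and exercises the four cases listed above; `Store` and its method names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of the three-record model on this page. Store and its
# methods are assumed names for this example, not Sudomimus's own API.

@dataclass
class Account:
    account_id: str          # the person; stable internal id, no email field

@dataclass
class Authentication:
    account_id: str
    method: str              # "email_otp", "passkey", "steam", "oauth:github", ...
    subject: str             # provider-side identifier, or the email for OTP

@dataclass
class EmailIdentity:
    account_id: str
    email: str
    verified_via: str        # how ownership was proven, e.g. "email_otp"
    primary: bool = False

class Store:
    def __init__(self) -> None:
        self.credentials: list[Authentication] = []
        self.emails: list[EmailIdentity] = []
    def add_credential(self, account_id: str, method: str, subject: str) -> None:
        self.credentials.append(Authentication(account_id, method, subject))
    def verify_email(self, account_id: str, email: str, via: str,
                     primary: bool = False) -> None:
        # At most one primary per account: demote the current primary first.
        if primary:
            for e in self.emails:
                if e.account_id == account_id:
                    e.primary = False
        self.emails.append(EmailIdentity(account_id, email, via, primary))
    def remove_credential(self, account_id: str, method: str) -> None:
        # Drops the login method only; email ownership rows are untouched.
        self.credentials = [c for c in self.credentials
                            if not (c.account_id == account_id and c.method == method)]
    def can_sign_in(self, account_id: str) -> bool:
        return any(c.account_id == account_id for c in self.credentials)
    def verified_emails(self, account_id: str) -> list[str]:
        return [e.email for e in self.emails if e.account_id == account_id]
    def primary_email(self, account_id: str) -> Optional[str]:
        return next((e.email for e in self.emails
                     if e.account_id == account_id and e.primary), None)
```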

## What applications see

The internal account identifier never leaves Sudomimus. Applications receive a purpose-scoped [sector subject](/en-us/concepts/pairwise-identity/) and only the [identity claims](/en-us/concepts/identity-claims/) that policy and user consent allow.