Accounts and credentials
Sudomimus keeps account identity, authentication credentials, and email ownership in separate records. This model is shared by Connect, OIDC, and native direct-issue.
| Record | What it represents |
|---|---|
| Account | The person: a stable internal record with profile data. It does not carry an email field. |
| Authentication | One credential the account can use, such as an email OTP login, passkey, Steam identity, OAuth identity, or enterprise federation identity. |
| EmailIdentity | A verified email the account owns. Each row records how ownership was verified, and at most one is primary. |
Why they are separate
A credential proves how this person can sign in. An email identity proves which email this person owns. Those are related, but they are not the same fact.
For example:
- An email-OTP registration creates both an email credential and a verified email identity.
- A Google, GitHub, or Discord login can establish verified email ownership without enrolling email OTP as a login method.
- A Steam-only account can sign in without owning any verified email.
- Removing a login method does not, by itself, rewrite the account’s email ownership history.
This separation lets the platform evaluate login methods, email-based access rules, and token claims without treating one credential table as the source of truth for everything.
What applications see
The internal account identifier never leaves Sudomimus. Applications receive a purpose-scoped sector subject and only the identity claims that policy and user consent allow.