Kinde Integration
Use Kinde as your identity provider with AINative Studio. This guide walks through connecting your Kinde application so your users can authenticate with Kinde JWTs and access AINative APIs, ZeroDB, and ZeroMemory.
Prerequisites
- A Kinde account with a business
- An AINative Studio account with a project and API key
- Your AINative project ID (found in the dashboard under Settings)
Step 1: Create an Application in Kinde
- Log in to your Kinde Dashboard
- Navigate to Settings > Applications > Add application
- Choose the application type:
  - Single page web app for React, Vue, or Svelte frontends
  - Back-end web app for Next.js or server-rendered apps
  - Machine to machine for backend services and agents
- Note your Domain, Client ID, and Client Secret
Your Kinde domain follows the pattern {app}.kinde.com.
Step 2: Configure Redirect URIs
In your Kinde application settings, configure:
| Field | Value |
|---|---|
| Allowed callback URLs | https://your-app.com/callback, http://localhost:3000/callback |
| Allowed logout redirect URLs | https://your-app.com, http://localhost:3000 |
Kinde supports standard OIDC discovery at https://{app}.kinde.com/.well-known/openid-configuration.
Step 3: Register Kinde as an Identity Provider in AINative
Call the AINative API to register your Kinde application as a trusted identity provider:
curl -X POST https://api.ainative.studio/api/v1/auth/providers \
  -H "Authorization: Bearer YOUR_AINATIVE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "kinde",
    "domain": "YOUR_APP.kinde.com",
    "client_id": "YOUR_KINDE_CLIENT_ID",
    "jwks_uri": "https://YOUR_APP.kinde.com/.well-known/jwks",
    "issuer": "https://YOUR_APP.kinde.com",
    "claim_mapping": {
      "user_id": "sub",
      "email": "email"
    }
  }'
Claim Mapping
Kinde JWTs include these claims that AINative maps automatically:
| Kinde Claim | AINative Field | Description |
|---|---|---|
| sub | user_id | Unique user identifier (e.g. kp_abc123def456) |
| email | email | User email address |
Step 4: Test the Connection
Obtain a test token from Kinde and verify it works with AINative:
# Get a token from Kinde (M2M flow)
TOKEN=$(curl -s -X POST https://YOUR_APP.kinde.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_KINDE_CLIENT_ID" \
  -d "client_secret=YOUR_KINDE_CLIENT_SECRET" \
  -d "grant_type=client_credentials" | jq -r '.access_token')

# Verify against AINative
curl -s https://api.ainative.studio/api/v1/auth/verify \
  -H "Authorization: Bearer $TOKEN"
A successful response returns:
{
  "valid": true,
  "provider": "kinde",
  "user_id": "kp_abc123def456",
  "email": "user@example.com"
}
Step 5: Use Kinde JWTs with AINative APIs
Once the provider is registered, your users can authenticate with their Kinde tokens across all AINative services.
Chat Completions
curl -X POST https://api.ainative.studio/api/v1/chat/completions \
  -H "Authorization: Bearer KINDE_USER_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "llama-3.3-70b",
    "messages": [
      {"role": "user", "content": "Hello from Kinde!"}
    ]
  }'
ZeroDB Vector Search
curl -X POST https://api.ainative.studio/api/v1/zerodb/vectors/search \
  -H "Authorization: Bearer KINDE_USER_JWT" \
  -H "X-Project-ID: YOUR_PROJECT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "user onboarding flow",
    "top_k": 5
  }'
ZeroMemory Store
curl -X POST https://api.ainative.studio/api/v1/public/memory/v2/remember \
  -H "Authorization: Bearer KINDE_USER_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "User completed onboarding",
    "entity_name": "user_events"
  }'
Step 6: Enable Row-Level Security for ZeroDB (Optional)
Row-Level Security (RLS) ensures that each user can only access their own data in ZeroDB. When enabled, the user_id claim from the Kinde JWT is automatically applied as a filter on all queries.
curl -X POST https://api.ainative.studio/api/v1/zerodb/projects/YOUR_PROJECT_ID/rls \
  -H "Authorization: Bearer YOUR_AINATIVE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "user_id_claim": "sub",
    "policy": "strict"
  }'
With RLS enabled:
- Vectors: Automatically filtered by the user_id extracted from the JWT sub claim
- Tables: Row-level filtering applied on reads and writes
- Files: Users can only access files they uploaded
- Memory: Each user gets isolated memory namespaces
Kinde Feature Flags
Kinde includes feature flags in JWTs. You can use these to gate access to specific AINative features in your application logic:
{
  "feature_flags": {
    "premium_ai": { "t": "b", "v": true },
    "max_tokens": { "t": "i", "v": 4096 }
  }
}
AINative does not process feature flags directly, but they are available in the decoded JWT for your application to use.
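Because the flags arrive inside the token, your application should read them only after it has verified the token itself. The sketch below is an added example, not AINative or Kinde code: it checks the algorithm, signature, issuer and expiry with Node's built-in crypto module, then reads flags with a type check. It assumes RS256-signed tokens; the function names, the `demo-key` key ID and the throwaway key pair are hypothetical stand-ins for keys you would load from your `jwks_uri`.

```javascript
const nodeCrypto = require("node:crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");
const parsePart = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Verify algorithm, signature, issuer and expiry; return the claims or throw.
function verifyKindeJwt(token, jwks, expectedIssuer, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = parsePart(h);
  // Pin the algorithm: the token must not be able to select "none" or HMAC.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = nodeCrypto.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
  const sigOk = nodeCrypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!sigOk) throw new Error("bad signature");
  const claims = parsePart(p);
  if (claims.iss !== expectedIssuer) throw new Error("issuer mismatch"); // exact string match
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Return a flag value only when its type code ("b" or "i") and JS type agree.
function readFlag(claims, name, type, fallback) {
  const f = (claims.feature_flags || {})[name];
  if (!f || f.t !== type) return fallback;
  if (type === "b") return typeof f.v === "boolean" ? f.v : fallback;
  if (type === "i") return Number.isInteger(f.v) ? f.v : fallback;
  return fallback;
}

// --- Constructed fixture: a throwaway key pair stands in for the provider's key ---
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const DEMO_JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key" }] };
const DEMO_ISSUER = "https://YOUR_APP.kinde.com";

function signDemoToken(payload, header = { alg: "RS256", kid: "demo-key", typ: "JWT" }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${nodeCrypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")}`;
}

const demoClaims = verifyKindeJwt(signDemoToken({
  iss: DEMO_ISSUER, sub: "kp_abc123def456", exp: 4102444800, // constructed: expires in 2100
  feature_flags: { premium_ai: { t: "b", v: true }, max_tokens: { t: "i", v: 4096 } },
}), DEMO_JWKS, DEMO_ISSUER);
console.log(readFlag(demoClaims, "premium_ai", "b", false), readFlag(demoClaims, "max_tokens", "i", 1024));
```

A token whose payload was edited to raise `max_tokens` fails at the signature check, so the flag never reaches your gating logic.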
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Token expired or issuer mismatch | Verify the issuer matches your Kinde domain exactly |
| 403 Forbidden | RLS blocking access | Check that the sub claim in the JWT matches the data owner |
| invalid_token error | JWKS URI unreachable | Confirm your Kinde domain is correct and accessible |
| Missing email claim | Scopes not requested | Add openid email profile to your authorization request scopes |
Next Steps
- ZeroMemory Guide -- Add persistent memory to your Kinde-authenticated agents
- API Reference -- Full API documentation
- SDK Quick Start -- Client SDKs for React, Next.js, Vue, Svelte, and Python