Social Accounts

AI Supreme Council supports multiple authentication methods so you can sign in from any device and link accounts across providers. Authentication is designed around security and resilience -- WebAuthn/Passkeys provide hardware-backed, phishing-resistant login that works even if third-party OAuth providers go down.

Supported Login Providers

Login providers are divided into two tiers based on whether the provider requires phone verification for account creation.

Tier 1: Phone-Verified (Can Register New Accounts)

These providers require phone verification to create an account, which serves as identity verification and anti-spam protection. You can use any of these to create a new AI Supreme Council account.

Provider | Phone Required? | Notes
--- | --- | ---
Google | Yes (mandatory since 2021) | Most common login method worldwide
Apple | Yes (mandatory for Apple ID) | Privacy-focused, hides email option
Facebook | Yes (SMS/WhatsApp verification) | Supports WhatsApp verification in some regions
WeChat | Yes (China phone number) | Primary login method for users in China
Telegram | Yes (phone-first, always required) | Phone number is the account identifier

Tier 2: Link-Only (Cannot Register New Accounts)

These providers do not universally require phone verification, so they cannot be used to create a new account. However, once you have an account, you can link any of them for login convenience.

Provider | Why Link-Only? | Useful For
--- | --- | ---
GitHub | Email-only accounts exist | Developers who prefer GitHub login
Twitter/X | Phone became optional in 2023 | Social media integration
Discord | Phone is optional | Gaming and community users

Registration vs. Linking

Registration means creating a brand new AI Supreme Council account. This requires a Tier 1 provider to verify your identity. Linking means connecting an additional login method to an existing account. Any supported provider can be linked after registration.

WebAuthn / Passkeys

WebAuthn is the primary authentication method, recommended for all users. It uses public-key cryptography backed by your device's hardware security module (TPM or Secure Enclave).

How It Works

  1. Registration: Your device generates a public/private keypair. The public key is stored; the private key never leaves your device's secure hardware.
  2. Authentication: The platform sends a random challenge. Your device signs it with the private key after you confirm via biometric (fingerprint, face scan) or PIN.
  3. Verification: The signed challenge is verified against your stored public key. Total compute cost: one signature verification.

Benefits

  • Phishing-immune -- the private key is bound to the domain, so it cannot be used on a fake site
  • No passwords -- nothing to remember, nothing to steal, no password database to breach
  • Works offline -- after initial registration, authentication is local to your device
  • Biometric UX -- fingerprint or face scan is faster than typing a password
  • Cross-device -- passkeys sync across your devices via iCloud Keychain, Google Password Manager, or Windows Hello

Recommended setup

Register with a Tier 1 provider (like Google) to create your account, then set up a Passkey in Settings > Account. After that, you can log in with just your fingerprint or face scan -- no OAuth redirect needed.

Local Accounts

AI Supreme Council also supports local accounts with password authentication. This is useful for environments where OAuth providers are unavailable (e.g., restricted networks in China).

How Local Accounts Work

  • Password hashing: PBKDF2 with 100,000 iterations and SHA-256, using a random 16-byte salt
  • Storage: Password hash and salt are stored in localStorage under ais-known-accounts
  • Security: The plain-text password is never stored -- only the derived hash

Creating a Local Account

  1. On the login screen, click "Create local account"
  2. Enter your name, email, and password
  3. The password is hashed via Web Crypto API (crypto.subtle) and stored locally
  4. Your account appears in the account picker on subsequent visits

Unlocking a Local Account

When returning to the app, password-protected accounts show a lock icon in the account picker. Click the account card, enter your password, and it is verified against the stored hash before granting access.

Account Picker

When multiple accounts exist on a device, the login screen shows an account picker listing all known accounts sorted by most recent login. Each account card displays:

  • Profile picture (or first letter fallback)
  • Name and email
  • Auth type badge (Local or provider name)
  • Lock icon if password-protected
  • Owner badge if the account is the device owner

Device Ownership

The first account created on a device becomes the device owner. Ownership controls:

  • The owner account cannot be removed from the picker while other accounts exist
  • Ownership can be transferred to another account via the "Set as owner" button
  • If a device password is set, transferring ownership requires entering the device password

Account Removal

Non-owner accounts can be removed from the picker by clicking the X button. Password-protected accounts require entering the account password before removal. Removing an account from the picker does not delete any data -- it only removes the entry from the login screen.

Device Password

A device-level password can be set to protect the account picker itself. When enabled:

  • The account picker is hidden behind a password gate
  • Users must enter the device password before seeing any accounts
  • All sensitive operations (ownership transfer, account removal) require the device password

Multi-Account Support

The platform supports multiple accounts on a single device:

  • OAuth accounts can be re-authenticated by clicking their card (uses cached JWT if still valid, otherwise redirects to the OAuth provider)
  • Local accounts unlock with their individual passwords
  • Account auto-expiry can be configured to remove inactive accounts after a set number of days

Linking Additional Accounts

After creating your account, you can link additional login providers:

  1. Open Settings (gear icon in the header)
  2. Go to the Account section
  3. Under Linked Providers, click Link Account
  4. Choose a provider and complete the OAuth flow
  5. The provider appears in your linked list

Each linked provider becomes an alternative login method. Your identity is the same regardless of which provider you use to sign in.

Cross-Device Authentication

Passkeys are the recommended way to sign in across multiple devices:

  • Apple devices: Passkeys sync via iCloud Keychain (iPhone, iPad, Mac)
  • Android/Chrome: Passkeys sync via Google Password Manager
  • Windows: Windows Hello supports passkeys with PIN, fingerprint, or face

For devices that do not support passkey sync, you can sign in with any linked OAuth provider.

Guest Mode

For self-hosted deployments where no authentication server is configured, guest mode provides full access to all features without signing in.

Guest mode limitations

Guest mode is intended for personal/self-hosted use only. Guest sessions are local to the device and cannot sync across devices. There is no account to link providers to, and no way to recover data if the browser storage is cleared.

Guest mode activates automatically when:

  • Running on localhost or a .pages.dev preview domain
  • No auth configuration is detected
  • The user explicitly chooses "Skip setup" on the login screen

Privacy: What Data Is Stored

AI Supreme Council stores minimal user data, and all of it stays on your device:

Data | Storage Location | Shared with Server?
--- | --- | ---
Name | localStorage (ais-user) | Only during OAuth flow
Email | localStorage (ais-user) | Only during OAuth flow
Profile picture URL | localStorage (ais-user) | Only during OAuth flow
Login provider | localStorage (ais-user) | Only during OAuth flow
API keys | localStorage (ais-apikey-*) | Never -- sent only to LLM providers
Known accounts | localStorage (ais-known-accounts) | Never
Password hashes | localStorage (ais-known-accounts) | Never
Chat history | IndexedDB | Never
Bot configurations | IndexedDB | Never (unless you share via URL)

Note: The OAuth flow passes through the API server (api.aiscouncil.com) to handle provider callbacks, but user credentials are immediately passed back to the client via URL parameters and stored locally. The server does not maintain a user database for chat or bot data.

Account Security

  • All OAuth tokens are verified server-side: RS256 signatures are checked against the provider's JWKS public keys for Google and Apple, and Telegram payloads are checked with HMAC-SHA256
  • Telegram replay protection prevents reuse of auth payloads (600-second nonce window stored in KV)
  • Input sanitization strips HTML special characters from all OAuth user data before storage (name, email, picture, provider)
  • Generic error messages are returned on auth failures to prevent information leakage; specific reasons are logged server-side only via auditLog()
  • Local passwords are hashed with PBKDF2 (100K iterations, SHA-256) -- the plain text is never stored
  • Session JWTs are cached locally and checked for expiry before use; expired tokens trigger a fresh OAuth flow

Deleting Your Account

To remove your data:

  1. Open Settings > Account
  2. Click Delete Account
  3. Confirm the deletion

This clears all local data (profiles, chat history, settings, API keys) from the current device. Since data is stored locally, deleting on one device does not affect other devices where you may be signed in.