vCareer DOCS v0.1
Join waitlist
DOCS / GETTING STARTED / SIGN IN WITH VATSIM

Sign in with VATSIM

vCareer uses VATSIM Connect (OAuth 2.0) as the only identity provider. Your VATSIM CID is the user primary key — there are no separate vCareer passwords, usernames, or password resets.

~3 MIN READ

What happens on sign-in

  1. You click Alpha sign in.
  2. Our API generates a random state value, sets it in a signed cookie, and redirects you to auth.vatsim.net.
  3. You authenticate with VATSIM. If you're already signed in to VATSIM in this browser, this step is silent.
  4. VATSIM redirects back to vCareer's /auth/callback with an authorization code + the same state value.
  5. Our API exchanges the code for an access token, calls VATSIM's user-info endpoint once, and creates or updates your row in our database.
  6. A signed session cookie is set; the access token is discarded.

The whole round-trip takes one to three seconds. If anything fails (state mismatch, denied access, network blip), you're bounced back with an error instead of being half-logged-in.

What we read from VATSIM

The OAuth scope is read-only. We pull these fields exactly once per sign-in:

  • cid — your numeric VATSIM ID. Our user primary key.
  • personal.name_full — display name for the UI.
  • personal.country.code — used as your home country default in onboarding.
  • personal.email — stored only if you didn't opt out on VATSIM's side; never used for marketing.

We do not read: your VATSIM rating, controller endorsements, past sessions, ATIS history, or any other field VATSIM Connect could expose. The session pulls are public data feeds (see VATSIM API research) — they don't need OAuth scope.

What we store

A single row in the User table, keyed by your cid. Fields: vatsimCid, displayName, email, homeCountry, vCredBalance, createdAt, updatedAt. All in-game state (missions, ratings, classes, hangar) cascades from this row.

The OAuth access token is not persisted. We exchange the code, fetch the user once, and drop the token. Subsequent requests use our own session cookie.

Session + cookie

  • Type: signed JWT (HS256), kept in an HTTP-only cookie. JS on the page cannot read it.
  • Name: session. SameSite=Lax, Path=/, HttpOnly.
  • Lifetime: 7 days. There's no refresh — at expiry you sign in again.
  • Secret: server-side, rotated independently of any user action.

The intermediate oauth_state cookie (used to defend the callback against CSRF) lives 10 minutes and is deleted as soon as the callback completes.

Sign out + revoke

The Sign out button calls POST /auth/logout, which deletes the session cookie. To revoke vCareer's OAuth grant entirely, visit your VATSIM account settings and remove vCareer from the list of authorized applications.

Alpha-only gate

During alpha, only VATSIM CIDs on our allowlist can complete sign-in. A CID that authenticates successfully but isn't on the list is rejected before any database row is created — no User row, no accidental footprint.

You're then redirected to the landing page with ?denied=alpha in the query string, and a banner explains the situation + invites you to drop your email on the beta waitlist.

← PREVIOUS
Quickstart
 NEXT →
Declaring your sims