This article describes the use of Single Sign-On (SSO) in the interaction between Super Apps and Mini Apps.
Single Sign-On (SSO) is an authentication mechanism that allows users to authenticate once in a Super App and gain access to various Mini Apps without the need to log in separately to each one. This improves the user experience, reduces the number of passwords users need to remember and enhances security by centralizing authentication.
When both the Super App and the Mini App support Single Sign-On (SSO), the process of loading a Mini App involves the following steps:
- When loading a Mini App, the Super App invokes a URL on its backend, which serves as the Identity Provider (IDP), to obtain the authentication token required for SSO.
- Once the Super App retrieves the token from the IDP, it is generated within the Mini App. This token is unique to the user and the specific Mini App being accessed.
- If the Mini App is a Native GeneXus App integrated with GeneXus Access Manager (GAM), the GeneXus Super App Render itself sends this token when invoking backend services of the Mini App that require authentication.
- If the Mini App is a Web application or uses another authentication mechanism (not GAM), the Super App provides the token to the Mini App by passing it in the header during the invocation of the EntryPointURL for Web Mini Apps, or during the call to services for native Mini Apps. In this case, the Mini App developer is responsible for including this token in the invocation of secure services.
- Upon receiving the token, the backend of the Mini App verifies it against the IDP of the Super App to ensure the authenticity and authorization of the user.
This process ensures seamless authentication and access to Mini Apps within the Super App ecosystem, enhancing user experience and security across the platform.
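
The backend check in the last step can be sketched as follows. This is an added example, not GeneXus or GAM code: the `Authorization: Bearer` header, the IDP response fields (`active`, `user_id`, `mini_app_id`) and all function names are assumptions, and the IDP is replaced by constructed sample data so the block runs offline.

```python
class TokenRejected(Exception):
    """Raised whenever the request must be treated as unauthenticated."""

def verify_sso_token(headers, ask_idp, mini_app_id):
    """Return the user id for a valid token, else raise TokenRejected.

    headers     -- request headers received by the Mini App backend
    ask_idp     -- callable(token) -> dict; in production an HTTPS call to
                   the Super App IDP (response fields are assumed here)
    mini_app_id -- identifier of the Mini App this backend belongs to
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise TokenRejected("no bearer token in request")
    try:
        info = ask_idp(token)
    except Exception as exc:  # fail closed: an unreachable IDP is not a pass
        raise TokenRejected("IDP check failed") from exc
    if not isinstance(info, dict) or info.get("active") is not True:
        raise TokenRejected("IDP does not recognise the token")
    # The token is unique to the user AND the Mini App, so a token that
    # the IDP issued for another Mini App must not be accepted here.
    if info.get("mini_app_id") != mini_app_id:
        raise TokenRejected("token was issued for a different Mini App")
    if not info.get("user_id"):
        raise TokenRejected("IDP response names no user")
    return info["user_id"]

# Constructed sample data standing in for the Super App IDP.
ISSUED = {
    "tok-aaa": {"active": True, "user_id": "user-42", "mini_app_id": "shop"},
    "tok-bbb": {"active": True, "user_id": "user-42", "mini_app_id": "bank"},
    "tok-ccc": {"active": False},
}

def fake_idp(token):
    return ISSUED.get(token, {"active": False})

def check(token, app="shop"):
    """Run the verification for one token and report the outcome as text."""
    try:
        return verify_sso_token({"Authorization": "Bearer " + token}, fake_idp, app)
    except TokenRejected as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    for t in ("tok-aaa", "tok-bbb", "tok-ccc", "tok-zzz"):
        print(t, "->", check(t))
```

The Mini App check matters because every Mini App talks to the same IDP: without it, a token the IDP considers valid for one Mini App would also be accepted by every other Mini App backend.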

The authentication flow between Super Apps and Mini Apps using the OAuth 2.0 protocol is detailed below. It involves several steps:
- Access authorization: The user authorizes or denies data to be shared with the Mini App.
- Display data options: If authorization is required, a list of data options to be shared with the Mini App is displayed to the user.
- Allow/Deny scopes: The user decides whether to allow or deny the requested data scopes for the Mini App.
- Token generation: Upon authorization, the Super App generates an access token and calls the Mini App's sign-in service.
- Access token retrieval: The Mini App requests an access token from the Super App Server using the provided code.
- User information retrieval: The Mini App retrieves user information from the Super App Server using the access token.
For more details, read HowTo: Use OAuth 2.0 endpoints to authenticate a Mini App from a Super App.
To configure Single Sign-On (SSO) in the Mini App Center, indicate that the Super App will use this authentication mechanism. Additionally, for each Mini App, ensure that it is configured to support SSO if the Super App has this feature enabled.
For that, the following configurations must be set:
- Super App is marked with Security = True
  This setting indicates that the Super App supports security features, including SSO integration. See more information at Security Configuration in a Super App.
- Mini App version is marked with Integrated Security = True
  This setting signifies that the Mini App Version supports integrated security features, including SSO functionality. Read more at Security Configuration in a Mini App Version.
This feature is available since GeneXus 18 Upgrade 11.
HowTo: Configure Single Sign-On (SSO) between a Super App and Mini App using GAM