OpenAnalyst AuthIntent Download Handoff
Use AuthIntent handoff when a 10x campaign, hosted run, or partner-controlled page needs to send a user into OpenAnalyst with a personalized sign-in context.
AuthIntent is an API-first handoff. 10x stores the sensitive sign-in session and allowlisted personalization context server-side, then gives the next surface only an opaque authIntentId.
What AuthIntent solves
Normal UTM parameters are useful for first-page attribution, but they are fragile across redirects, download pages, operating-system installers, and desktop app launches. AuthIntent makes the first capture durable:
- A trusted 10x or partner server creates an AuthIntent while the campaign context is still available.
- 10x stores the allowlisted
attributionandonboardingfields on the AuthIntent record. - Later URLs only need
authIntentId. - OpenAnalyst previews the intent, asks for the one-time code, and confirms the intent through 10x.
If UTMs are trimmed after AuthIntent creation, the context is still available from the AuthIntent record. If UTMs are trimmed before AuthIntent creation, 10x can only store the fields the creator or partner server sends at creation time.
Flow
Capture context before the download step
The campaign, hosted result, or partner server collects the user email and any campaign context that should survive handoff.
Create the AuthIntent from a trusted server
Call
POST /v2/partners/openanalyst/auth-intents/startwith the partner token. Do not call this route directly from an untrusted browser because the partner token is server-side credential material.Return or store the opaque id
The start response includes
authIntentId, expiry, masked delivery details, and safe preview data. Keep this id in the page state, server session, or handoff URL.Download or open OpenAnalyst
If OpenAnalyst is already installed, open
openanalyst://login?authIntentId=.... If the user must download first, keep the sameauthIntentIdon the post-download continue action.Verify the one-time code
OpenAnalyst calls the preview route, skips email entry, and posts
{ authIntentId, code }to the AuthIntent confirm route.
Create an AuthIntent
POST /v2/partners/openanalyst/auth-intents/start
Required auth: partner token in Authorization: Bearer <token> or x-10x-partner-token.
curl -sS -X POST "https://ai.10x.in/v2/partners/openanalyst/auth-intents/start" \
-H "Authorization: Bearer $OPENANALYST_PARTNER_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "alex@example.com",
"name": "Alex Rivera",
"externalIntentId": "hosted-run-2026-06-05-001",
"attribution": {
"source": "10x",
"medium": "hosted_run",
"campaign": "email-revenue-system",
"utmSource": "newsletter",
"utmMedium": "email",
"utmCampaign": "email-revenue-system",
"landingPage": "https://10x.in/agents/email-revenue-system"
},
"onboarding": {
"goal": "Set up an email revenue workflow",
"company": "Example Co",
"role": "Founder",
"useCase": "email-revenue-system",
"workspaceName": "Email Revenue System",
"planHint": "openanalyst"
}
}'{
"ok": true,
"authIntentId": "oai_EXAMPLEOPAQUEID",
"expiresAt": "2026-06-05T12:10:00.000Z",
"preview": {
"maskedEmail": "a****x@example.com",
"partnerDisplayName": "OpenAnalyst"
},
"codeDelivery": {
"deliveryMedium": "EMAIL",
"destination": "a****x@example.com"
}
}Context fields 10x accepts
10x sanitizes AuthIntent context before storing it. Unsupported fields are ignored, strings are trimmed, and the record is short-lived.
| Context object | Accepted keys |
|---|---|
attribution | source, medium, campaign, term, content, referrer, landingPage, affiliateId, partnerRequestId, utmSource, utmMedium, utmCampaign |
onboarding | goal, company, role, teamSize, useCase, workspaceName, planHint, industry, region |
Preview and confirm
OpenAnalyst uses the AuthIntent id to prepare the login screen:
GET /v2/auth/openanalyst/auth-intents/{authIntentId}/previewThe preview response is safe to show to the user. It includes the intent status, expiry, partner display information, and masked email. It does not expose the stored Cognito session, raw email, OTP, tokens, or full attribution payload.
OpenAnalyst then confirms the code:
POST /v2/auth/openanalyst/auth-intents/confirm{
"authIntentId": "oai_EXAMPLEOPAQUEID",
"code": "123456"
}10x loads the encrypted email and Cognito session from the AuthIntent record, verifies the code, and passes the authIntentId through the Cognito token-generation metadata. The token-claims flow consumes the intent once and forwards only sanitized attribution/onboarding context to OpenAnalyst provisioning.
URL and deep-link handoff
Use one of these handoff shapes:
| Situation | Handoff |
|---|---|
| Browser OpenAnalyst login | /login?authIntentId=oai_EXAMPLEOPAQUEID |
| Native desktop app is installed | openanalyst://login?authIntentId=oai_EXAMPLEOPAQUEID |
| User must download first | Keep authIntentId in the download page/session and show an "Open OpenAnalyst" or "Continue setup" action after install |
If a redirect service or analytics tool trims UTM parameters from these URLs, AuthIntent still works because the URL only needs authIntentId. If the authIntentId is also removed or lost, OpenAnalyst cannot recover the personalized context and falls back to normal sign-in and generic onboarding.
Failure cases
| Case | Expected behavior |
|---|---|
| AuthIntent feature is disabled | 10x returns 404 not_found for AuthIntent routes |
| Missing partner token on start | 10x returns 401 unauthorized |
| Expired AuthIntent | Confirm returns an auth-intent expiry error and the user must start again |
| Already consumed AuthIntent | Confirm is rejected; AuthIntents are single-use |
Lost authIntentId after download | OpenAnalyst can still sign in normally, but the personalized AuthIntent context is unavailable |
Source-backed contract
Current implementation anchors:
| Area | Source |
|---|---|
| AuthIntent id, TTL, allowlisted metadata, encryption helpers | src/shared/openanalyst-auth-intents.ts |
| Start, preview, and confirm routes | src/lambdas/api/domains/auth.ts |
| One-time consumption and OpenAnalyst provisioning context | src/lambdas/cognito-openanalyst-token-claims/handler.ts |
| OpenAnalyst web login and deep-link handling | OpenAnalyst-Package-private-src/packages/app/src/pages/login.tsx, OpenAnalyst-Package-private-src/packages/app/src/pages/layout/deep-links.ts |
Related guides
Updated Jun 19, 2026