App Onboarding Guide
How to pair your device, approve requests, and manage servers in the Sigil Auth app
Sigil Auth replaces passwords and codes with push approvals using your phone’s secure hardware. This guide shows you how to pair your device and approve authentication requests.
What You’ll Learn
- How to pair your phone with a server
- How to approve login and action requests
- How to manage multiple servers
- What happens if you lose your device
- How multi-party approval works
Your First Pairing
When you first install Sigil Auth, the app walks you through a brief intro. Then you’re ready to pair with your first server.
Step 1: Start pairing from your computer
On the website or app you’re trying to authenticate with, look for a “Set up Sigil Auth” or “Pair device” option. You’ll see one of these:
- A QR code
- An 8-digit pairing code
- A “Send to phone” button
Step 2: Open Sigil Auth on your phone
Tap Pair with server on the home screen.
Step 3: Choose your pairing method
Scan QR code — Point your camera at the code on your computer. The app reads it automatically.
Enter code — Type the 8-digit code shown on your computer.
Tap link — If you clicked “Send to phone”, tap the notification or link that opens the app.
Step 4: Verify the server
The app shows you the server’s identity:
- Server name (e.g., “Acme Corp”)
- Pictogram — Five emoji that uniquely identify this server
If you’re pairing with Acme Corp and you see five random emoji you’ve never seen before, that’s correct. The pictogram is generated from the server’s cryptographic key — it’s like a visual fingerprint.
[!IMPORTANT] Check that the server name matches what you expect. If you’re pairing with your work account and it says “Random Gaming Site”, something’s wrong. Cancel and contact support.
Tap Yes, Continue if everything looks right.
Step 5: Biometric setup
The app asks for Face ID, Touch ID, or fingerprint permission (depending on your device).
This is how you’ll approve requests. Every approval requires your biometric — the app can’t approve anything without you.
Tap Allow or Set Up and follow your device’s prompts.
Step 6: Done
That’s it. You’re paired. The app shows the server in your list, and you’ll get push notifications when the server needs you to approve something.
Approving Requests
When a server needs you to authenticate or approve an action, you get a push notification:
“Acme Corp is requesting approval”
Tap it to see the details.
What you’ll see
The approval screen shows:
- Server name and pictogram (so you know who’s asking)
- What they’re asking for (e.g., “Sign in to your account” or “Transfer $5000”)
- Action details — If it’s a sensitive action, you’ll see specifics like who, what, and why
Read it. Make sure it’s something you expect.
Approve or deny
Tap “Approve with Face ID” (or Touch ID, fingerprint, etc.) — The app prompts for your biometric. Look at the camera or place your finger. Done. The server gets a cryptographic signature proving you approved.
Tap “Deny” — The request is rejected. The server knows you said no.
If you ignore it
Requests expire after 5 minutes. If you don’t respond, the server treats it as a timeout and the login or action fails.
You can always go back to the app and check your recent activity to see what was requested.
Managing Multiple Servers
Sigil Auth works with as many servers as you want. Pair with your work account, your bank, your gaming platform — they all show up in one list.
Each server has its own:
- Name
- Pictogram
- List of recent requests
To see all your servers, tap the Servers tab at the bottom.
To remove a server, swipe left (iOS) or long-press (Android) and tap Remove. You’ll need to re-pair if you want to use it again.
Multi-Party Approval
Some actions require multiple people to approve. For example, your company might require two out of three team leads to approve a server reboot.
When you get a multi-party approval request, the screen shows:
“Cold boot engine ENG-001”
1 of 2 approvals received. Waiting for one more.
You’re one of several people who can approve. The action doesn’t happen until enough people say yes.
If you approve, you’ll see “Waiting for other approvers.” You can close the app — you’ll get a notification when the action completes or times out.
If someone else denies the request, everyone gets notified and the action is cancelled.
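The approval rules described above can be modelled as a small state machine. This is an added example, not Sigil Auth's server code: the class, its method names and the approver names are hypothetical, responses are assumed to be signature-verified before they reach it, and the 5-minute expiry is assumed to apply to multi-party requests as well.

```python
REQUEST_TTL_SECONDS = 5 * 60  # the guide's 5-minute request expiry (assumed to cover MPA too)

class MultiPartyRequest:
    """Tracks one m-of-n approval; responses are assumed already signature-verified."""

    def __init__(self, action, eligible, required, created_at):
        if not 1 <= required <= len(set(eligible)):
            raise ValueError("required must be between 1 and the number of approvers")
        self.action = action
        self.eligible = frozenset(eligible)
        self.required = required
        self.created_at = created_at
        self.approvals = set()
        self.state = "pending"

    def respond(self, approver, approve, now):
        """Record one approver's decision and return the resulting state."""
        if self.state == "pending" and now - self.created_at >= REQUEST_TTL_SECONDS:
            self.state = "timed_out"
        if self.state != "pending":
            return self.state            # late responses cannot reopen a decided request
        if approver not in self.eligible:
            raise PermissionError(f"{approver} is not an approver for {self.action!r}")
        if not approve:
            self.state = "cancelled"     # a single denial cancels the action
            return self.state
        self.approvals.add(approver)     # a set: approving twice still counts once
        if len(self.approvals) >= self.required:
            self.state = "approved"
        return self.state

    def progress(self):
        return f"{len(self.approvals)} of {self.required} approvals received"

if __name__ == "__main__":
    leads = ["alice", "bob", "carol"]    # constructed approver names
    req = MultiPartyRequest("Cold boot engine ENG-001", leads, 2, created_at=0)
    print(req.respond("alice", True, now=10), "-", req.progress())
    print(req.respond("alice", True, now=15), "-", req.progress())
    print(req.respond("bob", True, now=20), "-", req.progress())
```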
What If I Lose My Device?
Your private key is locked inside your phone’s secure chip. If you lose your phone:
- Contact the services you’ve paired with and tell them to remove that device
- Install Sigil Auth on your new phone
- Re-pair with each server
There’s no way to “transfer” your key to a new device — the key never leaves the hardware. That’s the security property that makes this work.
Backup and recovery
When you pair with a server, the app shows you a recovery mnemonic (24 words). Write it down and keep it somewhere safe.
If the server loses its key, it can regenerate from the mnemonic. But this doesn’t recover your device’s key — you’ll still need to re-pair.
[!NOTE] The mnemonic backs up the server’s identity, not your device’s key. Your device key is hardware-bound and non-exportable.
Security Tips
Screenshots and screen recording
When the app shows sensitive information (like your recovery mnemonic), it blocks screenshots. If you try to take one, you’ll get a black screen. This is intentional — it prevents accidental leaks.
Biometric changes
If you add a new fingerprint or change your Face ID enrollment, your device key is invalidated. You’ll need to re-pair with all servers. This prevents someone from adding their own fingerprint to your phone and approving requests.
App permissions
Sigil Auth needs:
- Camera — To scan QR codes
- Notifications — To receive approval requests
- Biometric — To approve requests
You can deny camera permission and enter codes manually. But notifications and biometric are required — without them, the app can’t work.
Verify the pictogram
Every server has a unique pictogram. When you approve a request, check that the pictogram matches the one you saw during pairing. If it’s different, something’s wrong. Deny the request and contact support.
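The pairing step ("Verify the server") and this check both rely on the pictogram being derived from the server's key. The sketch below is an added example, not Sigil Auth's actual derivation: the SHA-256 mapping, the 32-emoji table, the function names and the sample keys are all assumptions made for illustration. It pins the full key fingerprint at pairing and shows why a request from a different key under the same server name fails the check.

```python
import hashlib
import hmac

# Constructed 32-symbol table (assumption: the app's real emoji table is not given on this page).
ALPHABET = list("🐶🐱🦊🐻🐼🐸🐵🦁🐯🐮🐷🐔🐧🦉🐴🦄🐝🐢🐙🦀🐬🐳🌵🌲🍀🍄🌻🌙🍎🔥🌈🍋")

def fingerprint(server_public_key: bytes) -> bytes:
    """Full-length digest of the key; this is what gets pinned."""
    return hashlib.sha256(server_public_key).digest()

def pictogram(server_public_key: bytes, length: int = 5) -> str:
    """Render the first 5*length bits of the fingerprint as emoji (5 bits per symbol)."""
    bits = int.from_bytes(fingerprint(server_public_key), "big")
    picks = [(bits >> (256 - 5 * (i + 1))) & 0x1F for i in range(length)]
    return " ".join(ALPHABET[p] for p in picks)

def pair(pinned: dict, server_name: str, server_public_key: bytes) -> str:
    """Pin the key at pairing time and return the pictogram shown to the user."""
    pinned[server_name] = fingerprint(server_public_key)
    return pictogram(server_public_key)

def check_request(pinned: dict, server_name: str, request_key: bytes) -> str:
    """Classify an incoming request against what was pinned at pairing."""
    expected = pinned.get(server_name)
    if expected is None:
        return "unknown-server"
    if not hmac.compare_digest(expected, fingerprint(request_key)):
        return "mismatch"            # same name, different key: deny
    return "ok"

# Constructed sample keys (placeholders, not real key material).
ACME_KEY = b"constructed-acme-public-key"
LOOKALIKE_KEY = b"constructed-lookalike-public-key"

if __name__ == "__main__":
    pinned = {}
    print("paired:", pair(pinned, "Acme Corp", ACME_KEY))
    print("genuine request:", check_request(pinned, "Acme Corp", ACME_KEY))
    print("same name, other key:", pictogram(LOOKALIKE_KEY),
          check_request(pinned, "Acme Corp", LOOKALIKE_KEY))
```

In this sketch five symbols from a 32-entry table carry only 25 bits, which is why the comparison is made on the full fingerprint and the pictogram serves as the human-readable view of it.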
Troubleshooting
“No connection. Tap to retry when you’re back online.”
The app can’t reach the server. Check your internet connection. If you’re on Wi-Fi, try cellular data.
“This request has expired. Ask them to send a new one.”
The approval request timed out. Go back to the website or app and try again.
“Couldn’t reach [Server Name]. They may be having issues.”
The server is down or unreachable. Wait a few minutes and try again, or contact their support.
“Set up Face ID in your device settings to continue.”
You haven’t enabled biometric authentication on your device. Go to Settings → Face ID & Passcode (iOS) or Settings → Security → Biometric (Android) and set it up.
“This device was removed from [Server Name]. Re-register to continue.”
Someone (maybe you, maybe an admin) removed this device from the server. You’ll need to pair again.
Privacy
Sigil Auth doesn’t collect or store any personal data. The app only knows:
- The servers you’ve paired with
- Recent approval requests (stored locally on your device)
The servers you pair with handle their own user data. Sigil Auth just handles the cryptographic signing.
Your private key never leaves your device. Not to Sigil, not to the server, not to anyone.
Next Steps
- Integrator Quickstart — For developers adding Sigil Auth to their app
- Self-Hosting Guide — For teams running their own Sigil Auth server
- MPA Setup — For admins configuring multi-party approval policies
If something’s not working, check the server’s documentation or contact their support. Sigil Auth is the approval mechanism — the server you’re pairing with owns the user accounts and policies.