OAuth (Google, GitHub)

Ship "Sign in with Google" and "Sign in with GitHub" in minutes. The instance API handles state, code exchange, and session minting; your app just redirects to the authorize endpoint.

Configure providers

  • Google: KL_GOOGLE_CLIENT_ID + KL_GOOGLE_CLIENT_SECRET. Redirect URI in the Google Cloud console: {KL_PUBLIC_BASE_URL}/v1/auth/oauth/google/callback.
  • GitHub: KL_GITHUB_CLIENT_ID + KL_GITHUB_CLIENT_SECRET. Callback URL in GitHub OAuth app: {KL_PUBLIC_BASE_URL}/v1/auth/oauth/github/callback.
  • Toggle per-instance: dashboard → app → settings → SSO connections → Social.

Start the flow

Send the user's browser to the API's authorize endpoint for the chosen provider. The API responds with a 302 redirect to the external provider and attaches a signed state parameter.

<a href={apiBase + '/v1/auth/oauth/google/authorize'}>Sign in with Google</a>
<a href={apiBase + '/v1/auth/oauth/github/authorize'}>Sign in with GitHub</a>

Callback

After consent, the provider redirects back to /v1/auth/oauth/:provider/callback?code=…&state=…. The API validates state, exchanges the code for user info, finds or creates the user, sets the session cookies, and responds 200. Your front-end catches the redirect and moves on to the protected area.

Errors

  • 400 missing_oauth_params — callback without both state and code.
  • 401 oauth_state_mismatch — tampered state; re-initiate the flow.
  • 401 oauth_provider_disabled — feature flipped off on the instance.
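
To show how the callback checks map to the three error codes above, here is an added example; it is not KolayLogin's code. The state layout (base64url JSON payload, a dot, then an HMAC-SHA256 tag), the 10-minute lifetime, the check order and every function name are assumptions.

```javascript
// Added example, not KolayLogin source. State layout, lifetime and names are assumptions.
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending sign-in

function tag(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Authorize step: bind the state to one provider and to an expiry time.
function signState(secret, provider, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({
    provider,
    nonce: crypto.randomBytes(16).toString('hex'),
    exp: now + STATE_TTL_MS,
  })).toString('base64url');
  return `${payload}.${tag(secret, payload)}`;
}

// Callback step: returns one of the status/error pairs listed on the page, or 200.
function checkCallback(secret, enabledProviders, provider, query, now = Date.now()) {
  if (!enabledProviders.includes(provider)) {
    return { status: 401, error: 'oauth_provider_disabled' };
  }
  if (!query.code || !query.state) {
    return { status: 400, error: 'missing_oauth_params' };
  }
  const mismatch = { status: 401, error: 'oauth_state_mismatch' };
  const [payload, mac, ...rest] = String(query.state).split('.');
  if (!payload || !mac || rest.length) return mismatch;
  const expected = Buffer.from(tag(secret, payload));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return mismatch;
  }
  // Parse the payload only after its tag has verified.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  // Assumption: a state issued for another provider, or an expired one, is also a mismatch.
  if (claims.provider !== provider || claims.exp < now) return mismatch;
  return { status: 200, error: null };
}
```

A valid tag only proves the server issued the state. Tying the nonce to a cookie set at the authorize step is what binds it to the browser that started the flow.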