Providers
AuthGate supports five OAuth providers, email + password authentication, and magic link authentication. Each OAuth provider requires credentials from the provider's developer console and a redirect URI pointing back to AuthGate.
Redirect URI
All providers require a redirect URI. Set this in each provider's developer console:
{AUTHGATE_URL}/api/proxy/callback/{provider}
For example: https://auth.example.com/api/proxy/callback/google
Google
Google uses OAuth 2.0 with PKCE for enhanced security.
Setup
- Go to the Google Cloud Console
- Create a new OAuth 2.0 Client ID (Web application type)
- Add the redirect URI: {AUTHGATE_URL}/api/proxy/callback/google
- Copy the Client ID and Client Secret
Scopes requested
openid, profile, email
Returned fields
| Field | Source |
|---|---|
| providerAccountId | ID token sub claim |
| email | ID token email claim |
| name | ID token name claim |
| avatarUrl | ID token picture claim |
GitHub
GitHub uses standard OAuth 2.0 without PKCE.
Setup
- Go to GitHub Developer Settings
- Create a new OAuth App
- Set the Authorization callback URL to {AUTHGATE_URL}/api/proxy/callback/github
- Copy the Client ID and Client Secret
Scopes requested
user:email, read:user
Returned fields
| Field | Source |
|---|---|
| providerAccountId | GitHub user id |
| email | Primary verified email from /user/emails |
| name | GitHub user name |
| avatarUrl | GitHub user avatar_url |
Discord
Discord uses standard OAuth 2.0.
Setup
- Go to the Discord Developer Portal
- Create a new application
- Go to OAuth2 and add the redirect URL: {AUTHGATE_URL}/api/proxy/callback/discord
- Copy the Client ID and Client Secret
Scopes requested
identify, email
Returned fields
| Field | Source |
|---|---|
| providerAccountId | Discord user id |
| email | Discord user email |
| name | Discord user global_name (fallback to username) |
| avatarUrl | Constructed from https://cdn.discordapp.com/avatars/{id}/{avatar}.png |
Azure / Entra ID
Azure uses OpenID Connect with PKCE.
Setup
- Go to the Azure Portal → App registrations
- Create a new registration
- Add the redirect URI (Web platform): {AUTHGATE_URL}/api/proxy/callback/azure
- Create a Client Secret under Certificates & secrets
- Copy the Client ID, Client Secret, and Tenant ID
Scopes requested
openid, profile, email
Returned fields
| Field | Source |
|---|---|
| providerAccountId | ID token sub claim |
| email | ID token email or preferred_username claim |
| name | ID token name claim |
| avatarUrl | Not available from Azure |
Apple
Sign in with Apple uses the form_post response mode, so the callback arrives at AuthGate as a POST request rather than a GET redirect.
Setup
- Go to the Apple Developer Portal
- Create a Services ID with Sign In with Apple enabled
- Configure the return URL: {AUTHGATE_URL}/api/proxy/callback/apple
- Create a private key for Sign In with Apple
- You'll need: Services ID (Client ID), Team ID, Key ID, and the private key
Scopes requested
name, email
Returned fields
| Field | Source |
|---|---|
| providerAccountId | ID token sub claim |
| email | ID token email claim |
| name | From the user form parameter (first authorization only) |
| avatarUrl | Not available from Apple |
Apple only provides the user's name during the first authorization. On subsequent sign-ins, only the sub and email are available from the ID token.
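The "Returned fields" tables above describe a mapping from each provider's callback data onto the same four fields. The following is an added example of that mapping written for this page, not AuthGate's own code; the input shapes (decoded ID token claims, the GitHub /user and /user/emails responses, the Discord user object, Apple's user form parameter) and all sample values are assumptions.

```typescript
// Added example, not AuthGate's own code: map each provider's callback data onto the
// four fields listed in the tables above. Input shapes and sample values are assumptions.
type Provider = "google" | "github" | "discord" | "azure" | "apple";
type GhEmail = { email: string; primary: boolean; verified: boolean };
interface Account { providerAccountId: string; email: string | null; name: string | null; avatarUrl: string | null }
interface RawProfile {
  claims?: Record<string, unknown>; // decoded ID token claims (google, azure, apple)
  user?: Record<string, unknown>;   // GitHub /user or Discord user object
  emails?: GhEmail[];               // GitHub /user/emails response
  userForm?: { name?: { firstName?: string; lastName?: string } }; // Apple `user` POST param
}
const str = (v: unknown): string | null => (typeof v === "string" && v !== "" ? v : null);
// Account ids may be numbers (GitHub) or strings (OIDC sub, Discord snowflake); a missing id is an error.
function idOf(v: unknown, what: string): string {
  const s = typeof v === "number" ? String(v) : str(v);
  if (s === null) throw new Error(`missing ${what}`);
  return s;
}
export function normalizeProfile(provider: Provider, raw: RawProfile): Account {
  const c = raw.claims ?? {};
  const u = raw.user ?? {};
  switch (provider) {
    case "google":
      return { providerAccountId: idOf(c.sub, "sub"), email: str(c.email), name: str(c.name), avatarUrl: str(c.picture) };
    case "github": {
      // Only the primary address GitHub has verified is trusted; anything else yields null.
      const emails: GhEmail[] = raw.emails ?? [];
      const primary = emails.find((e) => e.primary && e.verified);
      return { providerAccountId: idOf(u.id, "id"), email: primary?.email ?? null, name: str(u.name), avatarUrl: str(u.avatar_url) };
    }
    case "discord": {
      const id = idOf(u.id, "id");
      const avatar = str(u.avatar); // null when the user has no custom avatar
      return {
        providerAccountId: id, email: str(u.email),
        name: str(u.global_name) ?? str(u.username), // global_name, falling back to username
        avatarUrl: avatar ? `https://cdn.discordapp.com/avatars/${id}/${avatar}.png` : null,
      };
    }
    case "azure":
      return { providerAccountId: idOf(c.sub, "sub"), email: str(c.email) ?? str(c.preferred_username), name: str(c.name), avatarUrl: null };
    case "apple": {
      // Apple sends the `user` form parameter only on the first authorization; later sign-ins carry no name.
      const n = raw.userForm?.name;
      const name = n ? [n.firstName, n.lastName].filter(Boolean).join(" ") || null : null;
      return { providerAccountId: idOf(c.sub, "sub"), email: str(c.email), name, avatarUrl: null };
    }
  }
}
```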
Email + Password
Email + Password is not an OAuth provider — it's a separate authentication method that allows users to sign up and sign in with their email and a password.
Setup
No external provider configuration is needed. You need to configure AWS SES for sending verification and password reset emails:
- Set up AWS SES (see the infrastructure guide)
- Configure the AWS_SES_ACCESS_KEY_ID, AWS_SES_SECRET_ACCESS_KEY, AWS_SES_REGION, and EMAIL_FROM environment variables
- Enable the "Email + Password" provider in your project's dashboard settings
Features
- Email + password signup and signin
- Email verification via OTP code
- Password reset via email
- Rate limiting on all endpoints
Returned fields
| Field | Source |
|---|---|
| provider | Always "email" |
| email | User's email address |
| name | User's display name (from signup) |
| email_verified | true after entering verification code |
See the Email Authentication guide and Email Auth Endpoints for full details.
Magic Link
Magic Link is a passwordless authentication method — users receive an email with a one-time link that signs them in automatically. It is controlled independently from the Email + Password provider.
Setup
No external provider configuration is needed beyond AWS SES (same as Email + Password):
- Set up AWS SES (see the infrastructure guide)
- Configure the AWS_SES_ACCESS_KEY_ID, AWS_SES_SECRET_ACCESS_KEY, AWS_SES_REGION, and EMAIL_FROM environment variables
- Enable the "Magic Link" provider in your project's dashboard settings
Features
- Passwordless sign in via email link
- Automatic account creation for new users
- Email is automatically verified
- Rate limiting on send endpoint
Returned fields
| Field | Source |
|---|---|
| provider | Always "magic-link" |
| email | User's email address |
| name | User's display name (if previously set) |
| email_verified | Always true (verified by clicking the link) |
See the Email Auth Endpoints for the full API documentation.
MFA Policy
Each project can configure a multi-factor authentication policy that applies to all authentication methods:
- Off (default) — MFA is not available
- Optional — Users can enable MFA in their account settings
- Required — All users must enroll in MFA before accessing protected resources
Configure the MFA policy in your project's dashboard settings. See the MFA guide for full details.