Self-Hosting
Deploy AuthGate on your own infrastructure. This guide covers the environment variables and OAuth app setup required for each provider.
Prerequisites
- Node.js 20+
- pnpm 9+
- PostgreSQL database (Neon recommended)
Clone the repository and install dependencies:
git clone https://github.com/your-org/authgate.git
cd authgate
pnpm install
Copy the example environment file:
cp apps/web/.env.example apps/web/.env.local
Environment variables
AuthGate uses two sets of OAuth credentials:
- Dashboard — for admin login to the AuthGate dashboard
- Proxy — for authenticating your end users through the proxy flow
Each set needs its own OAuth app because the callback URLs are different. Dashboard callbacks go to /api/auth/{provider}/callback, while proxy callbacks go to /api/proxy/callback/{provider}.
Core
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string |
| NEXT_PUBLIC_APP_URL | No | App URL, defaults to http://localhost:3000 |
Dashboard OAuth providers
These credentials let administrators sign into the AuthGate dashboard. All are optional — configure only the providers you want to offer for admin login.
GitHub
- Go to GitHub Developer Settings > OAuth Apps and click New OAuth App
- Set Homepage URL to your app URL (e.g. https://auth.example.com)
- Set Authorization callback URL to {APP_URL}/api/auth/github/callback
- Copy the Client ID and generate a Client Secret
GITHUB_CLIENT_ID=your_github_client_id
GITHUB_CLIENT_SECRET=your_github_client_secret
Google
- Go to the Google Cloud Console > Credentials
- Create a new OAuth 2.0 Client ID (Web application type)
- Under Authorized redirect URIs, add {APP_URL}/api/auth/google/callback
- Copy the Client ID and Client Secret
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
Discord
- Go to the Discord Developer Portal > Applications and create a New Application
- Go to OAuth2 in the sidebar
- Under Redirects, add {APP_URL}/api/auth/discord/callback
- Copy the Client ID and Client Secret
DISCORD_CLIENT_ID=your_discord_client_id
DISCORD_CLIENT_SECRET=your_discord_client_secret
Microsoft (Azure AD)
- Go to the Azure Portal > App registrations and click New registration
- Set Supported account types based on your needs — use "Accounts in any organizational directory and personal Microsoft accounts" for broadest access
- Under Redirect URI, select Web and enter {APP_URL}/api/auth/azure/callback
- Copy the Application (client) ID and Directory (tenant) ID
- Go to Certificates & secrets, create a New client secret, and copy the value
AZURE_CLIENT_ID=your_azure_client_id
AZURE_CLIENT_SECRET=your_azure_client_secret
AZURE_TENANT_ID=common
Set AZURE_TENANT_ID to common for multi-tenant access, or use your specific tenant ID to restrict login to a single organization.
Proxy OAuth providers
These credentials are used by the AuthGate proxy to authenticate your application's end users. The setup steps for each provider are identical to the dashboard providers above, but the callback URLs use the proxy path instead. Proxy vars use the _PROXY_ infix to distinguish them from dashboard vars.
The redirect URI pattern is: {APP_URL}/api/proxy/callback/{provider}
Google
GOOGLE_PROXY_CLIENT_ID=your_google_client_id
GOOGLE_PROXY_CLIENT_SECRET=your_google_client_secret
Redirect URI: {APP_URL}/api/proxy/callback/google
GitHub
GITHUB_PROXY_CLIENT_ID=your_github_client_id
GITHUB_PROXY_CLIENT_SECRET=your_github_client_secret
Redirect URI: {APP_URL}/api/proxy/callback/github
Discord
DISCORD_PROXY_CLIENT_ID=your_discord_client_id
DISCORD_PROXY_CLIENT_SECRET=your_discord_client_secret
Redirect URI: {APP_URL}/api/proxy/callback/discord
Microsoft (Azure AD)
AZURE_PROXY_CLIENT_ID=your_azure_client_id
AZURE_PROXY_CLIENT_SECRET=your_azure_client_secret
AZURE_PROXY_TENANT_ID=common
Redirect URI: {APP_URL}/api/proxy/callback/azure
Apple
APPLE_CLIENT_ID=your_services_id
APPLE_TEAM_ID=your_team_id
APPLE_KEY_ID=your_key_id
APPLE_PRIVATE_KEY=your_private_key
Redirect URI: {APP_URL}/api/proxy/callback/apple
See the Providers guide for detailed setup instructions and scopes for each proxy provider.
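The script below is an added example, not part of AuthGate. It reads env-file text, checks the credential rules stated above (client ID and secret set together, separate OAuth apps for dashboard and proxy, a tenant ID of common) and lists the redirect URIs to register with each provider. It assumes {APP_URL} is NEXT_PUBLIC_APP_URL and covers only the four providers that have both variable sets; parseEnv, auditEnv and the sample values are constructed for illustration.

```javascript
// Added example, not AuthGate code: audit OAuth settings from env-file text.
const PROVIDERS = ["github", "google", "discord", "azure"];
// Parse KEY=value lines; blank lines and comments are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$/);
    if (m) env[m[1]] = m[2].replace(/^(['"])(.*)\1$/, "$2");
  }
  return env;
}

function auditEnv(env) {
  const findings = [], redirectUris = []; // redirectUris: what to register per provider
  // Assumption: {APP_URL} in this guide is NEXT_PUBLIC_APP_URL.
  const base = (env.NEXT_PUBLIC_APP_URL || "http://localhost:3000").replace(/\/+$/, "");
  for (const p of PROVIDERS) {
    const P = p.toUpperCase();
    const sets = [["", `/api/auth/${p}/callback`], ["_PROXY", `/api/proxy/callback/${p}`]];
    for (const [infix, path] of sets) {
      const id = env[`${P}${infix}_CLIENT_ID`], secret = env[`${P}${infix}_CLIENT_SECRET`];
      if (!id && !secret) continue; // provider not configured
      if (!id || !secret) findings.push(`${P}${infix}: set client ID and secret together`);
      else if ([id, secret].some((v) => v.startsWith("your_")))
        findings.push(`${P}${infix}: placeholder value left in place`);
      else redirectUris.push(base + path);
    }
    // The guide requires separate OAuth apps for dashboard and proxy.
    const dash = env[`${P}_CLIENT_ID`];
    if (dash && dash === env[`${P}_PROXY_CLIENT_ID`])
      findings.push(`${P}: dashboard and proxy share one OAuth app`);
  }
  for (const k of ["AZURE_TENANT_ID", "AZURE_PROXY_TENANT_ID"])
    if (env[k] === "common") findings.push(`${k}=common: login is not limited to one tenant`);
  return { findings, redirectUris };
}
// Constructed sample input, not a real deployment.
const SAMPLE = `NEXT_PUBLIC_APP_URL=https://auth.example.com/
GITHUB_CLIENT_ID=Iv1.dash0001
GITHUB_CLIENT_SECRET=s3cr3t-dash
GITHUB_PROXY_CLIENT_ID=Iv1.dash0001
GITHUB_PROXY_CLIENT_SECRET=s3cr3t-dash
GOOGLE_PROXY_CLIENT_ID=your_google_client_id
GOOGLE_PROXY_CLIENT_SECRET=your_google_client_secret
DISCORD_CLIENT_ID=1234567890
AZURE_PROXY_CLIENT_ID=00000000-aaaa
AZURE_PROXY_CLIENT_SECRET=azsecret
AZURE_PROXY_TENANT_ID=common`;
console.log(auditEnv(parseEnv(SAMPLE)));
```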
Email (AWS SES)
To enable email + password authentication for end users, deploy the SES infrastructure with Pulumi and configure the credentials:
AWS_SES_REGION=us-east-1
AWS_SES_ACCESS_KEY_ID=your_access_key
AWS_SES_SECRET_ACCESS_KEY=your_secret_key
See the Email Infrastructure guide for full Pulumi deployment and DNS setup instructions.
Running the app
Push the database schema and start the development server:
# Push database schema
pnpm --filter @auth-gate/web db:push
# Start development
pnpm dev
For production, build and start:
pnpm --filter @auth-gate/web build
pnpm --filter @auth-gate/web start
The dashboard will be available at your configured NEXT_PUBLIC_APP_URL.