kavachOS
Authentication

Google

Sign in with Google using OAuth 2.0 and OpenID Connect.

Get credentials

Create a project

Go to Google Cloud Console and create a new project (or select an existing one).

Enable the People API

Navigate to APIs and Services > Library, search for "Google People API", and enable it. This lets KavachOS fetch the user's name and profile picture.

Create OAuth credentials

Go to APIs and Services > Credentials > Create Credentials > OAuth client ID.

  • Application type: Web application
  • Authorized redirect URIs: https://auth.example.com/auth/oauth/google/callback

Copy the Client ID and Client Secret.

Under OAuth consent screen, set the app name, support email, and authorized domain. For production, submit for verification if you need access to sensitive scopes.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/plugins/oauth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'google', 
          clientId: process.env.GOOGLE_CLIENT_ID!, 
          clientSecret: process.env.GOOGLE_CLIENT_SECRET!, 
        },
      ],
    }),
  ],
});

Add to your environment:

GOOGLE_CLIENT_ID=...apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...

Scopes

Default scopes: openid email profile

These give you name, email, and profile picture. To request additional permissions:

{
  id: 'google',
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  scopes: ['openid', 'email', 'profile', 'https://www.googleapis.com/auth/calendar.readonly'],
}

Extra scopes beyond openid email profile require your app to complete Google's verification process before they work for users outside your organization.

User data returned

FieldSourceNotes
idsub claimStable Google user ID
emailemail claimVerified by Google
namename claimFull display name
imagepicture claimProfile photo URL

Initiating sign-in

Redirect users to:

GET /auth/oauth/google/authorize

Or add a query parameter to control the post-sign-in destination:

GET /auth/oauth/google/authorize?redirectTo=/dashboard

OAuth providers

How OAuth 2.0 sign-in works in KavachOS and how to add any provider.

GitHub

Sign in with GitHub using OAuth 2.0.

On this page

Get credentials
Create a project
Enable the People API
Create OAuth credentials
Configure the consent screen
Configuration
Scopes
User data returned
Initiating sign-in