Authentication
Google One-tap
Passwordless sign-in with Google One-tap.
Google One-tap lets users sign in with a single tap using their Google account. The frontend shows Google's prompt, the backend verifies the ID token via Google's JWKS. No Google SDK needed server-side.
Setup
Get a client ID
Go to the Google Cloud Console, create an OAuth 2.0 credential, copy the Client ID.
Configure the plugin
```typescript
import { createKavach } from 'kavachos';
import { oneTap } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  plugins: [
    oneTap({ clientId: process.env.GOOGLE_CLIENT_ID }),
  ],
});
```
Add Google's script to your frontend
```html
<script src="https://accounts.google.com/gsi/client" async></script>
<div id="g_id_onload"
     data-client_id="YOUR_CLIENT_ID"
     data-login_uri="/api/kavach/auth/one-tap/callback"
     data-auto_prompt="true">
</div>
```
How it works
- Google's JS shows a sign-in prompt on your page
- User taps their Google account
- Google sends a credential (JWT ID token) to your callback
- KavachOS verifies the JWT against Google's JWKS (https://www.googleapis.com/oauth2/v3/certs)
- Validates audience, issuer, expiry, and CSRF token
- Creates or links the user, returns a session
CSRF protection
Google sends a g_csrf_token cookie with the request. KavachOS validates that the cookie value matches the g_csrf_token field in the POST body.
Config
| Option | Type | Default | Description |
|---|---|---|---|
| clientId | string | required | Google OAuth client ID |
| autoCreateUser | boolean | true | Create user if not found |
| csrfCookieName | string | "g_csrf_token" | CSRF cookie name |
Endpoint
| Method | Path | Description |
|---|---|---|
| POST | /auth/one-tap/callback | Verify ID token, create session |
Google One-tap requires HTTPS in production. It works on localhost for development.