API Reference
OAuth / Social Login
OAuth endpoints for Google, GitHub, Microsoft, and Apple sign-in.
Supported Providers
| Provider | Identifier |
|---|---|
| Google | google |
| GitHub | github |
| Microsoft | microsoft |
| Apple | apple |
Authorize
```
GET /v1/auth/oauth/{provider}/authorize?redirect_url=https://app.example.com/callback
```

Redirects to the provider's authorization page. Uses PKCE (Proof Key for Code Exchange) internally for security.
Response: 302 redirect to provider.
Callback
```
GET /v1/auth/oauth/callback?code=xxx&state=yyy
```

Handles the OAuth callback. Verifies the state parameter, exchanges the authorization code for tokens, finds or creates the user, and creates a session.
Response: 302 redirect to the application with session cookies set.
SDK Usage
```javascript
import { Zautha } from '@zautha/sdk';

const zautha = new Zautha({ projectKey: 'pk_live_xxx' });

// Redirects the browser to Google's OAuth page
zautha.signInWithOAuth('google', {
  redirectUrl: 'https://app.example.com/callback',
});
```

Flow
1. Client calls signInWithOAuth('google', { redirectUrl })
2. SDK redirects to GET /v1/auth/oauth/google/authorize
3. Server generates state + PKCE, stores in ar_oauth_states
4. Server redirects to Google's consent screen
5. User authenticates at Google
6. Google redirects back to /v1/auth/oauth/callback
7. Server verifies state, exchanges code with PKCE
8. Server creates/links user, creates session
9. Server redirects to the application with session cookies