nself oauth

Configure OAuth providers for the nSelf auth service. Enable social login with any of 13 built-in providers — no code changes required.

Quick start

# See all available providers
nself oauth providers

# Enable Google login
nself oauth enable google

# Verify the connection
nself oauth test google

Synopsis

nself oauth <SUBCOMMAND> [FLAGS]

Description

nself oauth manages the OAuth 2.0 / OIDC provider configuration inside your running auth service. Each provider requires a client ID and secret from the provider's developer console. The CLI writes these into the auth service environment and hot-reloads the configuration — no container restart needed.

All 13 providers are shipped in the core auth service. Enabling a provider costs nothing beyond your own credentials from that provider.

Supported providers

Provider	Protocol	Notes
`google`	OIDC	Includes workspace.google.com scopes
`github`	OAuth 2.0	Personal + org account support
`gitlab`	OIDC	Self-hosted GitLab URLs supported
`discord`	OAuth 2.0	Guild membership scope available
`twitter`	OAuth 2.0 (v2)	X / Twitter API v2
`facebook`	OAuth 2.0	Requires business verification for production
`apple`	Sign in with Apple	Requires Apple Developer account
`linkedin`	OAuth 2.0	OpenID Connect via LinkedIn v2
`twitch`	OAuth 2.0	Broadcaster and viewer scopes
`spotify`	OAuth 2.0	PKCE flow enforced
`slack`	OAuth 2.0	Workspace-scoped tokens
`microsoft`	OIDC	Azure AD / Entra ID; tenant configurable
`keycloak`	OIDC	Bring-your-own Keycloak server URL

Subcommands

nself oauth providers

List all available providers and their enabled/disabled status.

nself oauth providers
# PROVIDER     STATUS    REDIRECT URI
# google       enabled   https://auth.yourdomain.com/v1/callback
# github       disabled  —
# apple        disabled  —
# ...

nself oauth providers show <name>

Show the full configuration for a single provider, including which env vars are set and what redirect URI to register in the provider console.

nself oauth providers show google
# Provider:      google
# Status:        enabled
# Client ID:     set (*********************abc123)
# Client Secret: set
# Redirect URI:  https://auth.yourdomain.com/v1/callback
# Scopes:        openid profile email
# Extra env:     GOOGLE_AUTH_WORKSPACE_DOMAIN (not set)

nself oauth enable <provider>

Enable a provider interactively. The CLI prompts for the client ID and secret, validates them, writes the values into the auth service env, and reloads the service.

nself oauth enable github
# ? Client ID: Iv1.abc1234567890abc
# ? Client Secret: ••••••••••••••••••••••••••••••••
# ✓ Credentials saved
# ✓ Auth service reloaded
# ✓ GitHub OAuth is now active

Pass credentials non-interactively in CI:

nself oauth enable github \
  --client-id "$GH_CLIENT_ID" \
  --client-secret "$GH_CLIENT_SECRET"

nself oauth disable <provider>

Disable a provider. The credentials are retained in the auth service env but the provider is removed from the login page.

nself oauth disable twitter
# ✓ Twitter OAuth disabled (credentials retained)

To remove credentials entirely:

nself oauth disable twitter --purge

nself oauth test <provider>

Run a connectivity test against the provider's discovery endpoint or token endpoint. This validates that your credentials are accepted without performing a full browser login flow.

nself oauth test google
# Checking discovery endpoint... ✓
# Validating client credentials... ✓
# google OAuth is operational

Flags

Flag	Type	Default	Description
`--client-id`	string	—	Provider client ID (skips interactive prompt)
`--client-secret`	string	—	Provider client secret (skips interactive prompt)
`--purge`	bool	false	Remove credentials when disabling a provider
`--json`	bool	false	Output as JSON (`providers` and `show`)

Environment variables

Each provider reads a pair of env vars from the auth service environment. The CLI sets these via nself env set internally — you do not need to set them manually.

Provider	Client ID var	Client Secret var
`google`	`GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID`	`GOTRUE_EXTERNAL_GOOGLE_SECRET`
`github`	`GOTRUE_EXTERNAL_GITHUB_CLIENT_ID`	`GOTRUE_EXTERNAL_GITHUB_SECRET`
`apple`	`GOTRUE_EXTERNAL_APPLE_CLIENT_ID`	`GOTRUE_EXTERNAL_APPLE_SECRET`
(all others)	`GOTRUE_EXTERNAL_<PROVIDER>_CLIENT_ID`	`GOTRUE_EXTERNAL_<PROVIDER>_SECRET`

Examples

Enable Google and GitHub in one pass

nself oauth enable google --client-id "$GID" --client-secret "$GSECRET"
nself oauth enable github --client-id "$GH_ID" --client-secret "$GH_SECRET"

Configure a self-hosted GitLab instance

nself oauth enable gitlab \
  --client-id "$GL_ID" \
  --client-secret "$GL_SECRET"

# After enabling, set the custom server URL:
nself env set GOTRUE_EXTERNAL_GITLAB_URL https://gitlab.mycompany.com
nself restart auth

Rotate a client secret

# Re-enable with the new secret — existing sessions are preserved
nself oauth enable google --client-id "$GID" --client-secret "$NEW_SECRET"

nself env — view and set auth service environment variables directly
nself restart — restart individual services after manual env changes
nself auth — manage user accounts and JWT configuration

nself oauth

Configure OAuth providers for the nSelf auth service. Enable social login with any of 13 built-in providers — no code changes required.

Quick start

# See all available providers
nself oauth providers

# Enable Google login
nself oauth enable google

# Verify the connection
nself oauth test google

Synopsis

nself oauth <SUBCOMMAND> [FLAGS]

Description

All 13 providers are shipped in the core auth service. Enabling a provider costs nothing beyond your own credentials from that provider.

Supported providers

Provider	Protocol	Notes
`google`	OIDC	Includes workspace.google.com scopes
`github`	OAuth 2.0	Personal + org account support
`gitlab`	OIDC	Self-hosted GitLab URLs supported
`discord`	OAuth 2.0	Guild membership scope available
`twitter`	OAuth 2.0 (v2)	X / Twitter API v2
`facebook`	OAuth 2.0	Requires business verification for production
`apple`	Sign in with Apple	Requires Apple Developer account
`linkedin`	OAuth 2.0	OpenID Connect via LinkedIn v2
`twitch`	OAuth 2.0	Broadcaster and viewer scopes
`spotify`	OAuth 2.0	PKCE flow enforced
`slack`	OAuth 2.0	Workspace-scoped tokens
`microsoft`	OIDC	Azure AD / Entra ID; tenant configurable
`keycloak`	OIDC	Bring-your-own Keycloak server URL

Subcommands

nself oauth providers

List all available providers and their enabled/disabled status.

nself oauth providers
# PROVIDER     STATUS    REDIRECT URI
# google       enabled   https://auth.yourdomain.com/v1/callback
# github       disabled  —
# apple        disabled  —
# ...

nself oauth providers show <name>

Show the full configuration for a single provider, including which env vars are set and what redirect URI to register in the provider console.

nself oauth providers show google
# Provider:      google
# Status:        enabled
# Client ID:     set (*********************abc123)
# Client Secret: set
# Redirect URI:  https://auth.yourdomain.com/v1/callback
# Scopes:        openid profile email
# Extra env:     GOOGLE_AUTH_WORKSPACE_DOMAIN (not set)

nself oauth enable <provider>

Enable a provider interactively. The CLI prompts for the client ID and secret, validates them, writes the values into the auth service env, and reloads the service.

nself oauth enable github
# ? Client ID: Iv1.abc1234567890abc
# ? Client Secret: ••••••••••••••••••••••••••••••••
# ✓ Credentials saved
# ✓ Auth service reloaded
# ✓ GitHub OAuth is now active

Pass credentials non-interactively in CI:

nself oauth enable github \
  --client-id "$GH_CLIENT_ID" \
  --client-secret "$GH_CLIENT_SECRET"

nself oauth disable <provider>

Disable a provider. The credentials are retained in the auth service env but the provider is removed from the login page.

nself oauth disable twitter
# ✓ Twitter OAuth disabled (credentials retained)

To remove credentials entirely:

nself oauth disable twitter --purge

nself oauth test <provider>

Run a connectivity test against the provider's discovery endpoint or token endpoint. This validates that your credentials are accepted without performing a full browser login flow.

nself oauth test google
# Checking discovery endpoint... ✓
# Validating client credentials... ✓
# google OAuth is operational

Flags

Flag	Type	Default	Description
`--client-id`	string	—	Provider client ID (skips interactive prompt)
`--client-secret`	string	—	Provider client secret (skips interactive prompt)
`--purge`	bool	false	Remove credentials when disabling a provider
`--json`	bool	false	Output as JSON (`providers` and `show`)

Environment variables

Each provider reads a pair of env vars from the auth service environment. The CLI sets these via nself env set internally — you do not need to set them manually.

Provider	Client ID var	Client Secret var
`google`	`GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID`	`GOTRUE_EXTERNAL_GOOGLE_SECRET`
`github`	`GOTRUE_EXTERNAL_GITHUB_CLIENT_ID`	`GOTRUE_EXTERNAL_GITHUB_SECRET`
`apple`	`GOTRUE_EXTERNAL_APPLE_CLIENT_ID`	`GOTRUE_EXTERNAL_APPLE_SECRET`
(all others)	`GOTRUE_EXTERNAL_<PROVIDER>_CLIENT_ID`	`GOTRUE_EXTERNAL_<PROVIDER>_SECRET`

Examples

Enable Google and GitHub in one pass

nself oauth enable google --client-id "$GID" --client-secret "$GSECRET"
nself oauth enable github --client-id "$GH_ID" --client-secret "$GH_SECRET"

Configure a self-hosted GitLab instance

nself oauth enable gitlab \
  --client-id "$GL_ID" \
  --client-secret "$GL_SECRET"

# After enabling, set the custom server URL:
nself env set GOTRUE_EXTERNAL_GITLAB_URL https://gitlab.mycompany.com
nself restart auth

Rotate a client secret

# Re-enable with the new secret — existing sessions are preserved
nself oauth enable google --client-id "$GID" --client-secret "$NEW_SECRET"

nself env — view and set auth service environment variables directly
nself restart — restart individual services after manual env changes
nself auth — manage user accounts and JWT configuration

nself oauth

Quick start

Synopsis

Description

Supported providers

Subcommands

nself oauth providers

nself oauth providers show <name>

nself oauth enable <provider>

nself oauth disable <provider>

nself oauth test <provider>

Flags

Environment variables

Examples

Enable Google and GitHub in one pass

Configure a self-hosted GitLab instance

Rotate a client secret

Related

nself oauth

Quick start

Synopsis

Description

Supported providers

Subcommands

nself oauth providers

nself oauth providers show <name>

nself oauth enable <provider>

nself oauth disable <provider>

nself oauth test <provider>

Flags

Environment variables

Examples

Enable Google and GitHub in one pass

Configure a self-hosted GitLab instance

Rotate a client secret

Related