OAuth Authentication
Social login with 29 OAuth providers — Google, GitHub, Microsoft, Discord, and more.
FastCMS supports OAuth authentication with 29 providers, allowing users to sign in with their existing accounts.
Supported Providers
| Provider | Type |
|---|---|
| Google | google |
| GitHub | github |
| Microsoft | microsoft |
| Apple | apple |
| Discord | discord |
| Facebook | facebook |
| GitLab | gitlab |
| Twitter/X | twitter |
| Spotify | spotify |
| Twitch | twitch |
| Notion | notion |
| Linear | linear |
| OpenID Connect | oidc |
| + 16 more | — |
Configuration
Method 1: Admin UI (Recommended)
- Navigate to Admin > Settings > OAuth Providers
- Click "Add Provider"
- Select the provider type
- Enter Client ID and Client Secret
- Toggle "Enabled" and save
Method 2: Environment Variables
```bash
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```
Method 3: API
```http
POST /api/v1/oauth/providers
Authorization: Bearer ADMIN_TOKEN

{
  "provider_type": "google",
  "name": "Google",
  "client_id": "your-client-id.apps.googleusercontent.com",
  "client_secret": "your-client-secret",
  "enabled": true
}
```
Setting Up Providers
Google OAuth
- Go to Google Cloud Console
- Create a project → APIs & Services → Credentials
- Create OAuth 2.0 Client ID (Web application)
- Add redirect URI: `http://localhost:8000/api/v1/oauth/google/callback`
- Add credentials via Admin UI
GitHub OAuth
- Go to GitHub Developer Settings
- Click New OAuth App
- Set callback URL: `http://localhost:8000/api/v1/oauth/github/callback`
- Add credentials via Admin UI
OpenID Connect (Generic)
```json
{
  "provider_type": "oidc",
  "name": "My OIDC Provider",
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "extra_config": {
    "discovery_url": "https://your-provider.com/.well-known/openid-configuration"
  }
}
```
OAuth Flow
1. Initiate OAuth Login
Redirect users to:
```http
GET /api/v1/oauth/{provider}/login
```
2. Callback
After authorization, FastCMS automatically:
- Exchanges the code for an access token
- Fetches the user's profile
- Creates or updates the user account
- Returns JWT tokens
Response:
```json
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc...",
  "token_type": "bearer",
  "user": {
    "id": "user-uuid",
    "email": "user@gmail.com",
    "name": "John Doe",
    "verified": true,
    "oauth_provider": "google"
  }
}
```
Frontend Integration
```html
<a href="http://localhost:8000/api/v1/oauth/google/login">
  Sign in with Google
</a>
<a href="http://localhost:8000/api/v1/oauth/github/login">
  Sign in with GitHub
</a>
```
Dynamic provider buttons:
```javascript
// Container element that receives the generated buttons (the element id is an assumption).
const loginContainer = document.getElementById('login-buttons');

// Fetch only the providers an admin has enabled, then render one link per provider.
const providers = await fetch('/api/v1/oauth/providers/enabled').then(r => r.json());
providers.forEach(provider => {
  const button = document.createElement('a');
  button.href = `/api/v1/oauth/${provider.type}/login`;
  button.textContent = `Sign in with ${provider.name}`;
  loginContainer.appendChild(button);
});
```
OAuth with Auth Collections
Pass the `collection` query parameter to sign users in against a specific auth collection:
```http
GET /api/v1/oauth/{provider}/login?collection=customers
```
OAuth Behavior Settings
| Setting | Default | Description |
|---|---|---|
| oauth_enabled | true | Enable OAuth authentication |
| oauth_auto_create_user | true | Auto-create user on first OAuth login |
| oauth_link_by_email | true | Link OAuth to existing user by email |
Security Notes
- HTTPS in Production — always use HTTPS URLs for the OAuth callback (redirect URI) in production
- State Parameter — FastCMS includes CSRF protection via the OAuth `state` parameter
- Redirect URI Validation — the redirect URI registered with the provider must match the FastCMS callback URL exactly (scheme, host, port and path)
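The callback steps above and the `state` and redirect URI notes describe checks that happen server-side before any code-for-token exchange. The following is an added example, not FastCMS code: it shows a minimal version of those checks (single-use `state` bound to a provider and a TTL, and exact-match redirect URI comparison). The in-memory state store, the `example.com` redirect URIs, the authorize endpoint and the function names are all constructed for illustration; a real server would bind `state` to the user's session.

```python
"""Added example (not FastCMS code): state-parameter and redirect-URI checks
around an OAuth callback. Store, endpoints and redirect URIs are constructed."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

STATE_TTL_SECONDS = 600

# Hypothetical store of issued state values: state -> (provider, issued_at).
# A real server binds the state to the user's session rather than a module dict.
_pending_states: Dict[str, Tuple[str, float]] = {}

# Constructed sample of the redirect URIs registered with each provider.
REGISTERED_REDIRECTS = {
    "google": "https://cms.example.com/api/v1/oauth/google/callback",
    "github": "https://cms.example.com/api/v1/oauth/github/callback",
}


def build_authorize_url(provider: str, authorize_endpoint: str, client_id: str,
                        now: Optional[float] = None) -> Tuple[str, str]:
    """Issue a fresh random state, remember it, and build the provider's authorize URL."""
    state = secrets.token_urlsafe(32)
    _pending_states[state] = (provider, time.time() if now is None else now)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REGISTERED_REDIRECTS[provider],
        "scope": "openid email profile",
        "state": state,
    })
    return f"{authorize_endpoint}?{query}", state


def consume_state(state: str, provider: str, now: Optional[float] = None) -> bool:
    """Accept a state once only, for the provider it was issued for, within the TTL."""
    entry = _pending_states.pop(state, None)  # pop: a replayed state is rejected
    if entry is None:
        return False
    issued_for, issued_at = entry
    current = time.time() if now is None else now
    if current - issued_at > STATE_TTL_SECONDS:
        return False
    return hmac.compare_digest(issued_for.encode(), provider.encode())


def redirect_uri_matches(provider: str, candidate: str) -> bool:
    """Exact match: scheme, host, port, path and trailing slash must all be identical."""
    registered = REGISTERED_REDIRECTS.get(provider)
    if registered is None:
        return False
    return hmac.compare_digest(registered.encode(), candidate.encode())


def handle_callback(provider: str, params: Dict[str, str],
                    now: Optional[float] = None) -> Dict[str, object]:
    """Validate the callback before any code-for-token exchange is attempted.

    The exchange, profile fetch and user creation that follow are the server's
    job and are deliberately left out here."""
    if "error" in params:  # the user declined at the provider
        return {"ok": False, "reason": "access_denied"}
    if not consume_state(params.get("state", ""), provider, now):
        return {"ok": False, "reason": "invalid_state"}
    code = params.get("code")
    if not code:
        return {"ok": False, "reason": "missing_code"}
    return {"ok": True, "code": code}


if __name__ == "__main__":
    url, state = build_authorize_url("google", "https://accounts.example/authorize", "client-123")
    print(url)
    print(handle_callback("google", {"code": "abc", "state": state}))
    print(handle_callback("google", {"code": "abc", "state": state}))  # replay is rejected
```

Because the state is popped on first use, a replayed callback fails even within the TTL, and a state issued for one provider is rejected on another provider's callback. The redirect URI comparison is a byte-for-byte match, which is why a trailing slash or an `http://` scheme in the provider console produces the "Redirect URI mismatch" error listed under Troubleshooting.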
Troubleshooting
| Error | Solution |
|---|---|
| Redirect URI mismatch | Ensure the redirect URI exactly matches what's in provider settings |
| Access denied | User denied permission — check scopes requested |
| Invalid client | Verify Client ID and Client Secret |
| Provider not found | Check /api/v1/oauth/providers/enabled for active providers |