OAuth Authentication
Social login with 29 OAuth providers — Google, GitHub, Microsoft, Discord, and more.
FastCMS supports OAuth authentication with 29 providers, allowing users to sign in with their existing accounts.
Supported Providers
All 29 providers are organized into three categories. Most require only a client_id and client_secret; the few exceptions are noted in the Extra fields column.
Social & Tech Platforms (14)
| Provider | Type | Extra fields |
|---|---|---|
| Apple | apple | team_id, key_id (optional private_key) |
| Discord | discord | — |
| Facebook | facebook | — |
| GitHub | github | — |
| GitLab | gitlab | — |
| Google | google | — |
| Instagram | instagram | — |
| Kakao | kakao | — |
| Spotify | spotify | — |
| Strava | strava | — |
| Twitch | twitch | — |
| Twitter / X | twitter | — |
| Yandex | yandex | — |
| VK | vk | — |
Development & Productivity (11)
| Provider | Type | Extra fields |
|---|---|---|
| Bitbucket | bitbucket | — |
| Box | box | — |
| Gitea | gitea | custom_url (your self-hosted Gitea URL) |
| Gitee | gitee | — |
| Linear | linear | — |
| LiveChat | livechat | — |
| Monday.com | monday | — |
| Notion | notion | — |
| Patreon | patreon | — |
| Planning Center | planningcenter | — |
| WakaTime | wakatime | — |
Enterprise & Self-Hosted (4)
| Provider | Type | Extra fields |
|---|---|---|
| Mailcow | mailcow | custom_url (your Mailcow instance URL) |
| OpenID Connect (generic) | oidc | discovery_url (your provider's .well-known/openid-configuration) |
| Lark / Feishu | lark | — |
| Microsoft | microsoft | — |
Tip: the canonical list lives in app/db/models/oauth_provider.py (PROVIDER_METADATA), which includes auth URLs, token URLs, and default scopes for each provider. New providers only need to be added to that file plus a handler in app/services/oauth_service.py.
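A pre-flight check for the Extra fields column, written against the payload shape of the API method under Configuration. This is an added example, not FastCMS code: validate_provider is a hypothetical helper, it assumes every extra field is sent inside extra_config (the page shows this only for oidc), and the https requirement on custom_url and discovery_url is this example's own policy.

```python
from urllib.parse import urlsplit

# Required extra fields per provider type, copied from the tables above.
REQUIRED_EXTRA = {
    "apple": ("team_id", "key_id"),  # private_key is optional
    "gitea": ("custom_url",),
    "mailcow": ("custom_url",),
    "oidc": ("discovery_url",),
}
OIDC_SUFFIX = "/.well-known/openid-configuration"


def validate_provider(payload):
    """Return a list of problems; an empty list means nothing was found."""
    problems = []
    for field in ("provider_type", "name", "client_id", "client_secret"):
        if not str(payload.get(field) or "").strip():
            problems.append(f"missing {field}")
    ptype = payload.get("provider_type")
    extra = payload.get("extra_config") or {}  # assumed home of all extra fields
    for field in REQUIRED_EXTRA.get(ptype, ()):
        if not str(extra.get(field) or "").strip():
            problems.append(f"{ptype} requires extra_config.{field}")
    for field in ("custom_url", "discovery_url"):
        value = extra.get(field)
        if not value:
            continue
        parts = urlsplit(value)
        # Policy of this example: endpoints derived from these URLs carry the
        # authorization code and client_secret, so plain http is rejected.
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"extra_config.{field} must be an absolute https URL")
        elif field == "discovery_url" and not parts.path.endswith(OIDC_SUFFIX):
            problems.append(f"discovery_url should end with {OIDC_SUFFIX}")
    return problems


# Constructed sample payloads; the credentials are placeholders.
BASE = {"name": "Example", "client_id": "your-client-id", "client_secret": "your-client-secret"}
OIDC_OK = {**BASE, "provider_type": "oidc", "extra_config": {
    "discovery_url": "https://your-provider.com/.well-known/openid-configuration"}}
GITEA_HTTP = {**BASE, "provider_type": "gitea",
              "extra_config": {"custom_url": "http://gitea.example.internal"}}
APPLE_PARTIAL = {**BASE, "provider_type": "apple", "extra_config": {"team_id": "TEAMID0000"}}

if __name__ == "__main__":
    for sample in (OIDC_OK, GITEA_HTTP, APPLE_PARTIAL):
        print(sample["provider_type"], validate_provider(sample))
```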
Configuration
Method 1: Admin UI (Recommended)
- Navigate to Admin > Settings > OAuth Providers
- Click "Add Provider"
- Select the provider type
- Enter Client ID and Client Secret
- Toggle "Enabled" and save
Method 2: Environment Variables
```
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```
Method 3: API
```http
POST /api/v1/oauth/providers
Authorization: Bearer ADMIN_TOKEN

{
  "provider_type": "google",
  "name": "Google",
  "client_id": "your-client-id.apps.googleusercontent.com",
  "client_secret": "your-client-secret",
  "enabled": true
}
```
Setting Up Providers
Google OAuth
- Go to Google Cloud Console
- Create a project → APIs & Services → Credentials
- Create OAuth 2.0 Client ID (Web application)
- Add redirect URI: http://localhost:8000/api/v1/oauth/google/callback
- Add credentials via Admin UI
GitHub OAuth
- Go to GitHub Developer Settings
- Click New OAuth App
- Set callback URL: http://localhost:8000/api/v1/oauth/github/callback
- Add credentials via Admin UI
OpenID Connect (Generic)
```json
{
  "provider_type": "oidc",
  "name": "My OIDC Provider",
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "extra_config": {
    "discovery_url": "https://your-provider.com/.well-known/openid-configuration"
  }
}
```
OAuth Flow
1. Initiate OAuth Login
Redirect users to:
```http
GET /api/v1/oauth/{provider}/login
```
2. Callback
After authorization, FastCMS automatically:
- Exchanges the code for an access token
- Fetches the user's profile
- Creates or updates the user account
- Returns JWT tokens
Response:
```json
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc...",
  "token_type": "bearer",
  "user": {
    "id": "user-uuid",
    "email": "user@gmail.com",
    "name": "John Doe",
    "verified": true,
    "oauth_provider": "google"
  }
}
```
Frontend Integration
```html
<a href="http://localhost:8000/api/v1/oauth/google/login">
  Sign in with Google
</a>
<a href="http://localhost:8000/api/v1/oauth/github/login">
  Sign in with GitHub
</a>
```
Dynamic provider buttons:
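```javascript
// Fetch the providers an admin has enabled and render one login link for each.
// Assumes loginContainer is an existing DOM element and that this runs where
// top-level await is allowed (an ES module or an async function).
const providers = await fetch('/api/v1/oauth/providers/enabled').then(r => r.json());
providers.forEach(provider => {
  const button = document.createElement('a');
  // Encode the type so it can only ever fill one path segment.
  button.href = `/api/v1/oauth/${encodeURIComponent(provider.type)}/login`;
  // textContent keeps the provider name from being parsed as HTML.
  button.textContent = `Sign in with ${provider.name}`;
  loginContainer.appendChild(button);
});
```
OAuth with Auth Collections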
```http
GET /api/v1/oauth/{provider}/login?collection=customers
```
OAuth Behavior Settings
| Setting | Default | Description |
|---|---|---|
| oauth_enabled | true | Enable OAuth authentication |
| oauth_auto_create_user | true | Auto-create user on first OAuth login |
| oauth_link_by_email | true | Link OAuth to existing user by email |
Security Notes
- HTTPS in Production — always use HTTPS URLs for OAuth redirects
- State Parameter — FastCMS includes CSRF protection via state parameter
- Redirect URI Validation — ensure redirect URIs match exactly in provider settings
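A check for the HTTPS and exact-match notes above, useful before a deployment goes live. This is an added example, not FastCMS code: check_redirect_uri and expected_callback are hypothetical helpers, cms.example.com is a constructed host, and the callback is assumed to be the deployment's public base URL followed by the /api/v1/oauth/{provider}/callback path shown on this page.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/v1/oauth/{provider}/callback"  # pattern shown on this page


def expected_callback(base_url, provider):
    """Callback URL for a deployment reachable at base_url (assumed construction)."""
    return base_url.rstrip("/") + CALLBACK_PATH.format(provider=provider)


def check_redirect_uri(registered, base_url, provider, production=True):
    """Return findings for the URI registered in the provider's console."""
    expected = expected_callback(base_url, provider)
    findings = []
    if registered != expected:
        # Providers compare the whole string, so report which part differs.
        reg, exp = urlsplit(registered), urlsplit(expected)
        if reg.scheme != exp.scheme:
            findings.append(f"scheme differs: {reg.scheme} vs {exp.scheme}")
        if reg.netloc != exp.netloc:
            findings.append(f"host or port differs: {reg.netloc} vs {exp.netloc}")
        if reg.path.rstrip("/") == exp.path and reg.path != exp.path:
            findings.append("trailing slash on registered path")
        elif reg.path != exp.path:
            findings.append(f"path differs: {reg.path} vs {exp.path}")
        if reg.query or reg.fragment:
            findings.append("registered URI carries a query string or fragment")
        if not findings:
            findings.append("strings differ although the parsed parts match")
    if production and urlsplit(expected).scheme != "https":
        findings.append("production callback is not HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a trailing slash, then the localhost URI from the setup steps.
    print(check_redirect_uri("https://cms.example.com/api/v1/oauth/google/callback/",
                             "https://cms.example.com", "google"))
    print(check_redirect_uri("http://localhost:8000/api/v1/oauth/github/callback",
                             "http://localhost:8000", "github"))
```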
Troubleshooting
| Error | Solution |
|---|---|
| Redirect URI mismatch | Ensure the redirect URI exactly matches what's in provider settings |
| Access denied | User denied permission — check scopes requested |
| Invalid client | Verify Client ID and Client Secret |
| Provider not found | Check /api/v1/oauth/providers/enabled for active providers |