Custom OAuth credentials are only available in the Production environment, so your app must be published first. Open each provider’s edit panel from the Users & Auth tool: Configure tab, SSO providers section, select the Production environment, then select Edit next to the provider. For the overall flow, see Configuring OAuth credentials for an SSO provider.
Step 1: Create a Google OAuth app
Navigate to the Google Cloud Console:Create or select a project
- Select an existing project or create a new one from the project dropdown
- You’ll be redirected to your project’s Dashboard
Configure OAuth consent screen
- In the left sidebar, select the menu icon (≡) and select APIs & Services
- Select OAuth consent screen
- Configure your app’s consent screen with required information
- Save your changes
Create OAuth credentials
- From APIs & Services, select Credentials
- Select Create Credentials at the top, then select OAuth client ID
- Choose Web application as the application type
- Set Authorized JavaScript origins and Authorized redirect URIs to the exact values shown under Provider setup in the Auth pane. Add every value listed — your published domain and any custom domain are both included. See Configuring OAuth credentials for an SSO provider for how to find them.
- Select Create
- Save your Client ID and Client Secret
Troubleshooting
Redirect URI mismatch
- Verify the redirect URI in Google Cloud Console exactly matches the value shown under Provider setup in the Auth pane
- Ensure there are no trailing slashes or typos
- Wait a few minutes for Google’s configuration to propagate
Invalid client
- Double-check Client ID and Client Secret are copied correctly
- Ensure there are no extra spaces
- Verify OAuth consent screen is configured
Not working on custom domain
- Add the custom-domain entries shown under Provider setup in the Auth pane to both Authorized JavaScript origins and Authorized redirect URIs
GitHub
This guide walks you through creating a GitHub OAuth app in GitHub Developer Settings. You’ll collect a Client ID and Client Secret to plug into the Auth pane. You need: A GitHub account.Step 1: Create a GitHub OAuth app
- Navigate to GitHub Developer Settings
- Select OAuth Apps in sidebar
- Select New OAuth App
- Fill in the application details:
- Select Register application
Step 2: Generate client credentials
- You’ll see your Client ID on the app’s settings page - copy it
- Select Generate a new client secret
- Copy your Client Secret immediately
Troubleshooting
Redirect URI mismatch
- Verify the Authorization callback URL exactly matches the value shown under Provider setup in the Auth pane
- Check for typos or incorrect protocols
- No trailing slashes
Invalid client
- Double-check Client ID and Client Secret are copied correctly
- Ensure no extra spaces when pasting
Not working on custom domain
- Update the Homepage URL and Authorization callback URL to the custom-domain values shown under Provider setup in the Auth pane
Apple
This guide walks you through creating the Apple App ID, Services ID, and Private Key required for Sign in with Apple. You’ll collect a Team ID, Services ID, Key ID, and Private Key to plug into the Auth pane. You need: An Apple Developer account (requires enrollment in the Apple Developer Program).Step 1: Create an Apple App ID
- Navigate to the Apple Developer portal
- Go to Certificates, IDs & Profiles then Identifiers
- Select App IDs from the dropdown
- Select the + icon to register a new identifier
- Select App IDs, then Continue
- Choose App, then Continue
- Fill in:
- Description: Name for your App ID
- Bundle ID: Your unique identifier
- Enable Sign In with Apple under Capabilities
- Select Continue, then Register
- Save your App ID Prefix (shown at top) - this is your Team ID
Step 2: Create an Apple Services ID
- On the Identifiers page, select Services IDs from the dropdown
- Select + to register a new identifier
- Select Services IDs, then Continue
- Fill in:
- Description: Name for your Services ID
- Identifier: Your unique identifier (save this - it’s your Services ID)
- Select Continue, then Register
Configure the Services ID
- Select your newly created Services ID
- Enable Sign In with Apple
- Select Configure
-
Set:
- Primary App ID: Select your App ID from Step 1
- Domains and Subdomains: Copy the value shown under Provider setup in the Auth pane (without the
https://protocol prefix) - Return URLs: Copy the value shown under Provider setup in the Auth pane
- Select Next, then Done, then Continue, then Save
Step 3: Create an Apple Private Key
- In the Apple Developer portal sidebar, select Keys
- Select + to register a new key
- Enter a Key Name
- Enable Sign In with Apple
- Select Configure, then select your App ID from Step 1
- Select Save, then Continue, then Register
- Save the Key ID
- Download the private key file (.p8)
Step 4: Configure Apple Private Email Relay
Apple’s Hide My Email feature lets users sign in without revealing their real email. To send emails to these users, register your email source.- In the Apple Developer portal sidebar, select Services
- Under Sign in with Apple for Email Communication, select Configure
- Select + to add an Email Source
- Enter the Email Source value shown under Provider setup in the Auth pane
- Select Next, then Register, then Done
- Wait for DNS verification (green check icon)
In some regions (China, India), Apple IDs may be tied to phone numbers instead of email. If your app requires email for all users, Sign in with Apple may fail for users in these regions.
Troubleshooting
Invalid client
- Verify all credentials are entered correctly
- Ensure the Private Key includes the BEGIN and END lines
- Check that your Services ID is properly configured
Invalid redirect URI
- Verify the Return URL in the Apple Services ID configuration exactly matches the value shown under Provider setup in the Auth pane
- Check the domain in Domains and Subdomains matches your published domain (without
https://)
Email relay not working
- Verify the Email Source shows a green check in the Apple Developer portal
- Wait for DNS propagation if recently added
Not working on custom domain
- Add the custom-domain entries shown under Provider setup in the Auth pane to Domains and Subdomains (without
https://) and to Return URLs
Additional resources
X (Twitter)
This guide walks you through creating an X OAuth app in the X Developer Portal. You’ll collect a Client ID and Client Secret to plug into the Auth pane. You need: An X Developer account (free tier available).Step 1: Set up X Developer app
Create a developer account (if needed)
- Navigate to X Developer Portal
- Apply for a developer account if you don’t have one
- Complete the application describing your use case
Create or select an app
- In the X Developer Portal, go to Projects & Apps
- Use an existing app or select Add App
- Enter an app name and select Next
- Select App settings
Step 2: Configure authentication
- Scroll to User authentication settings
- Select Set up
- Read - Required for user profile (minimum)
- Write - For posting on behalf of users (optional)
- Direct Messages - For DM access (optional)
- Callback URI / Redirect URL: Copy the value shown under Provider setup in the Auth pane
- Website URL: Copy the value shown under Provider setup in the Auth pane
- Select Save
- Save your Client ID and Client Secret
Troubleshooting
Redirect URI mismatch
- Verify the Callback URI exactly matches the value shown under Provider setup in the Auth pane
- Check for typos or incorrect protocols
- No trailing slashes
Invalid client
- Double-check Client ID and Client Secret
- Ensure no extra spaces
- Verify you are using OAuth 2.0 credentials (not OAuth 1.0a)
Scope/permission errors
- Verify scopes match permissions enabled in X Developer Portal
- Ensure Read permission is enabled at minimum
App in development mode
- X apps start in development mode with limited users
- You may need to apply for elevated access for production use
Not working on custom domain
- Update the Website URL and Callback URI to the custom-domain values shown under Provider setup in the Auth pane