Skip to content
Nhost Documentation
Support Dashboard

Sign in with an OAuth2 provider

GET
/signin/provider/{provider}

Initiate OAuth2 authentication flow with a social provider. Redirects the user to the provider’s authorization page. If the user doesn’t exist and AUTH_DISABLE_AUTO_SIGNUP is not set, a new account will be created upon callback. When AUTH_DISABLE_AUTO_SIGNUP is enabled, users must use the /signup/provider/{provider} endpoint to register first.

Parameters

Section titled “ Parameters ”

Path Parameters

Section titled “Path Parameters ”
provider
required
string
Allowed values: apple github google linkedin discord spotify twitch gitlab bitbucket workos azuread entraid strava facebook windowslive twitter

The name of the social provider

Query Parameters

Section titled “Query Parameters ”
allowedRoles
Array<string>
Example
[
  "me",
  "user"
]

Array of allowed roles for the user

defaultRole
string
Example
user

Default role for the user

displayName
string
<= 32 characters /^[\p{L}\p{N}\p{S} ,.'-]+$/
Example
John Smith

Display name for the user

locale
string
>= 2 characters <= 3 characters
Example
en

A two or three characters locale

metadata
object
key
additional properties
any
Example
{
  "firstName": "John",
  "lastName": "Smith"
}

Additional metadata for the user (JSON encoded string)

redirectTo
string format: uri
Example
https://my-app.com/catch-redirection

URI to redirect to

connect
string

If set, this means that the user is already authenticated and wants to link their account. This needs to be a valid JWT access token.

state
string

Opaque state value to be returned by the provider

providerSpecificParams

Additional provider-specific parameters

object
connection

(workos) Specifies the connection to use for authentication

string
organization

(workos) Specifies the organization to use for authentication

string
codeChallenge
string
>= 43 characters <= 43 characters /^[A-Za-z0-9_-]{43}$/

PKCE code challenge (S256). When provided, the callback redirect will contain an authorization code instead of a refresh token.

Responses

Section titled “ Responses ”

302

Section titled “302 ”

Redirect to social provider

Headers

Section titled “Headers ”
Location
required
string format: uri

URL to redirect to

default

Section titled “default ”

An error occurred while processing the request

Standardized error response

object
status
required

HTTP status error code

integer
Example
400
message
required

Human-friendly error message

string
Example
Invalid email format
error
required

Error code identifying the specific application error

string
Allowed values: default-role-must-be-in-allowed-roles disabled-endpoint disabled-user user-already-exists email-already-verified forbidden-anonymous internal-server-error invalid-email-password invalid-request locale-not-allowed password-too-short password-in-hibp-database redirectTo-not-allowed role-not-allowed signup-disabled unverified-user user-not-anonymous invalid-pat invalid-refresh-token invalid-ticket disabled-mfa-totp no-totp-secret invalid-totp mfa-type-not-found totp-already-active invalid-state oauth-token-echange-failed oauth-profile-fetch-failed oauth-provider-error invalid-otp cannot-send-sms provider-account-already-linked