Skip to content
NuxtBase logo NuxtBase Docs

OAuth

NuxtBase supports Google and GitHub sign-in through Better Auth social providers.

Both providers are wired into the same register and login surfaces:

  • /register
  • /login

Provider Enable Rules

Section titled “Provider Enable Rules”

OAuth providers are enabled only when both values in a provider pair are present:

  • GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET
  • GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET

If you configure only one half of the pair, startup validation fails.

Where OAuth Appears in the Product

Section titled “Where OAuth Appears in the Product”

The shipped UI exposes OAuth buttons in two places:

Register

Section titled “Register”

On /register, the user can choose:

  • Sign up with Google
  • Sign up with GitHub

Login

Section titled “Login”

On /login, the user can choose:

  • Log in with Google
  • Log in with GitHub

This means OAuth is not a hidden enterprise add-on. It is part of the default buyer-facing auth surface.

Redirect Behavior After OAuth

Section titled “Redirect Behavior After OAuth”

The login page sends OAuth users back to the current safe redirect target if one exists. Otherwise, the current implementation falls back to /dashboard.

More specifically:

  • /login OAuth uses the safe redirect target, with /dashboard as the default fallback
  • /register OAuth uses /dashboard as the callback target directly

Unlike the email/password, passkey, and post-2FA flows, OAuth does not currently apply the getPostLoginPath() role-based /admin split after callback. So a platform admin using OAuth without an explicit redirect still lands on /dashboard.

Callback URLs

Section titled “Callback URLs”

Provider callback configuration belongs in setup/authentication-setup, but the practical URLs are:

/api/auth/callback/google
/api/auth/callback/github

Register those against your real app origin in the provider dashboards.

OAuth and Verification Expectations

Section titled “OAuth and Verification Expectations”

OAuth removes the need for password entry, but it does not remove all downstream auth concerns.

You still need to verify:

  • post-login redirect behavior
  • admin vs non-admin routing
  • settings and security screens
  • 2FA behavior for OAuth-only users

That last point matters because NuxtBase includes a separate OAuth-only path for enabling and disabling two-factor auth.

OAuth-Only Users and 2FA

Section titled “OAuth-Only Users and 2FA”

Credential users can use the standard Better Auth 2FA setup flow.

OAuth-only users take a different path:

  • enable 2FA through a dedicated internal route
  • receive a generated TOTP secret and backup codes
  • disable 2FA using a verification code instead of password confirmation

This is a real product distinction in the template, not just a documentation detail.

Section titled “Recommended Verification Checklist”
  1. enable one provider first, not both at once
  2. complete a fresh sign-in with that provider
  3. confirm the user lands in the expected area
  4. open dashboard settings and confirm the security section still works
  5. if the account has no password, test the OAuth-specific 2FA flow