BYOO OAuth Credentials

Bring Your Own OAuth credentials for custom OAuth providers

Updated Dec 29, 2025 Edit this page

BYOO OAuth Credentials

Configure custom OAuth credentials for GitHub, Google, and Microsoft authentication.

Overview

BYOO (Bring Your Own OAuth) allows organizations to use their own OAuth application credentials instead of the platform defaults.

Benefits:

  • Custom branding on OAuth consent screens
  • Control over OAuth scopes
  • App-specific analytics
  • Organization-specific callback URLs

Endpoints

Method Path Description
POST /api/organizations/:slug/oauth-credentials/:provider Set credentials
GET /api/organizations/:slug/oauth-credentials/:provider Get credentials

POST /api/organizations/:slug/oauth-credentials/:provider

Set OAuth credentials for a provider.

Synopsis

Property Value
Authentication Required (JWT)
Authorization Owner or Admin

Path Parameters

Parameter Type Description
slug string Organization slug
provider string github, google, or microsoft

Request Body

Field Type Required Description
client_id string Yes OAuth client ID
client_secret string Yes OAuth client secret

Example Request

curl -X POST https://sso.example.com/api/organizations/acme-corp/oauth-credentials/github \
  -H "Authorization: Bearer {jwt}" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "Iv1.abc123def456",
    "client_secret": "secret_xyz789"
  }'

Response (200 OK)

{
  "provider": "github",
  "client_id": "Iv1.abc123def456",
  "configured": true,
  "configured_at": "2025-01-15T10:30:00Z"
}

[!NOTE] Client secret is never returned in responses.

GET /api/organizations/:slug/oauth-credentials/:provider

Get OAuth configuration status for a provider.

Synopsis

Property Value
Authentication Required (JWT)
Authorization Organization Member

Example Request

curl -X GET https://sso.example.com/api/organizations/acme-corp/oauth-credentials/github \
  -H "Authorization: Bearer {jwt}"

Response - Configured (200 OK)

{
  "provider": "github",
  "client_id": "Iv1.abc123def456",
  "configured": true,
  "configured_at": "2025-01-15T10:30:00Z"
}

Response - Not Configured (200 OK)

{
  "provider": "github",
  "configured": false
}

Provider Setup Guides

GitHub

  1. Go to GitHub Developer Settings
  2. Click “New OAuth App”
  3. Set Authorization callback URL to: 
    https://sso.example.com/auth/github/callback
  4. Copy Client ID and generate Client Secret

Google

  1. Go to Google Cloud Console
  2. Create or select a project
  3. Enable OAuth consent screen
  4. Create OAuth 2.0 credentials
  5. Add authorized redirect URI: 
    https://sso.example.com/auth/google/callback

Microsoft

  1. Go to Azure Portal App Registrations
  2. Register new application
  3. Add redirect URI: 
    https://sso.example.com/auth/microsoft/callback
  4. Create client secret

Fallback Behavior

Scenario Behavior
BYOO configured Uses organization credentials
BYOO not configured Falls back to platform credentials
Platform credentials missing OAuth provider unavailable