OAuth Setup

ClawPipe supports Google and GitHub sign-in on the dashboard. Both are optional: if no provider credentials are configured, the dashboard gracefully hides the buttons and falls back to email + password. This runbook shows how to enable each provider.

How discovery works

The dashboard calls GET /auth/providers on load. The gateway returns which providers have credentials configured, and the dashboard only renders the buttons for available providers. No code changes required on the frontend.

// Response when only GitHub is configured
{ "google": false, "github": true }

Google OAuth

  1. Open the Google Cloud Console Credentials page for your project. Create one if needed.
  2. Click Create Credentials → OAuth client ID.
  3. Application type: Web application.
  4. Authorized JavaScript origins: https://app.clawpipe.ai (and any staging hosts).
  5. Authorized redirect URIs: https://api.clawpipe.ai/auth/google/callback.
  6. Save. Copy the client ID and client secret.

Set the secrets on the gateway Worker:

# From the gateway/ directory
wrangler secret put GOOGLE_CLIENT_ID
wrangler secret put GOOGLE_CLIENT_SECRET

Redeploy the Worker so the new bindings take effect:

wrangler deploy

GitHub OAuth

  1. Open GitHub Developer settings → OAuth Apps.
  2. Click New OAuth App.
  3. Application name: ClawPipe.
  4. Homepage URL: https://clawpipe.ai.
  5. Authorization callback URL: https://api.clawpipe.ai/auth/github/callback.
  6. Save. On the app page, copy the client ID and generate a new client secret.

Set the secrets on the gateway:

wrangler secret put GITHUB_CLIENT_ID
wrangler secret put GITHUB_CLIENT_SECRET
wrangler deploy

Verify it works

Confirm the discovery endpoint reports the providers:

curl https://api.clawpipe.ai/auth/providers

Open app.clawpipe.ai in an incognito window and confirm the sign-in buttons appear. The complete round-trip is:

  1. User clicks Continue with Google.
  2. Browser hits GET /auth/google and is redirected to Google's consent screen.
  3. Google redirects back to /auth/google/callback with an auth code.
  4. Gateway exchanges the code, creates or links the user in D1, and sets a session cookie.
  5. Dashboard loads with the user signed in.

Security notes

  • Least privilege. Both providers issue tokens scoped only to profile and email. ClawPipe never requests repo or drive scopes.
  • Rotation. Rotating a client secret is a single wrangler secret put plus redeploy — no downtime if you rotate during low traffic.
  • Audit. OAuth link events are written to the oauth_accounts table in D1. Existing sessions are unaffected when a secret rotates.
  • Removal. To fully disable a provider, delete both secrets and redeploy. The dashboard auto-hides the button on the next load.

Troubleshooting

  • Buttons do not appear. Check curl https://api.clawpipe.ai/auth/providers — the field for each provider you configured must be true. If it is false, the secrets are missing or the Worker has not been redeployed since they were set.
  • Redirect URI mismatch. The callback URL in the provider console must exactly match https://api.clawpipe.ai/auth/{provider}/callback, including protocol.
  • Sign-in loops back to login. Session cookies require the api.clawpipe.ai and app.clawpipe.ai hosts to share a cookie domain. Confirm the Worker sets Domain=.clawpipe.ai on the session cookie.
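As an added example (not ClawPipe's own gateway code), here are the Worker-side pieces the sections above describe as plain functions: the GET /auth/providers discovery response, the redirect that starts the round-trip, and the session cookie the last troubleshooting item refers to. The binding names are the ones set with wrangler secret put above; the authorize endpoints are the providers' public ones, while the scope lists and cookie attributes are assumptions chosen to match the least-privilege and cookie-domain notes.

```javascript
// Hypothetical gateway helpers; env is the Worker's bindings object.
const PROVIDERS = {
  google: {
    idVar: "GOOGLE_CLIENT_ID",
    secretVar: "GOOGLE_CLIENT_SECRET",
    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
    scope: "openid email profile", // assumed: profile + email only
  },
  github: {
    idVar: "GITHUB_CLIENT_ID",
    secretVar: "GITHUB_CLIENT_SECRET",
    authorizeUrl: "https://github.com/login/oauth/authorize",
    scope: "read:user user:email", // assumed: no repo scope
  },
};

// GET /auth/providers: a provider is advertised only when BOTH its client ID
// and its client secret are bound. A half-configured provider stays hidden,
// which is what the troubleshooting item about missing buttons describes.
function discoverProviders(env) {
  const out = {};
  for (const [name, p] of Object.entries(PROVIDERS)) {
    out[name] = Boolean(env[p.idVar]) && Boolean(env[p.secretVar]);
  }
  return out;
}

// GET /auth/{provider}: build the consent-screen redirect (step 2 of the
// round-trip). redirect_uri must match the console entry byte-for-byte,
// and state is a random per-request value the callback checks.
function buildAuthorizeUrl(provider, env, state) {
  const p = PROVIDERS[provider];
  if (!p || !discoverProviders(env)[provider]) return null; // 404 in the Worker
  const u = new URL(p.authorizeUrl);
  u.searchParams.set("client_id", env[p.idVar]);
  u.searchParams.set("redirect_uri", `https://api.clawpipe.ai/auth/${provider}/callback`);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", p.scope);
  u.searchParams.set("state", state);
  return u.toString();
}

// Session cookie set after the code exchange (step 4). Domain=.clawpipe.ai
// is what lets app.clawpipe.ai see a cookie issued by api.clawpipe.ai.
function sessionCookie(sessionId, maxAgeSeconds = 7 * 24 * 3600) {
  return `session=${sessionId}; Domain=.clawpipe.ai; Path=/; ` +
    `Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}
```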