Authentication

Enable Google + GitHub sign-in

Axiom uses NextAuth. Google and GitHub providers are wired in code but only register when their environment credentials are present on the host. Set the env vars below and the buttons on the sign-in page activate automatically.

Three things to configure for each provider

Overview

  1. Create an OAuth application with the provider (Google Cloud Console / GitHub OAuth Apps).
  2. Register the callback URL pointing at your Axiom host.
  3. Set the resulting Client ID + Client Secret on your host as environment variables.

Info

The sign-in page polls /api/auth/providers on load and disables the button + shows a Not set badge for any provider whose env vars are missing — no silent failures.

Required for every deployment regardless of provider

1. Base NextAuth env

# Required for every deployment
NEXTAUTH_URL=https://your-domain.example.com
NEXTAUTH_SECRET=<output of: openssl rand -base64 32>

NEXTAUTH_URL must exactly match the public origin (no trailing slash). On Vercel set it under Project → Settings → Environment Variables for Production + Preview environments.

2. Google sign-in

1. Create an OAuth client

Open the Google Cloud Console → APIs & Services → Credentials. Click Create Credentials → OAuth client ID → Web application.

2. Add the authorized redirect URI

Under Authorized redirect URIs, add:

https://your-domain.example.com/api/auth/callback/google

For local development add http://localhost:3000/api/auth/callback/google as well.

3. Copy the credentials

Google shows a Client ID + Client Secret. Treat the secret as you would an API key.

4. Set env on the host

GOOGLE_CLIENT_ID=1234567890-abc.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-xxxxxxxxxxxxxxxxx

Heads up

Google's OAuth consent screen needs at least one scope (openid email profile is the NextAuth default). For external apps you'll need to publish the consent screen to leave test mode and accept non-test users.

3. GitHub sign-in

1. Create an OAuth app

2. Set the callback URL

Homepage URL: https://your-domain.example.com

Authorization callback URL:

https://your-domain.example.com/api/auth/callback/github

3. Generate a client secret

After saving, click Generate a new client secret. GitHub shows the secret once — copy it immediately.

4. Set env on the host

GITHUB_CLIENT_ID=Iv1.xxxxxxxxxxxxxxxx
GITHUB_CLIENT_SECRET=ghp_xxxxxxxxxxxxxxxxxxxxxxxx

Info

For an organization-restricted app, create the OAuth app under the org's settings and enable the SSO requirement so only org members can sign in.

4. Verify it works

  1. Redeploy after setting the env vars (env changes don't auto-rebuild on most hosts).
  2. Open the sign-in page in an incognito window.
  3. Both buttons should activate (no Not set badge).
  4. Click a provider button, complete the OAuth consent screen, and you land in /dashboard.

Heads up

If you see error=Configuration after the OAuth round-trip, the env var is set but doesn't match what the provider was registered with. Double-check the callback URL.

Troubleshooting

Button shows Not set

The env vars are not present on the host. Re-check Vercel → Settings → Environment Variables. Remember to redeploy.

Redirect URI mismatch

The exact callback URL registered with the provider must match the one NextAuth requests. For Vercel previews, you'll either need a wildcard preview domain on Google (not supported — use a single preview URL) or limit OAuth to production.

Works locally but not in production

NEXTAUTH_URL is not set or doesn't match the production origin. NextAuth uses this to construct callback URLs.
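
A preflight check for the environment variables described on this page, as an added example rather than Axiom's or NextAuth's own code. It catches the trailing-slash and half-configured-provider cases from Troubleshooting and returns the callback URLs to register. The function name checkAuthEnv, its result shape and the 44-character secret length check are assumptions made for the example.

```javascript
// Added example, not Axiom's code. checkAuthEnv and its result shape are hypothetical.
const PROVIDERS = { google: "GOOGLE", github: "GITHUB" };

function checkAuthEnv(env) {
  const errors = [];
  const callbacks = {};
  let origin = null;

  // NEXTAUTH_URL must be exactly the public origin: no path and no trailing slash.
  const raw = env.NEXTAUTH_URL || "";
  try {
    const u = new URL(raw);
    origin = u.origin;
    if (raw !== origin) errors.push(`NEXTAUTH_URL should be exactly ${origin}`);
    const local = u.hostname === "localhost" || u.hostname === "127.0.0.1";
    if (u.protocol !== "https:" && !local) errors.push("NEXTAUTH_URL should use https");
  } catch {
    errors.push("NEXTAUTH_URL is missing or not a valid URL");
  }

  // Assumption: `openssl rand -base64 32` prints 44 characters, so anything
  // shorter (or a pasted "<...>" placeholder) was not generated that way.
  const secret = env.NEXTAUTH_SECRET || "";
  if (secret.length < 44 || secret.startsWith("<")) {
    errors.push("NEXTAUTH_SECRET is missing, too short, or still a placeholder");
  }

  for (const [id, prefix] of Object.entries(PROVIDERS)) {
    const hasId = Boolean(env[`${prefix}_CLIENT_ID`]);
    const hasSecret = Boolean(env[`${prefix}_CLIENT_SECRET`]);
    if (hasId !== hasSecret) {
      errors.push(`${prefix}_CLIENT_ID and ${prefix}_CLIENT_SECRET must be set together`);
    } else if (hasId && origin) {
      // The exact redirect URI to register with the provider.
      callbacks[id] = `${origin}/api/auth/callback/${id}`;
    }
  }
  return { ok: errors.length === 0, errors, callbacks };
}

// Constructed sample: trailing slash on the URL, GitHub secret left unset.
const sampleEnv = {
  NEXTAUTH_URL: "https://your-domain.example.com/",
  NEXTAUTH_SECRET: "x".repeat(44), // constructed stand-in, not a real secret
  GOOGLE_CLIENT_ID: "1234567890-abc.apps.googleusercontent.com",
  GOOGLE_CLIENT_SECRET: "GOCSPX-xxxxxxxxxxxxxxxxx",
  GITHUB_CLIENT_ID: "Iv1.xxxxxxxxxxxxxxxx",
};
console.log(checkAuthEnv(sampleEnv)); // secrets are never echoed, only names
```

On a real host, pass process.env instead of the sample object and fail the deploy step when ok is false.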
