List OAuth Login Providers
Get the list of currently active OAuth login providers — admin-managed. Frontend uses this to render dynamic Sign-in-with buttons.
GET /api/v1/auth/oauth/providers — 🌐 Public · Rate limit: 60 req / hour
🛠️ Admin-managed: this list is sourced from the OAuthProvider table — providers can be enabled/disabled by admin without redeploy. Never hardcode ['google', 'x', 'apple'] in the frontend; always read from this endpoint and render only what comes back.
Returns the list of OAuth platforms currently enabled for login (subset of all 15 platforms; the rest are verify-only for social account linking). Each entry has the public client ID needed to bootstrap the provider's frontend SDK.
Request
No headers, no body, no params.
Response
200 OK — ApiResponseOf<OAuthProvidersResponseDto>
```json
{
  "success": true,
  "data": {
    "providers": [
      {
        "platform": "google",
        "clientId": "123456789-abc.apps.googleusercontent.com",
        "redirectUri": "https://bio.re/auth/callback/google"
      },
      {
        "platform": "apple",
        "clientId": "com.bio.re.signin",
        "redirectUri": "https://bio.re/auth/callback/apple"
      },
      {
        "platform": "x",
        "clientId": "abcdef123456",
        "redirectUri": "https://bio.re/auth/callback/x"
      }
    ]
  }
}
```
OAuthProviderDto fields
| Field | Type | Notes |
|---|---|---|
| platform | `'google' \| 'apple' \| 'x'` | OAuth login provider key; pass it back as the provider field of POST /auth/oauth/login |
| clientId | `string` | Public client ID for the provider's frontend SDK |
| redirectUri | `string \| null` | Configured redirect URI; null if not set in admin |
Errors
| HTTP | code / i18nKey | Reason |
|---|---|---|
| 429 | (throttle) | Rate limit exceeded (60 req/hour) |
Side effects
- Read all `OAuthProvider` rows where `enabled = true` AND `loginEnabled = true`.
- Project to `{ platform, clientId, redirectUri }` (never expose secrets).
- Cached in-memory by `OAuthVerifierService` for ~5 minutes (admin updates invalidate the cache via internal pub/sub).
- No mutations.
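The read path listed above, as an added sketch that is not bio.re's own code: an allowlist projection plus a 5-minute cache with explicit invalidation. The row shape, the `clientSecret` column and the names `toPublicProviders` and `PublicProviderCache` are assumptions; the loader and clock are injected so the block runs offline.

```typescript
// Added illustration, not bio.re source. Row shape, clientSecret and all names are assumptions.
type ProviderRow = {
  platform: string;
  clientId: string;
  clientSecret: string; // assumed secret column; must never leave the server
  redirectUri: string | null;
  enabled: boolean;
  loginEnabled: boolean;
};
type PublicProvider = { platform: string; clientId: string; redirectUri: string | null };

// Allowlist projection: build each object field by field instead of spreading
// the row and deleting secrets, so columns added later stay private by default.
function toPublicProviders(rows: ProviderRow[]): PublicProvider[] {
  return rows
    .filter((r) => r.enabled && r.loginEnabled)
    .map((r) => ({ platform: r.platform, clientId: r.clientId, redirectUri: r.redirectUri }));
}

const TTL_MS = 5 * 60 * 1000; // ~5 minutes, as described above

class PublicProviderCache {
  load: () => ProviderRow[];
  now: () => number;
  cached: { at: number; value: PublicProvider[] } | null = null;
  constructor(load: () => ProviderRow[], now: () => number = Date.now) {
    this.load = load;
    this.now = now;
  }
  get(): PublicProvider[] {
    const t = this.now();
    let entry = this.cached;
    if (entry === null || t - entry.at >= TTL_MS) {
      // Only the projected list is cached; raw rows (with secrets) are not retained.
      entry = { at: t, value: toPublicProviders(this.load()) };
      this.cached = entry;
    }
    return entry.value;
  }
  // Call from the handler for the admin-update message so a disabled provider
  // disappears immediately instead of after the TTL.
  invalidate(): void {
    this.cached = null;
  }
}

// Constructed sample rows: one login provider, one verify-only platform.
const sampleRows: ProviderRow[] = [
  { platform: 'google', clientId: 'google-id.example', clientSecret: 'PLACEHOLDER-SECRET', redirectUri: null, enabled: true, loginEnabled: true },
  { platform: 'verify-only', clientId: 'vo-id.example', clientSecret: 'PLACEHOLDER-SECRET-2', redirectUri: null, enabled: true, loginEnabled: false },
];
```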
Code samples
```bash
curl https://api.bio.re/api/v1/auth/oauth/providers
```

```ts
type OAuthProvider = {
  platform: 'google' | 'apple' | 'x';
  clientId: string;
  redirectUri: string | null;
};

async function getOAuthProviders(): Promise<OAuthProvider[]> {
  const res = await fetch('https://api.bio.re/api/v1/auth/oauth/providers');
  const json = await res.json();
  // Treat both a non-2xx status and success: false as failure.
  if (!res.ok || !json.success) {
    throw Object.assign(new Error(json?.error?.message ?? 'Failed'), {
      code: json?.error?.code,
    });
  }
  return json.data.providers;
}
```

```ts
import { useQuery } from '@tanstack/react-query';

// OAuthProvider is the type defined in the fetch sample above.
export const oauthKeys = {
  providers: ['auth', 'oauth', 'providers'] as const,
};

export function useOAuthProviders() {
  return useQuery({
    queryKey: oauthKeys.providers,
    queryFn: async () => {
      const res = await fetch('/api/v1/auth/oauth/providers');
      const json = await res.json();
      if (!res.ok || !json.success) {
        throw Object.assign(new Error(json?.error?.message ?? 'Failed'), {
          code: json?.error?.code,
        });
      }
      return json.data.providers as OAuthProvider[];
    },
    staleTime: 5 * 60 * 1000, // mirrors backend cache
  });
}
```

Render dynamically:

```tsx
// Inside the sign-in component: render one button per provider the API returned.
const { data: providers = [] } = useOAuthProviders();
return (
  <>
    {providers.map((p) => (
      <SignInWithButton key={p.platform} platform={p.platform} clientId={p.clientId} />
    ))}
  </>
);
```

Never hardcode <SignInWithGoogle /> <SignInWithApple /> <SignInWithX />; an admin can disable a provider at any time.
Source
| Source | Path | Lines |
|---|---|---|
| Controller | apps/api-core/src/modules/auth/oauth.controller.ts | 114–123 (providers) |
| DTO (response) | apps/api-core/src/modules/auth/dto/response.dto.ts | 138–152 (OAuthProviderDto, OAuthProvidersResponseDto) |
| Service | apps/api-core/src/modules/auth/oauth-verifier.service.ts | getPublicClientIds() |
| Prisma model | packages/prisma/prisma/schema.prisma | OAuthProvider (15 platforms — loginEnabled filters to login subset) |