MonoRelay supports OAuth single sign-on via GitHub, Google, or PrismaAuth for dashboard login. When SSO is enabled, users click “Login with GitHub” or “Login with Google”, complete the OAuth flow on the provider’s website, and are redirected back to MonoRelay with a local JWT token — the same kind used by local accounts.
How SSO login works
When a user initiates an SSO login, MonoRelay redirects them to the OAuth provider’s authorization page. After they grant access, the provider sends an authorization code back to MonoRelay’s callback endpoint (/api/auth/sso/callback). MonoRelay exchanges this code for the user’s profile, finds or creates a matching local account, and issues a JWT token. From that point on, the user authenticates with their JWT exactly like any other user.
SSO users receive a standard MonoRelay JWT after login. They use it identically to local account tokens — pass it as Authorization: Bearer <token> on every API request.
Setup
Create an OAuth app with your provider
Register a new OAuth application with GitHub or Google and set the callback URL to:
GitHub: Go to github.com/settings/developers → “OAuth Apps” → “New OAuth App”. Set the “Authorization callback URL” to the value above.
Google: Go to the Google Cloud Console → “APIs & Services” → “Credentials” → “Create credentials” → “OAuth client ID”. Add the callback URL to the list of authorized redirect URIs.
After creating the app, copy the client ID and client secret — you will need them in the next step.
Add SSO configuration to config.yml
Add an sso section to your config.yml. The example below shows GitHub; for Google, replace the github_* fields with google_* fields.
GitHub:
Google:
MonoRelay picks up configuration changes without a restart when hot-reload is active.
Optionally promote SSO users to admin
Add usernames to admin_usernames to automatically grant the admin role to those users when they first log in via SSO. The username is the login name from the OAuth provider (for example, your GitHub username).
Users already in the database will be promoted to admin on their next SSO login if their username appears in this list.
Configuration reference
| Field | Type | Description |
|---|---|---|
| enabled | boolean | Enable or disable SSO. |
| provider | string | OAuth provider: github, google, or prismaauth. |
| github_client_id | string | Client ID from your GitHub OAuth app. |
| github_client_secret | string | Client secret from your GitHub OAuth app. |
| google_client_id | string | Client ID from your Google OAuth app. |
| google_client_secret | string | Client secret from your Google OAuth app. |
| admin_usernames | list | SSO usernames that receive admin role on first login. |
| sso_only | boolean | When true, disables local username and password login. |
Check SSO status
You can check whether SSO is enabled and correctly configured without authenticating by calling the status endpoint.
| Field | Description |
|---|---|
| enabled | Whether SSO is turned on in config. |
| provider | The active OAuth provider. |
| configured | Whether the provider credentials are present and non-empty. |
| sso_only | Whether local password login is disabled. |
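A pre-deployment check over the fields in the configuration reference, as an added example that is not part of MonoRelay or its documentation: it flags an sso section whose active provider has missing or empty credentials (the condition the status field configured reports), that sets sso_only while SSO is unusable, that keeps a secret for an inactive provider, or that has malformed admin_usernames entries. The function names, the rules, the dict input (the already-parsed sso section) and the sample values are assumptions constructed for illustration.

```python
# Added example, not MonoRelay code. Input: the parsed `sso` section as a dict.
# Field names are from the configuration reference; the rules are assumptions.
PROVIDERS = ("github", "google", "prismaauth")

def is_configured(sso):
    """Mirror the status field `configured`: credentials present and non-empty."""
    provider = sso.get("provider")
    if provider == "prismaauth":
        return True  # assumption: the reference lists no credential fields for it
    keys = (f"{provider}_client_id", f"{provider}_client_secret")
    return all(isinstance(sso.get(k), str) and sso[k].strip() != "" for k in keys)

def audit_sso(sso):
    """Return findings for one sso section; an empty list means nothing to fix."""
    findings = []
    enabled = sso.get("enabled") is True
    provider = sso.get("provider")
    usable = enabled and is_configured(sso)
    if provider not in PROVIDERS:
        findings.append(f"provider {provider!r} is not one of {', '.join(PROVIDERS)}")
    elif enabled and not usable:
        findings.append(f"enabled is true but {provider} client id/secret is missing or empty")
    # Assumption: sso_only is honoured even when SSO is disabled or unconfigured.
    if sso.get("sso_only") is True and not usable:
        findings.append("sso_only turns off password login while SSO itself is not usable")
    for other in ("github", "google"):
        if other != provider and sso.get(f"{other}_client_secret"):
            findings.append(f"{other}_client_secret is set but {other} is not the active provider")
    # These names receive the admin role, so a malformed entry is worth catching early.
    for name in sso.get("admin_usernames") or []:
        if not isinstance(name, str) or not name or name != name.strip():
            findings.append(f"admin_usernames entry {name!r} is empty or has stray whitespace")
    return findings

# Constructed sample sections (placeholder values, not real credentials).
GOOD = {"enabled": True, "provider": "github", "github_client_id": "EXAMPLE_ID",
        "github_client_secret": "EXAMPLE_SECRET", "admin_usernames": ["alice"],
        "sso_only": False}
RISKY = {"enabled": True, "provider": "google", "google_client_id": "EXAMPLE_ID",
         "google_client_secret": "", "github_client_secret": "EXAMPLE_SECRET",
         "admin_usernames": ["alice", " bob"], "sso_only": True}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("RISKY", RISKY)):
        print(label, audit_sso(cfg) or "no findings")
```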