OAuth providers let users log in to the panel using an external identity service — such as GitHub, Google, or Discord — without managing a separate password. Calagopus supports any OAuth2-compliant provider through a generic configuration interface. Navigate to Admin → OAuth Providers to manage providers.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/calagopus/panel/llms.txt
Use this file to discover all available pages before exploring further.
How OAuth login works
When a user clicks a provider’s login button, they are redirected to the provider’s authorization page. After granting access, the provider sends an authorization code to the panel’s callback URL. The panel exchanges this code for user information and either logs in an existing linked account or creates a new one. Each provider is configured with the endpoints needed for a standard OAuth2 Authorization Code flow:- Auth URL — where the user is sent to authorize access
- Token URL — where the panel exchanges the code for an access token
- Info URL — where the panel fetches user profile data using the token
Adding an OAuth provider
Fill in identity and endpoint fields
| Field | Description |
|---|---|
| Name | Display name shown on the login button (for example, GitHub). Must be unique. |
| Description | Optional internal note. |
| Client ID | The client identifier issued by the provider. |
| Client Secret | The client secret issued by the provider. |
| Auth URL | The provider’s authorization endpoint URL. |
| Token URL | The provider’s token exchange endpoint URL. |
| Info URL | The endpoint to fetch the authenticated user’s profile. |
| Scopes | Space-separated OAuth2 scopes to request. Include email and profile (or provider equivalents) to populate user data automatically. |
Configure the callback URL
After creating the provider, the callback URL is shown in the provider’s detail view:Register this URL as the authorized redirect URI in your provider’s developer console.
Configure JSON path mappings
The panel extracts user fields from the Info URL response using JSON paths (compatible with serde_json_path).
| Field | Required | Description |
|---|---|---|
| Identifier Path | Yes | A path that uniquely identifies the user in the provider, for example $.id or $.sub. |
| Email Path | No | Path to the user’s email address. |
| Username Path | No | Path to the username. |
| First Name Path | No | Path to the first name. |
| Last Name Path | No | Path to the last name. |
Set behavior options
| Option | Default | Description |
|---|---|---|
| Enabled | On | Whether the provider is available on the login page. |
| Only allow login | Off | Prevents new account creation via this provider; only existing linked accounts can use it. |
| Bypass 2FA on login | Off | Users who log in with this provider skip the 2FA checkpoint. Enable only for trusted corporate SSO. |
| Link viewable to user | On | Users can see their linked provider connection in their account settings. |
| Link manageable by user | On | Users can connect or disconnect this provider themselves. |
| Basic auth | Off | Sends client credentials using HTTP Basic Authentication instead of as form parameters. Uncommon; only enable if the provider requires it. |
Editing a provider
Click a provider’s row in Admin → OAuth Providers to open its detail page. All fields are editable. The Client Secret field accepts a new value only when you enter text; leaving it blank keeps the existing secret. You can export a provider’s configuration (without credentials) as JSON or YAML using the Export button. This is useful for sharing a base configuration or backing up endpoint settings.Removing a provider
To delete a provider:- Open the provider in Admin → OAuth Providers.
- Click Delete and confirm.
How users connect OAuth accounts
When Link manageable by user is on, users can connect a provider from their account settings:- Go to Account → Connections.
- Click Connect next to the provider.
- Complete the authorization flow in the popup.