Documentation Index

Fetch the complete documentation index at: https://mintlify.com/eggarcia98/auth-backend/llms.txt

Complete the OAuth authentication flow by exchanging the authorization code received from the provider for a user session. On success, the endpoint sets accessToken and refreshToken as HTTP-only cookies and also returns the authenticated user and the same tokens in the response body.
This endpoint uses PKCE (Proof Key for Code Exchange). The backend calls Supabase's exchangeCodeForSession with the authorization code, and Supabase validates the code against the code verifier stored when the flow was started. Each code is single-use: a replayed code is rejected and the endpoint responds with the 401 error documented below.

Request

POST /api/v1/auth/oauth/:provider/callback

No authentication required.

Path parameters

provider
string
required
The OAuth provider the code was issued by. Accepted values: google, apple.

Body

code
string
required
The authorization code returned by the OAuth provider in the redirect URL query parameter code. Extract this from the callback URL on your frontend before sending it here.

Response

On success, the response sets two HTTP-only cookies:
  • accessToken — short-lived JWT for authenticating API requests (its lifetime is reported as expiresIn, in seconds, in the response body).
  • refreshToken — long-lived token (7 days) for obtaining new access tokens.
The same two tokens are also returned in data.tokens. The HTTP-only flag protects only the cookie copies; the body copies are readable by any script running on the page, so treat the response body as sensitive and do not log it or persist it client-side.
success
boolean
required
Indicates whether the request succeeded. Always true on success.
message
string
Confirmation message. Value: "OAuth authentication successful, tokens set in cookies".
data
object
The authenticated user record (user) and the issued tokens (tokens: accessToken, refreshToken and expiresIn in seconds), as shown in the success response below.

Examples

# --cookie-jar stores the accessToken and refreshToken cookies from the Set-Cookie headers
curl --request POST \
  --url https://your-api.com/api/v1/auth/oauth/google/callback \
  --header 'Content-Type: application/json' \
  --cookie-jar cookies.txt \
  --data '{
    "code": "4/0AX4XfWh..."
  }'

Success response

200
{
  "success": true,
  "message": "OAuth authentication successful, tokens set in cookies",
  "data": {
    "user": {
      "id": "usr_01h9...",
      "email": "user@example.com",
      "emailVerified": true,
      "provider": "google",
      "createdAt": "2024-01-15T10:30:00.000Z",
      "updatedAt": "2024-01-15T10:30:00.000Z"
    },
    "tokens": {
      "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "expiresIn": 3600
    }
  }
}

Error responses

400
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Authorization code is required"
  }
}
401
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Failed to authenticate with OAuth provider"
  }
}
