Configuring Providers
Each OAuth provider is configured per application through the Dashboard API. Configuration stores your provider credentials (encrypted at rest), the scopes to request, and whether users should be automatically provisioned on first login.
Configuration Modes
When configuring a provider you choose one of two modes:
BYOA (Bring Your Own App) — You supply a client_id and client_secret obtained from the provider's developer console. Your credentials are encrypted using AES-256-CBC before storage. Gate uses them when building provider redirect URLs.
YorAuth Managed — YorAuth provides shared OAuth application credentials for the provider. No setup in the provider's developer console is required. This option is only available on supported plans and for providers where YorAuth maintains a managed application.
Browse the Marketplace
Before configuring a provider, find its marketplace entry to get its id:
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/marketplace" \
-H "Authorization: Bearer your-api-key"
Filter by search term:
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/marketplace?search=google" \
-H "Authorization: Bearer your-api-key"
Response:
{
"data": [
{
"id": "a1b2c3d4-...",
"identifier": "google",
"name": "Google",
"category": "identity",
"logo_url": "https://...",
"description": "Sign in with Google",
"scopes": ["openid", "email", "profile"],
"config_fields": ["client_id", "client_secret"],
"popularity_score": 100,
"is_configured": false,
"yorauth_managed_available": true
}
]
}
The is_configured flag indicates whether this provider is already configured for your application. The id field is what you pass as provider_id when creating a configuration.
Get the Callback URL
Before creating credentials in the provider's developer console, retrieve the callback URL to register as an authorized redirect URI:
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{providerId}/callback-url" \
-H "Authorization: Bearer your-api-key"
Response:
{
"data": {
"callback_url": "https://gate.yorauth.com/oauth/google/callback",
"provider_identifier": "google"
}
}
Register this URL in your provider's developer console before creating the YorAuth configuration.
Configure a Provider (BYOA)
curl -X POST "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/configure" \
-H "Authorization: Bearer your-api-key" \
-H "Content-Type: application/json" \
-d '{
"provider_id": "a1b2c3d4-...",
"configuration_mode": "byoa",
"client_id": "your-client-id",
"client_secret": "your-client-secret",
"scopes": ["openid", "email", "profile"],
"auto_provision_users": false
}'
Parameters:
| Field | Type | Required | Description |
|---|---|---|---|
provider_id | UUID | Yes | The marketplace provider's id |
configuration_mode | string | No | byoa (default) or yorauth_managed |
client_id | string | Required for byoa | Your OAuth application's client ID |
client_secret | string | Required for byoa | Your OAuth application's client secret |
redirect_uri | string | No | Override the default gate callback URL |
scopes | array | No | Override the provider's default scopes |
auto_provision_users | boolean | No | Create app users on first OAuth login (default: false) |
Response (201 Created):
{
"data": {
"id": "cfg-uuid-...",
"provider": {
"id": "a1b2c3d4-...",
"identifier": "google",
"name": "Google"
},
"redirect_uri": null,
"scopes": ["openid", "email", "profile"],
"is_active": true,
"configuration_mode": "byoa",
"auto_provision_users": false,
"created_at": "2026-02-25T12:00:00+00:00"
}
}
Each provider can only be configured once per application. Attempting to configure the same provider twice returns a 409 PROVIDER_ALREADY_CONFIGURED error.
Configure a Provider (YorAuth Managed)
curl -X POST "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/configure" \
-H "Authorization: Bearer your-api-key" \
-H "Content-Type: application/json" \
-d '{
"provider_id": "a1b2c3d4-...",
"configuration_mode": "yorauth_managed",
"auto_provision_users": true
}'
No client_id or client_secret are required. YorAuth will use its own managed credentials.
List Configured Providers
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/configured" \
-H "Authorization: Bearer your-api-key"
Response:
{
"data": [
{
"id": "cfg-uuid-...",
"provider": {
"id": "a1b2c3d4-...",
"identifier": "google",
"name": "Google",
"category": "identity",
"logo_url": "https://..."
},
"redirect_uri": null,
"scopes": ["openid", "email", "profile"],
"is_active": true,
"configuration_mode": "byoa",
"auto_provision_users": false,
"oauth_connections_count": 142,
"created_at": "2026-01-15T09:00:00+00:00",
"updated_at": "2026-01-15T09:00:00+00:00"
}
]
}
The oauth_connections_count shows how many active connections exist for this provider configuration.
Update a Configuration
Update credentials, scopes, active status, or auto-provisioning settings:
curl -X PUT "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{configId}" \
-H "Authorization: Bearer your-api-key" \
-H "Content-Type: application/json" \
-d '{
"client_secret": "your-new-client-secret",
"is_active": true,
"auto_provision_users": true
}'
Updatable Fields:
| Field | Type | Description |
|---|---|---|
client_id | string | Replace the stored client ID (BYOA only) |
client_secret | string | Replace the stored client secret (BYOA only) |
redirect_uri | string|null | Override or clear the callback URL |
scopes | array|null | Override or clear the scope list |
is_active | boolean | Enable or disable the configuration |
auto_provision_users | boolean | Toggle automatic user provisioning |
Response (200):
{
"data": {
"id": "cfg-uuid-...",
"provider": { "..." },
"redirect_uri": null,
"scopes": ["openid", "email", "profile"],
"is_active": true,
"configuration_mode": "byoa",
"auto_provision_users": true,
"created_at": "2026-01-15T09:00:00+00:00",
"updated_at": "2026-02-25T12:00:00+00:00"
}
}
Updating credentials takes effect immediately. Gate caches provider configuration for 5 minutes; there may be a short delay before the new credentials are picked up for new OAuth flows.
Delete a Configuration
curl -X DELETE "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{configId}" \
-H "Authorization: Bearer your-api-key"
Returns 204 No Content on success. Deleting a configuration does not automatically revoke existing OAuth connections; those remain in place and can still be managed via the connection management API.
Test a Configuration
After configuring a provider, generate a test authorize URL to verify the end-to-end flow:
curl "https://api.yorauth.com/api/dashboard/applications/{applicationId}/providers/{configId}/test-login-url" \
-H "Authorization: Bearer your-api-key"
Response:
{
"data": {
"authorize_url": "https://api.yorauth.com/oidc/authorize?client_id=...&response_type=code&scope=openid&state=..."
}
}
Open authorize_url in a browser. You should see your provider's sign-in button on the hosted login page. Completing the flow verifies that gate can reach the provider and that your credentials are correct.
This endpoint requires an active OIDC client for the application. If you see a NO_OIDC_CLIENT error, create an OIDC client first.
Plan Limits
The number of active provider configurations per application is subject to your plan's OAuth provider limit. Attempting to exceed the limit returns a 422 error. Contact support to upgrade your plan.