Provider API reference for OAuth, email, and two-factor authentication.
All OAuth providers follow a consistent pattern and support PKCE (Proof Key for Code Exchange) with S256 enabled by default for enhanced security.
Google OAuth 2.0 provider with OpenID Connect
google(options: GoogleProviderOptions): OAuthProviderConfigclientIdstringrequiredGoogle OAuth client ID from Google Cloud Console
clientSecretstringrequiredGoogle OAuth client secret
redirectUristringrequiredOAuth callback URL (must match Google Console config)
scopestring[]OAuth scopes to request
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { google } from '@warpy-auth-sdk/core';
const provider = google({
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/google',
scope: ['openid', 'email', 'profile'], // Optional, these are defaults
pkce: 'S256', // Optional, S256 is default
});Facebook OAuth 2.0 provider
facebook(options: FacebookProviderOptions): OAuthProviderConfigclientIdstringrequiredFacebook App ID
clientSecretstringrequiredFacebook App Secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["email", "public_profile"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { facebook } from '@warpy-auth-sdk/core';
const provider = facebook({
clientId: process.env.FACEBOOK_CLIENT_ID!,
clientSecret: process.env.FACEBOOK_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/facebook',
});GitHub OAuth 2.0 provider with private email handling
github(options: GitHubProviderOptions): OAuthProviderConfigclientIdstringrequiredGitHub OAuth App client ID
clientSecretstringrequiredGitHub OAuth App client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["user:email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { github } from '@warpy-auth-sdk/core';
const provider = github({
clientId: process.env.GITHUB_CLIENT_ID!,
clientSecret: process.env.GITHUB_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/github',
scope: ['user:email'], // Optional, includes private emails
});GitLab OAuth 2.0 provider with self-hosted support
gitlab(options: GitLabProviderOptions): OAuthProviderConfigclientIdstringrequiredGitLab OAuth application ID
clientSecretstringrequiredGitLab OAuth application secret
redirectUristringrequiredOAuth callback URL
baseUrlstringGitLab instance URL (default: "https://gitlab.com")
scopestring[]OAuth scopes (default: ["read_user"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { gitlab } from '@warpy-auth-sdk/core';
// GitLab.com
const provider = gitlab({
clientId: process.env.GITLAB_CLIENT_ID!,
clientSecret: process.env.GITLAB_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/gitlab',
});
// Self-hosted GitLab
const selfHosted = gitlab({
clientId: process.env.GITLAB_CLIENT_ID!,
clientSecret: process.env.GITLAB_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/gitlab',
baseUrl: 'https://gitlab.company.com',
});LinkedIn OAuth 2.0 provider with OpenID Connect
linkedin(options: LinkedInProviderOptions): OAuthProviderConfigclientIdstringrequiredLinkedIn App client ID
clientSecretstringrequiredLinkedIn App client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["openid", "profile", "email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { linkedin } from '@warpy-auth-sdk/core';
const provider = linkedin({
clientId: process.env.LINKEDIN_CLIENT_ID!,
clientSecret: process.env.LINKEDIN_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/linkedin',
});Microsoft/Azure AD OAuth 2.0 provider with multi-tenant support
microsoft(options: MicrosoftProviderOptions): OAuthProviderConfigclientIdstringrequiredAzure AD application (client) ID
clientSecretstringrequiredAzure AD client secret
redirectUristringrequiredOAuth callback URL
tenantstringAzure AD tenant ID or "common"/"organizations" (default: "common")
scopestring[]OAuth scopes (default: ["openid", "profile", "email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { microsoft } from '@warpy-auth-sdk/core';
// Multi-tenant (any Microsoft account)
const provider = microsoft({
clientId: process.env.MICROSOFT_CLIENT_ID!,
clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/microsoft',
tenant: 'common', // Optional, 'common' is default
});
// Single-tenant (specific organization)
const singleTenant = microsoft({
clientId: process.env.MICROSOFT_CLIENT_ID!,
clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/microsoft',
tenant: 'your-tenant-id',
});Spotify OAuth 2.0 provider
spotify(options: SpotifyProviderOptions): OAuthProviderConfigclientIdstringrequiredSpotify App client ID
clientSecretstringrequiredSpotify App client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["user-read-email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { spotify } from '@warpy-auth-sdk/core';
const provider = spotify({
clientId: process.env.SPOTIFY_CLIENT_ID!,
clientSecret: process.env.SPOTIFY_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/spotify',
scope: ['user-read-email', 'user-read-private'],
});Discord OAuth 2.0 provider
discord(options: DiscordProviderOptions): OAuthProviderConfigclientIdstringrequiredDiscord App client ID
clientSecretstringrequiredDiscord App client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["identify", "email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { discord } from '@warpy-auth-sdk/core';
const provider = discord({
clientId: process.env.DISCORD_CLIENT_ID!,
clientSecret: process.env.DISCORD_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/discord',
});Twitch OAuth 2.0 provider
twitch(options: TwitchProviderOptions): OAuthProviderConfigclientIdstringrequiredTwitch App client ID
clientSecretstringrequiredTwitch App client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["user:read:email"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { twitch } from '@warpy-auth-sdk/core';
const provider = twitch({
clientId: process.env.TWITCH_CLIENT_ID!,
clientSecret: process.env.TWITCH_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/twitch',
});Epic Games OAuth 2.0 provider
epic(options: EpicProviderOptions): OAuthProviderConfigclientIdstringrequiredEpic Games client ID
clientSecretstringrequiredEpic Games client secret
redirectUristringrequiredOAuth callback URL
scopestring[]OAuth scopes (default: ["basic_profile"])
pkce"S256" | "plain" | falsePKCE method (default: "S256")
OAuthProviderConfigimport { epic } from '@warpy-auth-sdk/core';
const provider = epic({
clientId: process.env.EPIC_CLIENT_ID!,
clientSecret: process.env.EPIC_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/epic',
});Custom OAuth 2.0 provider with configurable endpoints and user mapping
custom(options: CustomOAuthProviderOptions): OAuthProviderConfigclientIdstringrequiredOAuth client ID
clientSecretstringrequiredOAuth client secret
redirectUristringrequiredOAuth callback URL
authorizeUrlstringrequiredAuthorization endpoint URL
tokenUrlstringrequiredToken endpoint URL
userInfoUrlstringrequiredUser info endpoint URL
scopestring[]OAuth scopes
pkce"S256" | "plain" | falsePKCE method (default: "S256")
mapUser(userInfo: any) => UserProfileFunction to map provider user info to standard UserProfile
OAuthProviderConfigimport { custom } from '@warpy-auth-sdk/core';
const provider = custom({
clientId: process.env.CUSTOM_CLIENT_ID!,
clientSecret: process.env.CUSTOM_CLIENT_SECRET!,
redirectUri: 'https://example.com/api/auth/callback/custom',
authorizeUrl: 'https://auth.example.com/oauth/authorize',
tokenUrl: 'https://auth.example.com/oauth/token',
userInfoUrl: 'https://auth.example.com/oauth/userinfo',
scope: ['openid', 'email', 'profile'],
mapUser: (userInfo) => ({
id: userInfo.sub || userInfo.id,
email: userInfo.email,
name: userInfo.name || userInfo.displayName,
picture: userInfo.picture || userInfo.avatar,
}),
});The email provider sends magic links for passwordless authentication. Supports both Nodemailer (SMTP) and Resend email services with React Email templates.
Email magic link provider with React Email templates
email(options: EmailProviderOptions): EmailProviderConfigfromstringrequiredFrom email address
serviceEmailServiceConfigrequiredEmail service configuration (Nodemailer or Resend)
templateCustomEmailTemplateCustom React Email template (optional)
appNamestringApp name for default template (default: "Your App")
companyNamestringCompany name for default template (default: "Your Company")
expirationMinutesnumberToken expiration in minutes (default: 15)
EmailProviderConfigimport { email } from '@warpy-auth-sdk/core';
// With Resend
const provider = email({
from: 'noreply@example.com',
service: {
type: 'resend',
apiKey: process.env.RESEND_API_KEY!,
},
appName: 'MyApp',
companyName: 'Acme Inc',
expirationMinutes: 15,
});
// With Nodemailer (SMTP)
const nodemailerProvider = email({
from: 'noreply@example.com',
service: {
type: 'nodemailer',
server: 'smtp.gmail.com:587',
auth: {
user: 'user@gmail.com',
pass: process.env.SMTP_PASSWORD!,
},
},
});
// With custom template
const customProvider = email({
from: 'noreply@example.com',
service: { type: 'resend', apiKey: process.env.RESEND_API_KEY! },
template: {
component: ({ magicLink }) => (
<MyCustomEmail magicLink={magicLink} />
),
subject: 'Custom Sign In',
},
});The two-factor provider sends 6-digit verification codes via email for enhanced security. Supports the same email services as the magic link provider.
Two-factor email authentication provider with 6-digit codes
twofa(options: TwoFactorProviderOptions): TwoFactorProviderConfigfromstringrequiredFrom email address
serviceEmailServiceConfigrequiredEmail service configuration (Nodemailer or Resend)
templateCustomTwoFactorTemplateCustom React Email template (optional)
appNamestringApp name for default template (default: "Your App")
companyNamestringCompany name for default template (default: "Your Company")
expirationMinutesnumberCode expiration in minutes (default: 5)
TwoFactorProviderConfigimport { twofa } from '@warpy-auth-sdk/core';
const provider = twofa({
from: 'noreply@example.com',
service: {
type: 'resend',
apiKey: process.env.RESEND_API_KEY!,
},
appName: 'MyApp',
companyName: 'Acme Inc',
expirationMinutes: 5, // Code valid for 5 minutes
});// OAuth Provider
interface OAuthProviderConfig {
type: "oauth";
clientId: string;
clientSecret: string;
authorizeUrl: string;
tokenUrl: string;
userInfoUrl: string;
redirectUri: string;
scope?: string[];
pkce?: "S256" | "plain" | false;
getUser: (accessToken: string) => Promise<UserProfile>;
}
// Email Provider
interface EmailProviderConfig {
type: "email";
server: string;
from: string;
sendMagicLink: (email: string, url: string) => Promise<void>;
verify: (token: string) => Promise<{ email: string; userId?: string } | null>;
}
// Two-Factor Provider
interface TwoFactorProviderConfig {
type: "twofa";
from: string;
sendCode: (email: string) => Promise<{ identifier: string; expiresIn: number }>;
verifyCode: (identifier: string, code: string) => Promise<{ email: string; userId?: string } | null>;
}
// User Profile (returned by all providers)
interface UserProfile {
id: string;
email: string;
name?: string;
picture?: string;
}
// Email Service Configuration
type EmailServiceConfig =
| { type: 'resend'; apiKey: string }
| { type: 'nodemailer'; server: string; auth: { user: string; pass: string } };All OAuth providers support PKCE (Proof Key for Code Exchange) with S256 enabled by default. PKCE prevents authorization code interception attacks and is recommended for all OAuth flows.