Flux Pass supports OAuth sign-in through three providers: GitHub, Google, and Microsoft. The flow is the same for all providers:
  1. Your frontend redirects the user to the OAuth provider’s authorization page
  2. The provider redirects back to your app with an authorization code
  3. Your frontend sends the code to the Flux Pass callback endpoint
  4. Flux Pass exchanges the code for an access token, fetches the user profile, and returns tokens
If the OAuth user doesn’t exist, a new account is created automatically with a free DROP service entitlement. If the email already exists, the OAuth provider is linked to the existing account.

GitHub callback

POST /api/oauth/github/callback
Rate limited to 10 requests per 60 seconds.

Request body

code (string, required): The authorization code received from GitHub’s OAuth flow.

Response 200

{
  "user": {
    "id": "cuid_abc123",
    "email": "user@example.com",
    "displayName": "John",
    "avatar": "https://avatars.githubusercontent.com/u/12345",
    "oauthAccounts": [
      {
        "provider": "github",
        "providerUserId": "12345"
      }
    ]
  },
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "a1b2c3d4e5f6...",
  "services": [...],
  "banned": false,
  "disabled": false
}

Response 400

{
  "message": "GitHub account must have a verified primary email"
}

Google callback

POST /api/oauth/google/callback
Rate limited to 10 requests per 60 seconds.

Request body

code (string, required): The authorization code received from Google’s OAuth flow.

Response 200

Same structure as the GitHub callback response.

Response 400

{
  "message": "Google account must have a verified email"
}

Microsoft callback

POST /api/oauth/microsoft/callback
Rate limited to 10 requests per 60 seconds.

Request body

code (string, required): The authorization code received from Microsoft’s OAuth flow.

Response 200

Same structure as the GitHub callback response.

Response 400

{
  "message": "Microsoft account must have an email address"
}
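
Frontend example

The following is an added example, not Flux Pass code: steps 2 to 4 of the flow from the frontend's side, for any of the three providers, including the `state` check that ties the redirect to a sign-in this browser started. It assumes the frontend generated a random `state` before the redirect and that the callback accepts a JSON body; the function names, `apiBase`, and the handling of `banned`/`disabled` are illustrative.

```javascript
// Added example, not Flux Pass code. Assumptions: the frontend created a random
// `state` before redirecting and kept it (e.g. in sessionStorage); the callback
// endpoint accepts a JSON body; `apiBase` is the origin serving /api/oauth/...
const PROVIDERS = new Set(["github", "google", "microsoft"]);

// Steps 2-3: validate the redirect from the provider and build the callback request.
function buildCallbackRequest(provider, redirectUrl, expectedState, apiBase) {
  if (!PROVIDERS.has(provider)) throw new Error("unknown provider");
  const params = new URL(redirectUrl).searchParams;
  // A provider reports denial or failure with ?error=... instead of ?code=...
  if (params.has("error")) throw new Error("provider error: " + params.get("error"));
  // Drop responses that do not belong to a flow this browser started (login CSRF).
  const state = params.get("state");
  if (!expectedState || state !== expectedState) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("missing authorization code");
  return {
    url: new URL(`/api/oauth/${provider}/callback`, apiBase).toString(),
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ code }),
    },
  };
}

// Step 4: map the documented responses to a result the UI can act on.
function interpretResponse(status, body) {
  if (status === 200) {
    // Assumption: an account flagged banned or disabled is not treated as signed in.
    if (body.banned || body.disabled) return { ok: false, reason: "account unavailable" };
    return { ok: true, user: body.user, token: body.token, refreshToken: body.refreshToken };
  }
  // 400 carries a message such as "GitHub account must have a verified primary email".
  if (status === 400) return { ok: false, reason: body.message };
  // Anything else, rate limiting included, is reported without parsing the body.
  return { ok: false, reason: "unexpected status " + status };
}

// Wires both halves together; `fetchImpl` defaults to the platform fetch.
async function completeSignIn(provider, redirectUrl, expectedState, apiBase, fetchImpl = fetch) {
  const { url, init } = buildCallbackRequest(provider, redirectUrl, expectedState, apiBase);
  const res = await fetchImpl(url, init);
  const body = res.status === 200 || res.status === 400 ? await res.json() : null;
  return interpretResponse(res.status, body);
}
```

Clear the stored `state` after one use so a replayed redirect URL fails the check.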