
Overview

Repolyze uses NextAuth.js with OAuth providers to securely authenticate users. No passwords are stored—authentication is handled by trusted third-party providers.
Authentication unlocks higher daily analysis limits, export features, and Pro-tier capabilities like AI Insights and Data Flow diagrams.

Supported Providers

Repolyze supports two OAuth providers for seamless sign-in:

GitHub OAuth

Sign in with GitHub

Authenticate using your GitHub account. Perfect for developers who want to analyze repositories and create issues directly.
Why GitHub?
  • Integrates with GitHub issue creation
  • Familiar to developers
  • Single sign-on for developer tools

Google OAuth

Sign in with Google

Authenticate using your Google account. Ideal for users who prefer Google’s authentication system.
Why Google?
  • Wide adoption across platforms
  • Secure OAuth 2.0 implementation
  • Easy access from any device
Both providers offer the same features and rate limits. Choose whichever you prefer!

How Authentication Works

Repolyze implements a database-backed session strategy for security and reliability:

Authentication Flow

Technical Implementation

Repolyze uses NextAuth.js v5 with the Prisma adapter:
import NextAuth from "next-auth";
import GitHub from "next-auth/providers/github";
import Google from "next-auth/providers/google";
import { PrismaAdapter } from "@auth/prisma-adapter";
import { prisma } from "@/lib/prisma";

export const { handlers, auth, signIn, signOut } = NextAuth({
  // Trust the incoming Host header when building callback URLs (equivalent to
  // AUTH_TRUST_HOST=true). Needed off Vercel; keep it only where the reverse
  // proxy in front of the app is the one setting Host.
  trustHost: true,
  // User, Account and Session rows live in PostgreSQL via Prisma.
  adapter: PrismaAdapter(prisma),
  providers: [
    GitHub({
      clientId: process.env.AUTH_GITHUB_ID,
      clientSecret: process.env.AUTH_GITHUB_SECRET,
    }),
    Google({
      clientId: process.env.AUTH_GOOGLE_ID,
      clientSecret: process.env.AUTH_GOOGLE_SECRET,
    }),
  ],
  pages: {
    signIn: "/login", // custom sign-in page instead of the built-in one
  },
  session: {
    // Opaque random token in the cookie; the session itself is a database row,
    // so it can be revoked server-side (unlike a self-contained JWT).
    strategy: "database",
  },
  callbacks: {
    // With the database strategy the adapter's User row is passed in; copy its
    // id onto the session so route handlers can authorize by user, not by email.
    async session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
      }
      return session;
    },
  },
});

Session Management

Database-Backed Sessions

Repolyze stores sessions in PostgreSQL for security and persistence:
  • Session Token: A random, opaque identifier stored in an HttpOnly, SameSite=Lax cookie (Secure over HTTPS, the Auth.js defaults). It is a lookup key for the session row, not encoded user data.
  • Expiration: Sessions last 30 days. While a session is in use its expiry is slid forward (at most once every 24 hours, the Auth.js default), so only 30 days without any request signs you out.
  • User ID: Links the session row to the User record used for plan and rate limit checks
Session data lives only on the server. The client holds nothing but the opaque token; it cannot read or decode user data from the cookie, and deleting the session row revokes the token immediately.

Checking Authentication Status

In API routes and server components:
import { auth } from "@/lib/auth";

// A Route Handler; the same auth() call works in Server Components.
export async function GET() {
  const session = await auth();
  
  // No session, an expired session, or a session without a resolved user
  // are all treated the same way: unauthenticated.
  if (!session?.user?.id) {
    return Response.json({ error: "Unauthorized" }, { status: 401 });
  }
  
  // User is authenticated; authorize by the database user id, not by email
  const userId = session.user.id;
  // ...
}

Account Lifecycle

First Sign-In

When you sign in for the first time:
  1. OAuth Consent: Approve access from GitHub/Google
  2. Account Creation: Repolyze creates a User record plus a linked Account record for the provider in the database
  3. Plan Assignment: You’re assigned the Free plan by default
  4. Session Created: A session row is generated and its token set in the cookie
  5. Redirect: You’re redirected to the dashboard
Your email address is stored for subscription management but is never shared with third parties.

Subsequent Sign-Ins

Returning users:
  1. OAuth Verification: Verify identity with provider
  2. Account Lookup: Match the provider account (provider plus provider account ID) to your existing User record
  3. Session Refresh: Issue a new session token and store a new session row
  4. Plan Check: Verify current plan and expiration
  5. Redirect: Return to dashboard

Account Deletion

To delete your account:
  1. Sign in to your Repolyze account
  2. Navigate to Settings → Account
  3. Click Delete Account
  4. Confirm deletion
Deleting your account is permanent and will:
  • Remove all analysis history
  • Cancel any active Pro subscription
  • Invalidate all sessions
  • Delete all personal data from our database
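The Session Management, Account Lifecycle and Account Deletion sections above describe what the Prisma adapter and the database session strategy do on Repolyze's behalf. The following is an added example, not Repolyze's or Auth.js's code: an in-memory model of the User, Account and Session tables with first sign-in, repeat sign-in, session lookup with sliding expiry, and account deletion. The 30-day lifetime and 24-hour refresh interval are assumptions modelled on Auth.js defaults; all names are illustrative.

```typescript
// Added example (not Repolyze's or Auth.js's code): an in-memory model of the
// User / Account / Session tables the Prisma adapter manages, with the
// database-session behaviour described above. The 30-day lifetime and the
// 24-hour refresh interval are assumptions modelled on Auth.js defaults.
import { randomUUID } from "node:crypto";

const MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000; // session lifetime
const UPDATE_AGE_MS = 24 * 60 * 60 * 1000;   // slide expiry at most this often

type Plan = "free" | "pro";
interface User { id: string; email: string; name: string; plan: Plan; }
interface Account { provider: string; providerAccountId: string; userId: string; }
interface Session { userId: string; expires: number; updatedAt: number; }

export const db = {
  users: new Map<string, User>(),       // key: user id
  accounts: new Map<string, Account>(), // key: `${provider}:${providerAccountId}`
  sessions: new Map<string, Session>(), // key: the opaque session token
};

// OAuth sign-in as the adapter performs it. First sign-in: create the User (Free
// plan) and link the provider Account. Later sign-ins: reuse the linked User.
// Either way a fresh random session token is issued; user data stays in db.
export function signInWithOAuth(
  provider: string,
  profile: { providerAccountId: string; email: string; name: string },
  now: number = Date.now(),
): { sessionToken: string; user: User } {
  const key = `${provider}:${profile.providerAccountId}`;
  const linked = db.accounts.get(key);
  let user = linked ? db.users.get(linked.userId) : undefined;
  if (!user) {
    user = { id: randomUUID(), email: profile.email, name: profile.name, plan: "free" };
    db.users.set(user.id, user);
    db.accounts.set(key, { provider, providerAccountId: profile.providerAccountId, userId: user.id });
  }
  const sessionToken = randomUUID(); // lookup key only: carries no user data
  db.sessions.set(sessionToken, { userId: user.id, expires: now + MAX_AGE_MS, updatedAt: now });
  return { sessionToken, user };
}

// What auth() does for the "database" strategy: resolve the cookie value to a
// session row, drop it if expired, and extend the expiry while it is in use so
// only 30 days without any request signs the user out.
export function getSession(
  sessionToken: string,
  now: number = Date.now(),
): { user: User; expires: number } | null {
  const s = db.sessions.get(sessionToken);
  if (!s) return null;                       // unknown or already revoked token
  if (s.expires <= now) {                    // expired: clean up, treat as signed out
    db.sessions.delete(sessionToken);
    return null;
  }
  if (now - s.updatedAt >= UPDATE_AGE_MS) {  // sliding expiration
    s.expires = now + MAX_AGE_MS;
    s.updatedAt = now;
  }
  const user = db.users.get(s.userId);
  return user ? { user, expires: s.expires } : null;
}

// Account deletion: revoke every session for the user (all devices signed out),
// unlink provider accounts, then delete the User row. Returns sessions revoked.
export function deleteAccount(userId: string): number {
  let revoked = 0;
  db.sessions.forEach((s, token) => {
    if (s.userId === userId) { db.sessions.delete(token); revoked++; }
  });
  db.accounts.forEach((a, key) => {
    if (a.userId === userId) db.accounts.delete(key);
  });
  db.users.delete(userId);
  return revoked;
}
```

The property worth noticing is revocation: because the cookie is only a key, deleting the row (as deleteAccount does) ends the session on every device at once. With the jwt strategy the cookie itself carries the signed claims, so a session cannot be ended before its expiry without extra server-side state.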

Security Features

Data Protection

  • OAuth Only: No passwords stored on Repolyze servers
  • Encrypted Tokens: All tokens are encrypted at rest
  • HTTPS Required: All authentication flows use TLS 1.3
  • CSRF Protection: Auth.js validates a double-submit CSRF token on every POST to /api/auth/* (sign-in, sign-out), so a cross-site page cannot start or end a session for you
  • Session Expiration: Automatic cleanup of expired sessions
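To make the CSRF bullet concrete, here is an added example (not Auth.js's or Repolyze's code) of the double-submit cookie check in the form Auth.js uses: the cookie holds the token and a hash of the token with the server secret, and a POST is accepted only if the body carries the same token. Function names and the secret are illustrative.

```typescript
// Added example (not Auth.js's or Repolyze's code): the double-submit CSRF
// check applied to POST /api/auth/* actions, reduced to its essentials.
// Cookie value = `${token}|${sha256(token + secret)}`; the POST body must
// carry the same token. Names and the secret here are illustrative.
import { createHash, randomUUID, timingSafeEqual } from "node:crypto";

function hashToken(token: string, secret: string): string {
  return createHash("sha256").update(token + secret).digest("hex");
}

function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Issued on first contact: the cookie goes back to the browser (HttpOnly,
// SameSite=Lax) and the bare token is handed to the page so it can post it.
export function issueCsrfCookie(secret: string): { cookie: string; csrfToken: string } {
  const csrfToken = randomUUID();
  return { cookie: `${csrfToken}|${hashToken(csrfToken, secret)}`, csrfToken };
}

// Verification on POST. Two checks: the cookie must be one this server minted
// (hash part matches), and the body token must equal the cookie token. A
// cross-site attacker can trigger the POST but cannot read the cookie, so it
// cannot supply a matching body token.
export function verifyCsrf(
  cookie: string | undefined,
  bodyToken: string | undefined,
  secret: string,
): boolean {
  if (!cookie || !bodyToken) return false;
  const [cookieToken, cookieHash] = cookie.split("|");
  if (!cookieToken || !cookieHash) return false;     // malformed cookie
  if (!constantTimeEqual(hashToken(cookieToken, secret), cookieHash)) {
    return false;                                     // forged or tampered cookie
  }
  return constantTimeEqual(cookieToken, bodyToken);   // double-submit match
}
```

The hash part is what stops an attacker from planting their own cookie value and posting the matching token: without the server secret they cannot produce a cookie the server will accept. SameSite=Lax on the cookie is an independent second layer against cross-site POSTs.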

Provider Permissions

Repolyze requests minimal permissions:
Provider   Scope                   Purpose
GitHub     user:email              Get email address for account creation
GitHub     read:user               Get profile name and avatar
Google     openid email profile    Get email, name, and avatar
Repolyze never requests access to your repositories or private data. We only need basic profile information.

Environment Variables

For self-hosting or development, configure these OAuth credentials:
.env.example
# NextAuth
AUTH_SECRET=your-auth-secret-here  # Generate with: npx auth secret

# GitHub OAuth (https://github.com/settings/developers)
AUTH_GITHUB_ID=your-github-oauth-client-id
AUTH_GITHUB_SECRET=your-github-oauth-client-secret

# Google OAuth (https://console.cloud.google.com/apis/credentials)
AUTH_GOOGLE_ID=your-google-client-id
AUTH_GOOGLE_SECRET=your-google-client-secret
See Development Guide for detailed setup instructions.

Troubleshooting

This error occurs when AUTH_GITHUB_ID or AUTH_GITHUB_SECRET are not set in your .env file.
Solution: Create a GitHub OAuth app and add credentials to .env.

This error occurs when AUTH_GOOGLE_ID or AUTH_GOOGLE_SECRET are not set.
Solution: Create a Google OAuth client and add credentials to .env.

Sessions expire after 30 days of inactivity. You’ll need to sign in again.

Yes. Repolyze uses industry-standard OAuth 2.0, encrypts all tokens, and stores sessions securely in PostgreSQL. We never store passwords.

API Reference

Authentication Endpoints

Endpoint                        Method   Description
/api/auth/signin                GET      Sign-in page; with pages.signIn set, redirects to /login
/api/auth/signin/:provider      POST     Start the OAuth flow for a provider (CSRF token required)
/api/auth/callback/:provider    GET      OAuth callback handler
/api/auth/signout               POST     Sign out and invalidate session (CSRF token required)
/api/auth/session               GET      Get current session

Usage in Code

// Server-side helpers exported from the NextAuth() call: use them in Server
// Components, Route Handlers and Server Actions. Client Components use the
// signIn/signOut from "next-auth/react" instead.
import { auth, signIn, signOut } from "@/lib/auth";

// Check authentication (null when there is no valid session)
const session = await auth();

// Sign in: redirects the user to the provider's OAuth consent screen
await signIn("github");

// Sign out: deletes the session row, so the cookie's token is no longer valid
await signOut();

Next Steps

Plans & Pricing

Upgrade to Pro for higher limits

Rate Limits

Understand daily analysis quotas
