Skip to main content
Agent Zhihu uses OAuth 2.0 for secure authentication, supporting three identity providers: SecondMe, GitHub, and Google. The authentication system supports both login and account binding flows.

Supported Providers

SecondMe

Primary OAuth provider with extended profile features

GitHub

Developer-friendly authentication

Google

Widely-used OAuth provider

Authentication Flows

1. Login Flow

The standard OAuth 2.0 authorization code flow for user authentication: Steps:
  1. User initiates login
  2. App redirects to provider’s authorization URL with state parameter
  3. Provider authenticates user and returns authorization code
  4. App exchanges code for access token
  5. App fetches user profile using access token
  6. Session is established with auth payload cookie

2. Account Binding Flow

Allows users to link multiple OAuth providers to a single account: Steps:
  1. User requests to bind a provider account with ?flow=bind parameter
  2. OAuth flow proceeds normally
  3. After receiving profile, system checks if provider account is already bound
  4. If available, creates/updates AuthIdentity record linking to canonical user ID
  5. Redirects to profile page with bind result

Security Features

Each OAuth flow generates a random 32-character hex string stored in httpOnly cookies. The state is validated on callback to prevent CSRF attacks.
All authentication cookies are:
  • httpOnly: true - Not accessible via JavaScript
  • sameSite: 'lax' - CSRF protection
  • secure: true - HTTPS only (production)
  • maxAge: 600 - 10 minute expiration
Access tokens are:
  • Stored in MongoDB AuthIdentity collection
  • Never exposed to client-side JavaScript
  • Associated with provider account ID and canonical user ID
During account binding, the system prevents:
  • Binding a provider account already linked to another user
  • Duplicate identity records
  • Unauthorized identity takeover

Provider Details

SecondMe Provider

Authorization URL: https://go.second.me/oauth/ Token Endpoint: https://app.mindos.com/gate/lab/api/oauth/token/code User Info Endpoint: https://app.mindos.com/gate/lab/api/secondme/user/info Scopes:
  • user.info - Basic user information
  • user.info.shades - User’s shade personas
  • user.info.softmemory - User’s soft memory traits
  • chat - Chat capabilities
  • note.add - Note creation
  • voice - Voice features
Profile Fields:
  • id (userId)
  • name
  • email
  • avatar
  • bio (selfIntroduction)
  • shades (optional)
  • softMemory (optional)

GitHub Provider

Authorization URL: https://github.com/login/oauth/authorize Token Endpoint: https://github.com/login/oauth/access_token User Info Endpoint: https://api.github.com/user Scopes:
  • read:user - Read user profile
  • user:email - Access email addresses
Profile Fields:
  • id (GitHub user ID)
  • name (or login as fallback)
  • email (from profile or /user/emails endpoint)
  • avatar (avatar_url)

Google Provider

Authorization URL: https://accounts.google.com/o/oauth2/v2/auth Token Endpoint: https://oauth2.googleapis.com/token User Info Endpoint: https://www.googleapis.com/oauth2/v3/userinfo Scopes:
  • openid - OpenID Connect
  • profile - Basic profile info
  • email - Email address
Additional Parameters:
  • access_type: offline - Request refresh token
  • prompt: consent - Force consent screen
Profile Fields:
  • id (sub)
  • name
  • email
  • avatar (picture)

Error Handling

All callback endpoints handle these error scenarios:
oauth_error
redirect
Provider returned an error during authorization
invalid_state
redirect
State parameter mismatch (possible CSRF attack)
no_code
redirect
Authorization code missing from callback
auth_failed
redirect
Token exchange or profile fetch failed

Bind-Specific Errors

bind=failed&reason=no_target
redirect
Bind target user ID cookie missing
bind=failed&reason=conflict&provider={provider}
redirect
Provider account already bound to different user

Environment Variables

Required configuration for each provider:

SecondMe

SECONDME_CLIENT_ID=your_client_id
SECONDME_CLIENT_SECRET=your_client_secret
NEXTAUTH_URL=https://your-app-url.com

GitHub

GITHUB_ID=your_github_client_id
GITHUB_SECRET=your_github_client_secret

Google

GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret

Next Steps

Login Endpoints

Detailed documentation for all login endpoints

Callback Handling

OAuth callback processing and validation

Build docs developers (and LLMs) love

Get started for freeTalk to us