Hayon supports Google OAuth 2.0 for user authentication. The flow is redirect-based — the user is sent to Google’s authorization page and returned to the app after granting consent.

How the flow works

1. Initiate the login

Direct the user’s browser to GET /api/auth/google. The server redirects to Google’s OAuth consent page, requesting access to the user’s profile and email scopes.

2. User grants consent

The user logs in to their Google account and approves the requested permissions.

3. Google redirects back

Google redirects the browser to GET /api/auth/google/callback with an authorization code. The server exchanges the code for user profile data using Passport.js.

4. Tokens issued

The server creates a device session, generates a JWT access token and a refresh token, and sets the refreshToken httpOnly cookie. The browser is then redirected to the frontend callback URL with the access token in the URL fragment:

https://<frontend>/auth/callback#accessToken=<access_token>

Read the token from window.location.hash and store it securely in memory.

Endpoints

Initiate Google login

GET /api/auth/google
Authentication: None required

This is a browser navigation endpoint, not a JSON API call. Open it in the browser or redirect the user to it:
curl -L http://localhost:5000/api/auth/google
# Redirects to Google's OAuth consent page
In a frontend application, navigate the user directly:
window.location.href = 'http://localhost:5000/api/auth/google';

OAuth callback

GET /api/auth/google/callback
Authentication: None required (handled by Google)

This endpoint is the OAuth redirect URI registered with Google. Do not call it directly — Google redirects the user here automatically after consent. On success, the user is redirected to:
<FRONTEND_URL>/auth/callback#accessToken=<access_token>
On failure, the user is redirected to:
<FRONTEND_URL>/login?error=google_auth_failed

Error handling

Error query parameter    Cause
google_auth_failed       Google returned an error, the OAuth flow failed, or the user object was invalid
Errors are communicated as query parameters on the frontend redirect URL, not as JSON API responses, since this is a browser-based redirect flow.

After successful OAuth

Once the user completes the flow:
  • A new device session is created and stored.
  • A refresh token (7-day expiry) is set as an httpOnly cookie.
  • An access token is passed in the URL fragment to the frontend callback page.
  • Subsequent API requests work identically to password-based login — use the access token in the Authorization: Bearer header and refresh it via POST /api/auth/refresh when it expires.
If the Google account email matches an existing Hayon account, the user is authenticated into that account. If no account exists, a new one is created automatically.
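The following is an added example, not code from the Hayon project, showing the browser side of the flow described in step 4 and in the list above: reading the access token out of the /auth/callback fragment and keeping it in memory, recognising the /login?error=google_auth_failed redirect, and sending the token as a Bearer header with a single refresh-and-retry through POST /api/auth/refresh. Two details are assumptions not stated on this page: an expired access token is rejected with HTTP 401, and the refresh endpoint answers with JSON of the form { accessToken: "<new token>" }. The parseAuthCallback, createTokenStore, handleAuthCallback and createApiClient names are the example's own.

```javascript
// Added example, not code from the Hayon project: a browser-side client for
// the Google OAuth redirect flow. Assumptions not stated in the docs: an
// expired access token is rejected with HTTP 401, and POST /api/auth/refresh
// responds with JSON { accessToken: "<new token>" }.

// Parse either redirect target produced by the server:
//   success: https://<frontend>/auth/callback#accessToken=<access_token>
//   failure: https://<frontend>/login?error=google_auth_failed
function parseAuthCallback(href) {
  const url = new URL(href);
  const error = url.searchParams.get('error');
  if (error !== null) {
    return { ok: false, error };
  }
  // The fragment is never sent to any server, which is why the token is
  // placed there; URLSearchParams parses it once the leading '#' is removed.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const accessToken = fragment.get('accessToken');
  if (!accessToken) {
    return { ok: false, error: 'missing_access_token' };
  }
  return { ok: true, accessToken };
}

// In-memory token holder. Deliberately not localStorage/sessionStorage: a
// closure variable cannot be enumerated by injected scripts the way web
// storage can, and losing it on reload is fine because the httpOnly refresh
// cookie re-establishes the session.
function createTokenStore() {
  let token = null;
  return {
    get: () => token,
    set: (value) => { token = value; },
    clear: () => { token = null; },
  };
}

// Run on the /auth/callback page. `win` defaults to the real window; it is a
// parameter only so the function can be exercised outside a browser.
function handleAuthCallback(store, win = globalThis.window) {
  const result = parseAuthCallback(win.location.href);
  if (result.ok) {
    store.set(result.accessToken);
    // Scrub the token from the address bar and the history entry so it does
    // not linger in browser history or get copied along with the URL.
    win.history.replaceState(null, '', win.location.pathname + win.location.search);
  }
  return result;
}

// API client: Bearer header on every call, one refresh-and-retry on 401.
function createApiClient({ baseUrl, store, fetchImpl = globalThis.fetch }) {
  async function refresh() {
    // The refresh token is in an httpOnly cookie, so the browser attaches it;
    // credentials: 'include' ensures that also happens for a cross-origin API.
    const res = await fetchImpl(`${baseUrl}/api/auth/refresh`, {
      method: 'POST',
      credentials: 'include',
    });
    if (!res.ok) {
      store.clear(); // session is gone; the caller should send the user to /login
      return false;
    }
    const body = await res.json();
    store.set(body.accessToken);
    return true;
  }

  async function request(path, init = {}) {
    const send = () =>
      fetchImpl(`${baseUrl}${path}`, {
        ...init,
        headers: { ...(init.headers || {}), Authorization: `Bearer ${store.get()}` },
      });
    let res = await send();
    if (res.status === 401 && (await refresh())) {
      res = await send(); // retry exactly once with the fresh token
    }
    return res;
  }

  return { request, refresh };
}
```

In a real page, call handleAuthCallback(store) once on /auth/callback and hand the same store to createApiClient; because the token is never written to web storage, a reload falls back to the refresh path, which is exactly what the 7-day httpOnly refresh cookie is for.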
