GET /auth/google/login
curl -X GET "https://api.chronos.app/auth/google/login" \
  -H "Accept: application/json"
{
  "redirectUrl": "https://accounts.google.com/o/oauth2/v2/auth?client_id=...&redirect_uri=...&scope=https://www.googleapis.com/auth/calendar+https://www.googleapis.com/auth/calendar.events&access_type=offline&prompt=consent&code_challenge=..."
}

Request

Query Parameters

redirectTo
string
Custom URL to redirect the user to after authentication completes. Must be in the configured allow list; any other value is rejected with 400 Bad Request. If not provided, defaults to {FRONTEND_URL}/auth/web/callback.

Response

redirectUrl
string
required
The Google OAuth authorization URL that the client should redirect the user to. This URL includes all necessary OAuth parameters, including:
  • Calendar API scopes (calendar and calendar.events)
  • PKCE code_challenge generated for this login attempt
  • access_type=offline to request a refresh token
  • prompt=consent to force the consent screen (Google otherwise returns a refresh token only on the user's first authorization)

Error Codes

400
error
Bad Request - The redirectTo parameter is not in the configured allow list
429
error
Rate Limit Exceeded - Too many authentication requests from this IP address

Rate Limits

This endpoint is rate-limited according to the RATE_LIMIT_AUTH configuration; requests over the limit receive 429. The rate limiter uses the client's IP address as the key, so behind a reverse proxy or load balancer the key must be derived from the forwarded client address, trusting only headers set by that proxy: otherwise every user shares the proxy's address, and a blindly trusted client-supplied X-Forwarded-For header would let a caller rotate keys at will.

Implementation Details

  • Uses Supabase Auth's sign_in_with_oauth method with the Google provider
  • Implements PKCE (Proof Key for Code Exchange, RFC 7636): a code_verifier is generated per login attempt and only its hash, the code_challenge, travels in the authorization URL
  • Requests offline access (access_type=offline) to obtain a refresh token
  • Forces the consent screen (prompt=consent) so users see and grant the calendar permissions, and so Google issues a refresh token even if the user authorized the app before
  • Validates redirectTo against the configured allow list

Security Notes

  • CSRF protection relies on PKCE rather than a state parameter, which RFC 9700 (OAuth 2.0 Security Best Current Practice) permits only when the code_verifier is bound to the browser session that started the login; the callback must therefore reject a code presented by a session that holds no pending verifier
  • Redirect URLs are strictly validated against the allow list to prevent open redirect vulnerabilities
  • All OAuth parameters are server-generated, so the client cannot tamper with the scopes, the redirect_uri or the PKCE challenge
  • The calendar scope grants full read/write access to all of the user's calendars and already includes what calendar.events permits; request only the scopes the application actually uses
Next Step: After the user authorizes on Google, they will be redirected to the callback URL with an authorization code. Use the Callback endpoint to exchange this code for session tokens.
Source: backend/app/routers/auth.py:117-141
