OAuth

Thogits supports OAuth sign-in with Google and Apple. These are browser-redirect flows — the user is redirected to the provider’s consent screen, then back to Thogits with an authorization code.

How OAuth Sign-In Works

1. Initiate: Your app redirects the browser to the OAuth start endpoint (e.g., GET /auth/oauth/google).
2. Provider consent: The server generates a PKCE code challenge and redirects the user to the provider’s authorization page.
3. Callback: After the user approves, the provider redirects back to the Thogits callback URL with an authorization code.
4. Code exchange: The server exchanges the code for tokens using the PKCE code verifier, verifies the identity, and creates or links the account.
5. Session: A session cookie is set and the user is redirected to the app.

Note

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. The server generates a random code_verifier, derives a code_challenge from it, and sends the challenge with the authorization request. On callback, the server proves it initiated the request by sending the original verifier.

Google

GET /auth/oauth/google

Initiates the Google OAuth flow. Redirect the user’s browser to this URL.

Auth required: No

# Open in browser — this is a redirect, not a JSON API call
open "https://app.thogits.com/api/auth/oauth/google"

The server redirects to Google’s consent screen with PKCE parameters. After the user approves, Google redirects back to the callback URL.

GET /auth/oauth/google/callback

Handles the OAuth callback from Google. This endpoint is called by Google’s redirect — not by your app directly.

Auth required: No

The server exchanges the authorization code for tokens, extracts the user’s email from the ID token, and either:

• Creates a new account if the email is not registered
• Links the Google provider to an existing account if the email matches
• Logs in if the provider is already linked

A session cookie is set and the user is redirected to the app.

---

Apple

GET /auth/oauth/apple

Initiates the Apple OAuth flow. Redirect the user’s browser to this URL.

Auth required: No

open "https://app.thogits.com/api/auth/oauth/apple"

POST /auth/oauth/apple/callback

Handles the OAuth callback from Apple. Apple uses a POST request for its callback (unlike Google’s GET).

Auth required: No

The behavior is the same as Google’s callback — the server exchanges the code, resolves the account, sets a session cookie, and redirects.

---

Unlinking a Provider

DELETE /auth/link/{provider}

Unlink an OAuth provider from the current account. The provider path parameter is either "google" or "apple".

Auth required: Yes

curl -X DELETE https://app.thogits.com/api/auth/link/google \
  -b cookies.txt -c cookies.txt

Response (200): The updated UserInfo object with the provider removed from oauth_providers.

Errors:

Status	Cause
400	Cannot unlink the only authentication method (must have a password or another provider)
404	Provider not linked to this account

Caution

You cannot unlink a provider if it is your only way to sign in. Ensure you have a password or another linked provider before unlinking.