Proliferate supports multiple authentication methods. Choose based on your needs:
| Method | Best For | Requires |
|---|---|---|
| GitHub OAuth | Teams using GitHub | GitHub OAuth App |
| Google OAuth | Google Workspace orgs | Google Cloud project |
| Email/Password | Air-gapped environments | Nothing extra |

GitHub OAuth

Step 1: Create GitHub OAuth App

  1. Go to GitHub Developer Settings
  2. Click New OAuth App
  3. Fill in:
    • Application name: Proliferate
    • Homepage URL: https://your-domain.com
    • Authorization callback URL: https://your-domain.com/api/auth/callback/github
  4. Click Register application

Step 2: Get credentials

Copy the Client ID and generate a new Client Secret

Step 3: Configure environment

GITHUB_OAUTH_APP_ID=your-client-id
GITHUB_OAUTH_APP_SECRET=your-client-secret

Step 4: Restart services

docker-compose down && docker-compose up -d

GitHub App (repo access)

For private repo access and GitHub‑based triggers, set up a GitHub App. See Self‑hosting → GitHub App for the full checklist (URLs, permissions, webhooks, and env vars).
Current behavior: GitHub App credentials are required unless NEXT_PUBLIC_USE_NANGO_GITHUB=true.

Google OAuth

Step 1: Create Google Cloud project

  1. Go to Google Cloud Console
  2. Create a new project or select an existing one
  3. Go to APIs & Services → Credentials

Step 2: Configure OAuth consent screen

  1. Click Configure Consent Screen
  2. Choose Internal (for Google Workspace) or External
  3. Fill in app name, support email, and authorized domains

Step 3: Create OAuth client

  1. Click Create Credentials → OAuth client ID
  2. Choose Web application
  3. Add authorized redirect URI: https://your-domain.com/api/auth/callback/google

Step 4: Configure environment

GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...

Step 5: Restart services

docker-compose down && docker-compose up -d

Email/Password Authentication

For environments without OAuth, Proliferate supports local email/password authentication.

Configuration

# Auth secrets (required)
BETTER_AUTH_SECRET=your-secret-here

# Optional: Email verification / invites
EMAIL_ENABLED=false
RESEND_API_KEY=re_...
EMAIL_FROM=[email protected]

Without Email Verification

If you don’t want email verification, set:
NEXT_PUBLIC_ENFORCE_EMAIL_VERIFICATION=false
If EMAIL_ENABLED=false and NEXT_PUBLIC_ENFORCE_EMAIL_VERIFICATION=false, email is disabled and Resend is not required.

With Email Verification

Configure Resend to require email verification:
  1. Sign up at resend.com
  2. Verify your domain
  3. Create an API key
  4. Add to .env:
    RESEND_API_KEY=re_...
    EMAIL_FROM=[email protected]
    

Multiple Providers

You can enable multiple authentication methods simultaneously:
# GitHub OAuth
GITHUB_OAUTH_APP_ID=...
GITHUB_OAUTH_APP_SECRET=...

# Google OAuth
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...

# Email/password is always available
Users will see all enabled options on the sign-in page. If you don’t configure any OAuth providers, the email/password form is still available.

Auth Secrets

These secrets are required for all authentication methods:
# Session encryption (generate with: openssl rand -base64 32)
BETTER_AUTH_SECRET=...

# Service-to-service auth (generate with: openssl rand -base64 32)
SERVICE_TO_SERVICE_AUTH_TOKEN=...

# User secrets encryption (generate with: openssl rand -hex 32)
USER_SECRETS_ENCRYPTION_KEY=...
Keep these secrets secure. If they are compromised, rotate them immediately; all users will need to sign in again.
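
To catch a placeholder or truncated value before restarting the stack, the following added example (not part of Proliferate's own tooling) checks an env file for the three secrets above. It assumes the values were generated with the openssl commands shown; the function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the three auth secrets in an env file.
# Assumption: values come from the openssl commands above, so the base64
# secrets are 44 characters (32 bytes) and the hex key is 64 hex digits.

# Print the value of variable $1 from file $2 (last assignment wins).
env_value() {
    sed -n "s/^$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Check one variable: $1=file, $2=name, $3=kind (base64|hex).
# Prints a finding, never the secret itself; returns 1 on failure.
check_secret() {
    val=$(env_value "$2" "$1")
    if [ -z "$val" ]; then
        echo "FAIL $2: missing or empty"; return 1
    fi
    case "$val" in
        *your-*|*...*)   # placeholders as printed in the documentation
            echo "FAIL $2: documentation placeholder"; return 1 ;;
    esac
    case "$3" in
        base64) pattern='^[A-Za-z0-9+/]{43}=$' ;;
        *)      pattern='^[0-9a-fA-F]{64}$' ;;
    esac
    if ! printf '%s\n' "$val" | grep -Eq "$pattern"; then
        echo "FAIL $2: not a 32-byte $3 value"; return 1
    fi
    echo "ok   $2"
}

# Check all three secrets in file $1; the return code is the failure count.
check_auth_secrets() {
    file=$1; failures=0
    check_secret "$file" BETTER_AUTH_SECRET base64 || failures=$((failures + 1))
    check_secret "$file" SERVICE_TO_SERVICE_AUTH_TOKEN base64 || failures=$((failures + 1))
    check_secret "$file" USER_SECRETS_ENCRYPTION_KEY hex || failures=$((failures + 1))
    # One value reused for two purposes means one leak exposes both.
    if [ "$failures" -eq 0 ] && [ "$(env_value BETTER_AUTH_SECRET "$file")" = \
            "$(env_value SERVICE_TO_SERVICE_AUTH_TOKEN "$file")" ]; then
        echo "FAIL SERVICE_TO_SERVICE_AUTH_TOKEN: same value as BETTER_AUTH_SECRET"
        failures=$((failures + 1))
    fi
    return "$failures"
}
# Usage: . ./check-auth-secrets.sh && check_auth_secrets .env
```

A return code of 0 means all three values have the expected shape and the two base64 secrets differ; it says nothing about whether a value has leaked.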

Troubleshooting

  • Verify the callback URL matches exactly (including trailing slashes)
  • Check that your domain is accessible from the internet
  • Ensure the OAuth app is not in development mode (Google)
  • Check docker-compose logs web for auth errors
  • Verify BETTER_AUTH_SECRET is set
  • Ensure the database is accessible
  • Verify RESEND_API_KEY is correct
  • Check that your domain is verified in Resend
  • Check docker-compose logs web for email errors