Welcome
This wizard walks you through enabling Sign in with Google on your regstack project. You'll register an OAuth 2.0 client in the Google Cloud Console, then paste the credentials back here. The wizard merges them into your regstack.toml and regstack.secrets.env without touching unrelated settings.
Allow about 5 minutes. You can use Back / Next at any time.
Detect existing configuration
No existing [oauth] table was found in regstack.toml. Click Next to begin.
An [oauth] table already exists in your config. Continuing will replace it. Existing user accounts that signed in with Google are unaffected — only the client credentials change.
Confirm the public base URL
Google needs to know where to redirect users after they sign in. The redirect URL is built from your application's public base URL.
Computed redirect URI:
—
Open the Google Cloud Console
Sign in to the Google Cloud Console and select (or create) a project to hold your OAuth client.
When a project is selected (its name appears in the top bar), come back and click Next.
Configure the OAuth consent screen
- In the Cloud Console, navigate to APIs & Services → OAuth consent screen.
- User Type = External.
- Fill in app name, user support email, and developer email.
- Save and continue. You can leave Scopes empty for now.
Testing mode is fine for small user counts; Publishing is not required.
Create an OAuth 2.0 Client ID
- Navigate to APIs & Services → Credentials.
- Click Create Credentials → OAuth client ID.
- Application type = Web application.
- Give it a name (e.g. "regstack").
Stop when you reach the Authorized redirect URIs box.
Add the redirect URI
In the Authorized redirect URIs section, click + Add URI and paste the URI below. Then click Create.
—
A modal pops up showing your client ID and client secret. Leave it open — you'll paste those values on the next step.
Paste the credentials
Stored in regstack.secrets.env with mode 0600.
Account-linking policy
When a user signs in with Google for the first time using an email address that already has a regstack account, regstack can either:
- Refuse (default). Safer — the user must sign in with their existing password and link the Google account from the account-management page.
- Auto-link verified emails. Smoother UX, but trusts Google's email_verified claim.
MFA on OAuth sign-in (optional)
When enabled, users with MFA configured will still be challenged for their MFA code after a successful Google sign-in.
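The two policy choices above (account linking and MFA on OAuth sign-in) can be read as one decision function. The sketch below is an added example, not regstack's own code: `Account`, `Outcome`, `decide` and the sample data are hypothetical, and it assumes the Google ID token's signature, issuer and audience have already been validated.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    SIGN_IN = "sign_in"
    CREATE_ACCOUNT = "create_account"
    LINK = "link"
    REFUSE_LINK = "refuse_link"

@dataclass
class Account:                      # hypothetical record, not regstack's schema
    email: str
    google_sub: Optional[str] = None
    mfa_enabled: bool = False

@dataclass
class Outcome:
    decision: Decision
    account: Optional[Account]
    mfa_required: bool = False

def decide(claims, accounts, auto_link=False, enforce_mfa=False):
    """Decide what to do with an already validated Google ID token."""
    def ok(decision, acct):
        return Outcome(decision, acct, enforce_mfa and acct.mfa_enabled)

    # Returning user: match on the stable `sub` claim, never on email.
    for acct in accounts:
        if acct.google_sub is not None and acct.google_sub == claims["sub"]:
            return ok(Decision.SIGN_IN, acct)

    email = str(claims.get("email") or "").strip().lower()
    existing = next((a for a in accounts if email and a.email.lower() == email), None)
    if existing is None:
        return Outcome(Decision.CREATE_ACCOUNT, None)

    # First Google sign-in for an email that already has an account.
    # Only boolean True passes; a missing claim or the string "true" fails closed,
    # and an account already bound to another Google identity is never re-linked.
    verified = claims.get("email_verified") is True
    if auto_link and verified and existing.google_sub is None:
        return ok(Decision.LINK, existing)
    return Outcome(Decision.REFUSE_LINK, existing)

# Constructed sample data.
ACCOUNTS = [Account("alice@example.com", mfa_enabled=True)]
CLAIMS = {"sub": "1001", "email": "Alice@Example.com", "email_verified": True}
```

With the default policy the constructed sample yields `REFUSE_LINK`; with auto-link and MFA enforcement both on, it yields `LINK` with `mfa_required` set.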
Review
| Redirect URI | — |
|---|---|
| Client ID | — |
| Client secret | — |
| Auto-link verified emails | — |
| Enforce MFA on OAuth | — |
Write the configuration
Click Write to merge the values into regstack.toml and regstack.secrets.env.
Done.
- Run regstack doctor to confirm the new configuration loads cleanly.
- Restart your application to pick up the changes.