OAuth
Google sign-in. Two endpoints — only the first is meant to be hit by
a browser (window.location = ...). The second is the redirect target
Google calls; your code should never invoke it directly.
| Method | Path | Caller |
|---|---|---|
| GET | /v1/auth/oauth/google/start | Browser navigation |
| GET | /v1/auth/oauth/google/callback | Google (server-to-browser redirect) |
GET /v1/auth/oauth/google/start
Begins the OAuth flow. Generates a CSRF state token, sets it in an
HttpOnly cookie (oligon_oauth_state), then 302-redirects the
browser to Google's consent screen with scope=openid email profile.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
| next | string | no | Path on the portal to land on after success. Defaults to /dashboard. Must start with /. |
```html
<a href="https://api.receipts.oligontech.com/v1/auth/oauth/google/start?next=/settings">
  Sign in with Google
</a>
```
Errors
| Status | Code | Cause |
|---|---|---|
| 400 | validation_error | Google OAuth not configured (GOOGLE_CLIENT_ID / secret missing on the server). |
GET /v1/auth/oauth/google/callback
Google redirects here with `?code=...&state=...`. The server:
- Validates `state` against the cookie.
- Exchanges `code` for a Google access token.
- Fetches the user profile (`/oauth2/v3/userinfo`).
- Upserts a `User` (by `google_sub`, then by `email`).
- If the user has no membership, creates an `Org` + `Subscription` + owner `Membership` on the fly.
- Sets `oligon_access` and `oligon_refresh` cookies.
- 302-redirects to `PORTAL_BASE_URL` + `next` (defaults to `/dashboard`).
Errors
| Status | Code | Cause |
|---|---|---|
| 401 | authentication_failed | state mismatch, Google email not verified, or missing profile fields. |
| 502 | external_service_error | Token exchange or userinfo call to Google failed. |
There is no JSON response — the endpoint always either redirects or raises an error envelope.
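The state-cookie and `next` handling that the start and callback endpoints above describe, as an added stdlib-only example (not the service's own code). The endpoint paths, cookie name, scope and default path come from the page; the Google authorization URL, the function names and the choice to carry `next` inside the state cookie are assumptions for illustration.

```python
# Added example, not the Oligon service's own implementation.
# Assumed: Google's authorization endpoint URL and that `next` is stored
# alongside the state in the cookie so the callback never trusts it from the URL.
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # assumed
STATE_COOKIE = "oligon_oauth_state"  # cookie name from the page


def safe_next(next_path: Optional[str]) -> str:
    """Return a portal-local path or the default /dashboard.
    Stricter than the documented "must start with /": protocol-relative
    "//host" values and backslashes are also rejected (open-redirect hardening)."""
    if not next_path:
        return "/dashboard"
    if not next_path.startswith("/") or next_path.startswith("//") or "\\" in next_path:
        raise ValueError("next must be a local path")
    return next_path


def build_start_redirect(client_id: str, redirect_uri: str,
                         next_path: Optional[str]) -> Tuple[str, str]:
    """GET /start: returns (Location header value, Set-Cookie header value)."""
    state = secrets.token_urlsafe(32)  # unguessable per-flow CSRF token
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
    }
    location = f"{GOOGLE_AUTH_URL}?{urlencode(params)}"
    # SameSite=Lax (not Strict): the callback is a top-level GET navigation from
    # Google, and Strict would withhold the cookie on that cross-site redirect.
    cookie = (f"{STATE_COOKIE}={state}|{safe_next(next_path)}; "
              "HttpOnly; Secure; SameSite=Lax; Path=/v1/auth/oauth/google")
    return location, cookie


def validate_callback(query_state: Optional[str], cookie_value: Optional[str],
                      portal_base_url: str) -> Optional[str]:
    """GET /callback: check state; return the post-login redirect, or None (401)."""
    if not cookie_value or "|" not in cookie_value:
        return None  # no cookie: flow was not started by this browser
    expected, next_path = cookie_value.split("|", 1)
    if not hmac.compare_digest(expected, query_state or ""):
        return None  # state mismatch -> authentication_failed
    return portal_base_url + next_path
```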