EdgeSpark keeps auth configuration in configs/auth-config.yaml. This file controls sign-up policy, session behavior, email/password auth, and which OAuth providers are enabled.

Pull, inspect, and apply config

Start from the live project config:
edgespark auth pull
edgespark auth get
Edit configs/auth-config.yaml, then apply it:
edgespark auth apply
edgespark deploy
Use edgespark auth get --json when you want the current applied config in machine-readable form.

Typical development flow

When you change auth configuration, use this order:
  1. Run edgespark auth pull if you want to start from the current live config.
  2. Edit configs/auth-config.yaml.
  3. If you are enabling a social OAuth provider, prepare the provider app, redirect URLs, client ID var, and secret first.
  4. Run edgespark auth apply.
  5. Run edgespark deploy so your app uses the updated auth behavior.
For OAuth providers, that usually means:
  • set the client ID with edgespark var set ...
  • set the client secret with edgespark secret set ...
  • reference those keys from configs/auth-config.yaml

Example config

configs/auth-config.yaml
# yaml-language-server: $schema=https://schemas.edgespark.dev/v1/auth-config.schema.json

disableSignUp: false

session:
  expiresIn: 604800
  updateAge: 86400
  disableSessionRefresh: false

providerEmailPassword:
  enabled: true
  config:
    minPasswordLength: 10
    requireEmailVerification: true
    requirePasswordResetEmailVerification: true
    revokeSessionsOnPasswordReset: true

providerGoogle:
  enabled: true
  config:
    clientIdVarRef: GOOGLE_CLIENT_ID
    clientSecretRef: GOOGLE_CLIENT_SECRET

providerGithub:
  enabled: true
  config:
    clientIdVarRef: GITHUB_CLIENT_ID
    clientSecretRef: GITHUB_CLIENT_SECRET

What each section controls

| Field | What it does |
| --- | --- |
| disableSignUp | Turns off new account creation globally |
| session.expiresIn | Sets session lifetime in seconds |
| session.updateAge | Controls how often active sessions refresh |
| session.disableSessionRefresh | Disables automatic session refresh |
| providerEmailPassword.enabled | Enables email/password login |
| providerEmailPassword.config.* | Controls password length, email verification, and password reset behavior |
| provider<Provider>.enabled | Enables an OAuth provider |
| provider<Provider>.config | Points the provider at the required client ID and secret inputs |

Keep OAuth values out of the YAML file

For step-by-step walkthroughs of creating the provider OAuth app, entering the callback URL, and storing the client ID and secret for each of Google, GitHub, GitLab, and Discord, see add social OAuth login. configs/auth-config.yaml can reference vars and secrets, but it should not contain sensitive secret values. For OAuth providers:
| Provider | Client ID var key | Secret key | Extra config |
| --- | --- | --- | --- |
| Google | GOOGLE_CLIENT_ID | GOOGLE_CLIENT_SECRET | None |
| GitHub | GITHUB_CLIENT_ID | GITHUB_CLIENT_SECRET | None |
| GitLab | GITLAB_CLIENT_ID | GITLAB_CLIENT_SECRET | None |
| Discord | DISCORD_CLIENT_ID | DISCORD_CLIENT_SECRET | None |
Set those inputs with the CLI:
edgespark var set GOOGLE_CLIENT_ID=your-client-id
edgespark secret set GOOGLE_CLIENT_SECRET
When you run edgespark secret set, the secret value never goes through terminal output, agent context, or third-party LLM APIs such as Anthropic, Google, or OpenAI. EdgeSpark opens a secure browser URL so the human owner can enter the value directly.
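
A pre-commit style check for the rule in this section and for the wrong-ref-name case under Troubleshooting, given here as an added example that is not part of the EdgeSpark docs or CLI. The function name lintAuthConfig and the rule names are hypothetical, and the expected ref name is derived by upper-casing the part of the section key after "provider".

```javascript
// Added example, not EdgeSpark code. Assumes the two-space-indented shape of the
// example config, so a line scanner is enough and no YAML library is needed.
const FIXED_REF_PROVIDERS = ["GOOGLE", "GITHUB", "GITLAB", "DISCORD"];

function lintAuthConfig(yamlText) {
  const findings = []; // findings never echo the value, so a leaked secret is not re-logged
  let section = null;  // current top-level key, e.g. "providerGoogle"
  yamlText.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.replace(/\s+#.*$/, "").match(/^(\s*)([A-Za-z0-9_]+):\s*(.*)$/);
    if (!m) return; // blank lines, comments, anything that is not "key: value"
    const [, indent, key, rawValue] = m;
    const value = rawValue.trim().replace(/^["']|["']$/g, "");
    if (indent.length === 0) { section = key; return; }
    const isRef = key === "clientIdVarRef" || key === "clientSecretRef";
    // Rule 1: a secret-looking key must be a reference, never an inline value.
    if (/secret/i.test(key) && !isRef && value) {
      findings.push({ line: i + 1, rule: "inline-secret", key });
    }
    if (!isRef) return;
    // Rule 2: a ref holds a var or secret key name, not the credential itself.
    if (!/^[A-Z][A-Z0-9_]*$/.test(value)) {
      findings.push({ line: i + 1, rule: "ref-not-a-key-name", key });
      return;
    }
    // Rule 3: for the four providers in the table the ref name is fixed.
    const provider = (section || "").replace(/^provider/, "").toUpperCase();
    const suffix = key === "clientIdVarRef" ? "_CLIENT_ID" : "_CLIENT_SECRET";
    if (FIXED_REF_PROVIDERS.includes(provider) && value !== provider + suffix) {
      findings.push({ line: i + 1, rule: "wrong-fixed-ref", key, expected: provider + suffix });
    }
  });
  return findings;
}

// Constructed sample with three deliberate mistakes (values are made up).
const SAMPLE = [
  "providerGoogle:",
  "  enabled: true",
  "  config:",
  "    clientIdVarRef: GOOGLE_CLIENT_ID",
  "    clientSecretRef: constructed-Not-A-Real-Secret",
  "providerGithub:",
  "  enabled: true",
  "  config:",
  "    clientIdVarRef: GITHUB_CLIENT_ID",
  "    clientSecretRef: GITHUB_SECRET",
  "    clientSecret: constructed-inline-value",
].join("\n");

console.log(lintAuthConfig(SAMPLE));
```

Run it over configs/auth-config.yaml before committing or before edgespark auth apply; an empty result means every ref is a key name and none of the four listed providers uses a non-standard one.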

How this affects your frontend

The managed auth UI in @edgespark/web reads the applied config automatically. After you apply and deploy:
  • enabled OAuth providers appear automatically
  • disabled providers disappear
  • sign-up availability follows disableSignUp
  • verification and password-reset flows follow the email/password config
That lets you keep auth policy in one file instead of hard-coding it into your frontend.

Troubleshooting

  • If edgespark auth apply fails, check for unknown fields or for ref names that do not match the fixed names, such as GOOGLE_CLIENT_SECRET.
  • If validation errors mention unsupported or newer fields, compare your file against https://schemas.edgespark.dev/v1/auth-config.schema.json and update the CLI with npm update -g @edgespark/cli.
  • If a provider is enabled but login still fails, make sure both the var and secret exist in the target environment.
  • If the UI still shows old provider settings, deploy after applying the config.

See also

Build auth UI

Use the managed @edgespark/web auth UI so provider and sign-up settings flow straight from project config.

Development workflow

See where auth config fits into the repo-based loop for schema, storage, vars, secrets, and deploys.
Last modified on April 16, 2026