# Manage EdgeSpark auth configuration

> Configure EdgeSpark auth providers, session settings, sign-up policy, vars, and secret refs through configs/auth-config.yaml.

EdgeSpark keeps auth configuration in `configs/auth-config.yaml`. This file controls sign-up policy, session behavior, email/password auth, and which OAuth providers are enabled.

## Pull, inspect, and apply config

Start from the live project config:

```bash
edgespark auth pull
edgespark auth get
```

Edit `configs/auth-config.yaml`, then apply it:

```bash
edgespark auth apply
edgespark deploy
```

Use `edgespark auth get --json` when you want the current applied config in machine-readable form.

## Typical development flow

When you change auth configuration, use this order:

1. Run `edgespark auth pull` if you want to start from the current live config.
2. Edit `configs/auth-config.yaml`.
3. If you are enabling a social OAuth provider, prepare the provider app, redirect URLs, client ID var, and secret first.
4. Run `edgespark auth apply`.
5. Run `edgespark deploy` so your app uses the updated auth behavior.

For OAuth providers, that usually means:

* set the client ID with `edgespark var set ...`
* set the client secret with `edgespark secret set ...`
* reference those keys from `configs/auth-config.yaml`

## Example config

```yaml configs/auth-config.yaml
# yaml-language-server: $schema=https://schemas.edgespark.dev/v1/auth-config.schema.json

disableSignUp: false

session:
  expiresIn: 604800
  updateAge: 86400
  disableSessionRefresh: false

providerEmailPassword:
  enabled: true
  config:
    minPasswordLength: 10
    requireEmailVerification: true
    requirePasswordResetEmailVerification: true
    revokeSessionsOnPasswordReset: true

providerGoogle:
  enabled: true
  config:
    clientIdVarRef: GOOGLE_CLIENT_ID
    clientSecretRef: GOOGLE_CLIENT_SECRET

providerGithub:
  enabled: true
  config:
    clientIdVarRef: GITHUB_CLIENT_ID
    clientSecretRef: GITHUB_CLIENT_SECRET
```

## What each section controls

| Field                                    | What it does                                                              |
| ---------------------------------------- | ------------------------------------------------------------------------- |
| `disableSignUp`                          | Turns off new account creation globally                                   |
| `session.expiresIn`                      | Sets session lifetime in seconds                                          |
| `session.updateAge`                      | Controls how often active sessions refresh                                |
| `session.disableSessionRefresh`          | Disables automatic session refresh                                        |
| `providerEmailPassword.enabled`          | Enables email/password login                                              |
| `providerEmailPassword.config.*`         | Controls password length, email verification, and password reset behavior |
| `provider<Provider>.enabled`             | Enables an OAuth provider                                                 |
| `provider<Provider>.config`              | Points the provider at the required client ID and secret inputs           |

## Keep OAuth values out of the YAML file

For step-by-step walkthroughs of creating the provider OAuth app, entering the callback URL, and storing the client ID and secret for each of Google, GitHub, GitLab, and Discord, see [add social OAuth login](/guides/social-login).

`configs/auth-config.yaml` can reference vars and secrets, but it should not contain sensitive secret values.

For OAuth providers:

| Provider | Client ID var key   | Secret key              | Extra config |
| -------- | ------------------- | ----------------------- | ------------ |
| Google   | `GOOGLE_CLIENT_ID`  | `GOOGLE_CLIENT_SECRET`  | None         |
| GitHub   | `GITHUB_CLIENT_ID`  | `GITHUB_CLIENT_SECRET`  | None         |
| GitLab   | `GITLAB_CLIENT_ID`  | `GITLAB_CLIENT_SECRET`  | None         |
| Discord  | `DISCORD_CLIENT_ID` | `DISCORD_CLIENT_SECRET` | None         |

Set those inputs with the CLI:

```bash
edgespark var set GOOGLE_CLIENT_ID=your-client-id
edgespark secret set GOOGLE_CLIENT_SECRET
```

<Warning>
  When you run `edgespark secret set`, the secret value never goes through terminal output, agent context, or third-party LLM APIs such as Anthropic, Google, or OpenAI. EdgeSpark opens a secure browser URL so the human owner can enter the value directly.
</Warning>
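
A pre-apply check for the rule above, as an added example that is not part of the EdgeSpark CLI or docs: it verifies that every `provider<Provider>` block references the fixed `<PROVIDER>_CLIENT_ID` and `<PROVIDER>_CLIENT_SECRET` keys, and flags anything that looks like a pasted value without echoing it. The function name `check_auth_config` is hypothetical; the script assumes the indented block layout of the example config and that each provider's key prefix is the upper-cased name after `provider`.

```shell
#!/usr/bin/env bash
# Added example, not part of the EdgeSpark CLI.
# Lints an auth config before it is applied: each provider<Name> block must
# reference <NAME>_CLIENT_ID / <NAME>_CLIENT_SECRET by key name.
# Values that are not key names are never printed, since they may be secrets.
# Usage: check_auth_config configs/auth-config.yaml

check_auth_config() {
  awk '
    # Top-level key, e.g. "providerGithub:" gives expected prefix "GITHUB".
    /^[A-Za-z]/ {
      block = $1; sub(/:.*/, "", block)
      prefix = ""
      if (block ~ /^provider/ && block != "providerEmailPassword")
        prefix = toupper(substr(block, 9))   # text after "provider"
      next
    }
    # Ref lines nested inside an OAuth provider block.
    prefix != "" && /^[ \t]+(clientIdVarRef|clientSecretRef):/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/["\047]/, "", val)     # strip YAML quotes
      want = prefix (key == "clientIdVarRef" ? "_CLIENT_ID" : "_CLIENT_SECRET")
      if (val == want) next
      bad++
      if (val ~ /^[A-Z][A-Z0-9_]*$/)
        # Looks like a key name, just the wrong one: safe to show.
        printf "%s.%s: ref is %s, expected %s\n", block, key, val, want
      else
        # Not a key name: treat as a possible inline secret and withhold it.
        printf "%s.%s: value is not a key name (possible inline secret, not shown); expected %s\n", block, key, want
    }
    END { exit (bad > 0) }
  ' "$1"
}
```

The function returns non-zero when it reports a finding, so it can gate `edgespark auth apply` in a pre-commit hook or CI step.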

## How this affects your frontend

The managed auth UI in `@edgespark/web` reads the applied config automatically. After you apply and deploy:

* enabled OAuth providers appear automatically
* disabled providers disappear
* sign-up availability follows `disableSignUp`
* verification and password-reset flows follow the email/password config

That lets you keep auth policy in one file instead of hard-coding it into your frontend.

## Troubleshooting

* If `edgespark auth apply` fails, check for unknown fields or for ref names that do not match the fixed keys, such as `GOOGLE_CLIENT_SECRET`.
* If validation errors mention unsupported or newer fields, compare your file against `https://schemas.edgespark.dev/v1/auth-config.schema.json` and update the CLI with `npm update -g @edgespark/cli`.
* If a provider is enabled but login still fails, make sure both the var and secret exist in the target environment.
* If the UI still shows old provider settings, deploy after applying the config.

## See also

<Columns cols={2}>
  <Card title="Build auth UI" icon="lock" href="/guides/auth-ui">
    Use the managed `@edgespark/web` auth UI so provider and sign-up settings flow straight from project config.
  </Card>

  <Card title="Development workflow" icon="workflow" href="/guides/development-workflow">
    See where auth config fits into the repo-based loop for schema, storage, vars, secrets, and deploys.
  </Card>
</Columns>
