Skip to main content

Get credentials

1

Create an application

For gitlab.com: Go to gitlab.com/-/profile/applications.For a self-hosted instance: Go to your instance URL, then User Settings > Applications.
  • Name: your app name
  • Redirect URI: https://auth.example.com/auth/oauth/gitlab/callback
  • Scopes: check read_user and email
2

Copy credentials

After saving, copy the Application ID and Secret.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'gitlab', 
          clientId: process.env.GITLAB_CLIENT_ID!, 
          clientSecret: process.env.GITLAB_CLIENT_SECRET!, 
        },
      ],
    }),
  ],
});

GITLAB_CLIENT_ID=...
GITLAB_CLIENT_SECRET=...

Scopes

Default scopes: read_user email
ScopeWhat it unlocks
read_userRead the user’s profile
emailRead the user’s primary email
read_apiRead access to the API
read_repositoryRead repository data

User data returned

FieldSourceNotes
idid fieldStable numeric GitLab user ID
emailemail fieldPrimary email
namename fieldDisplay name
imageavatar_url fieldProfile picture URL
For self-hosted GitLab instances, make sure your KavachOS server can reach the GitLab API. If you are behind a VPN or firewall, the token exchange and user info calls will fail if the instance is not reachable from your server.
Last modified on April 18, 2026