
# Google

> Wire Google OAuth 2.0 and OpenID Connect into KavachOS. Covers Cloud Console setup, People API, consent screen configuration, and profile scope access.

## Get credentials

<Steps>
  <Step>
    ### Create a project

    Go to [Google Cloud Console](https://console.cloud.google.com/) and create a new project (or select an existing one).
  </Step>

  <Step>
    ### Enable the People API

    Navigate to **APIs and Services > Library**, search for "Google People API", and enable it. This lets KavachOS fetch the user's name and profile picture.
  </Step>

  <Step>
    ### Create OAuth credentials

    Go to **APIs and Services > Credentials > Create Credentials > OAuth client ID**.

    * Application type: **Web application**
    * Authorized redirect URIs: `https://auth.example.com/auth/oauth/google/callback`

    Copy the **Client ID** and **Client Secret**.
  </Step>

  <Step>
    ### Configure the consent screen

    Under **OAuth consent screen**, set the app name, support email, and authorized domain. For production, submit for verification if you need access to sensitive scopes.
  </Step>
</Steps>

## Configuration

```typescript title="lib/kavach.ts"
import { createKavach } from 'kavachos';
import { oauth } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://auth.example.com',
  plugins: [
    oauth({
      providers: [
        {
          id: 'google',
          clientId: process.env.GOOGLE_CLIENT_ID!,
          clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
        },
      ],
    }),
  ],
});
```

Add to your environment:

```bash
GOOGLE_CLIENT_ID=...apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
```

## Scopes

Default scopes: `openid email profile`

These give you name, email, and profile picture. To request additional permissions:

```typescript
// One entry in the `providers` array passed to oauth({ providers: [...] })
{
  id: 'google',
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  // Default scopes plus read-only Calendar access
  scopes: ['openid', 'email', 'profile', 'https://www.googleapis.com/auth/calendar.readonly'],
}
```

<Info>
  Extra scopes beyond `openid email profile` require your app to complete Google's verification process before they work for users outside your organization.
</Info>

## User data returned

| Field   | Source          | Notes                 |
| ------- | --------------- | --------------------- |
| `id`    | `sub` claim     | Stable Google user ID |
| `email` | `email` claim   | Verified by Google    |
| `name`  | `name` claim    | Full display name     |
| `image` | `picture` claim | Profile photo URL     |

## Initiating sign-in

Redirect users to:

```
GET /auth/oauth/google/authorize
```

Or add a query parameter to control the post-sign-in destination:

```
GET /auth/oauth/google/authorize?redirectTo=/dashboard
```
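
When the `redirectTo` value comes from user-controlled input (for example a `next` parameter on your login page), restrict it to same-origin paths before building the sign-in link. The following is an added example, not KavachOS code, and this page does not describe how KavachOS itself validates `redirectTo`; `safeRedirectPath` and `buildGoogleSignInUrl` are hypothetical helpers, and `BASE_URL` is assumed to match the `baseUrl` from the configuration above.

```typescript
// Added example, not KavachOS code. BASE_URL mirrors the baseUrl in the
// configuration above; both helper functions are hypothetical.
const BASE_URL = 'https://auth.example.com';
const AUTHORIZE_PATH = '/auth/oauth/google/authorize';

// Returns a normalized same-origin path, or null when the candidate could
// send the browser to another origin after sign-in.
function safeRedirectPath(candidate: string, baseUrl: string = BASE_URL): string | null {
  // Only single-slash rooted paths: rejects absolute URLs, "//host" and "/\host".
  if (!/^\/(?![\/\\])/.test(candidate)) return null;
  // URL parsers strip tabs and newlines, so "/\t/host" would become "//host".
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return null;

  let resolved: URL;
  try {
    resolved = new URL(candidate, baseUrl);
  } catch {
    return null;
  }
  // Final check on the parsed result rather than on the raw string.
  if (resolved.origin !== new URL(baseUrl).origin) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Builds the sign-in link. An unsafe or missing destination is dropped, so the
// plain authorize URL shown on this page is used instead.
function buildGoogleSignInUrl(redirectTo?: string): string {
  const path = redirectTo === undefined ? null : safeRedirectPath(redirectTo);
  if (path === null) return AUTHORIZE_PATH;
  const url = new URL(AUTHORIZE_PATH, BASE_URL);
  url.searchParams.set('redirectTo', path); // percent-encodes the value
  return url.pathname + url.search;
}
```

The same check belongs on the server side of any handler that reads a destination from the query string, since a link built in the browser can be bypassed.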
