Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kavachos.com/llms.txt

Use this file to discover all available pages before exploring further.

Google One-tap lets users sign in with a single tap using their Google account. The frontend shows Google’s prompt, the backend verifies the ID token via Google’s JWKS. No Google SDK needed server-side.

Setup

1

Get a client ID

Go to the Google Cloud Console, create an OAuth 2.0 credential, copy the Client ID.
2

Configure the plugin

import { createKavach } from 'kavachos';
import { oneTap } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  plugins: [
    oneTap({ clientId: process.env.GOOGLE_CLIENT_ID }),
  ],
});
3

Add Google’s script to your frontend

<script src="https://accounts.google.com/gsi/client" async></script>
<div id="g_id_onload"
  data-client_id="YOUR_CLIENT_ID"
  data-login_uri="/api/kavach/auth/one-tap/callback"
  data-auto_prompt="true">
</div>

How it works

  1. Google’s JS shows a sign-in prompt on your page
  2. User taps their Google account
  3. Google sends a credential (JWT ID token) to your callback
  4. KavachOS verifies the JWT against Google’s JWKS (https://www.googleapis.com/oauth2/v3/certs)
  5. Validates audience, issuer, expiry, and CSRF token
  6. Creates or links the user, returns a session

CSRF protection

Google sends a g_csrf_token cookie with the request. KavachOS validates that the cookie value matches the g_csrf_token field in the POST body.

Config

OptionTypeDefaultDescription
clientIdstringrequiredGoogle OAuth client ID
autoCreateUserbooleantrueCreate user if not found
csrfCookieNamestring"g_csrf_token"CSRF cookie name

Endpoint

MethodPathDescription
POST/auth/one-tap/callbackVerify ID token, create session
Google One-tap requires HTTPS in production. It works on localhost for development.
Last modified on April 29, 2026