Google One-tap lets users sign in with a single tap using their Google account. The frontend shows Google’s prompt, the backend verifies the ID token via Google’s JWKS. No Google SDK needed server-side.
Setup
```js
import { createKavach } from 'kavachos';
import { oneTap } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'sqlite', url: 'kavach.db' },
  plugins: [
    oneTap({ clientId: process.env.GOOGLE_CLIENT_ID }),
  ],
});
```
Add Google’s script to your frontend

```html
<script src="https://accounts.google.com/gsi/client" async></script>
<div id="g_id_onload"
     data-client_id="YOUR_CLIENT_ID"
     data-login_uri="/api/kavach/auth/one-tap/callback"
     data-auto_prompt="true">
</div>
```
How it works
- Google’s JS shows a sign-in prompt on your page
- The user taps their Google account
- Google sends a credential (a JWT ID token) to your callback
- KavachOS verifies the JWT signature against Google’s JWKS (https://www.googleapis.com/oauth2/v3/certs)
- KavachOS validates the audience, issuer, expiry, and CSRF token
- KavachOS creates or links the user and returns a session
CSRF protection
Google sends a g_csrf_token cookie with the request. KavachOS validates that the cookie value matches the g_csrf_token field in the POST body.
Config
| Option | Type | Default | Description |
|---|---|---|---|
| clientId | string | required | Google OAuth client ID |
| autoCreateUser | boolean | true | Create user if not found |
| csrfCookieName | string | "g_csrf_token" | CSRF cookie name |
Endpoint
| Method | Path | Description |
|---|---|---|
| POST | /auth/one-tap/callback | Verify ID token, create session |
Google One-tap requires HTTPS in production. It works on localhost for development.