Social Login
Social sign-in lets end users authenticate with an external identity provider. Your application completes the OAuth or OIDC flow with the provider in the browser or native app, obtains an id_token, and sends that token to Noma to exchange for project user session tokens.
```
POST /api/auth/login/social
```

Include the usual headers:

```
project-id: <your-project-uuid>
Content-Type: application/json
Accept: application/json
```

Request body
| Field | Type | Required | Description |
|---|---|---|---|
| provider | string | Yes | Must be an enabled provider in the server configuration (for example google). |
| id_token | string | Yes | OIDC ID token from the provider after the user signs in. |
| nonce | string | No | Pass through if you used a nonce in the provider request (recommended for replay protection). Max 255 characters. |
Validation rejects unknown or disabled providers with 422.
Successful response
200 OK — Same shape as password sign-in: access_token, token_type, expires_at, optional refresh fields, and user.
401 — Invalid social login. The token could not be verified or did not match policy (wrong audience, issuer, and so on).
403 — Email verification required before a session can be issued; may include verification_token for your app to complete verification.
Google (example)
At a high level:
- Register an OAuth client with Google and obtain a client ID (and client secret for server-side flows if you use them).
- Run the Google sign-in flow so your frontend receives an ID token (credential or OAuth response).
- POST /api/auth/login/social with provider: "google" and id_token: "<id_token>".
The server validates the JWT using the provider’s JWKS, checks issuer and audience against configured allowed client IDs, and links or creates a project user for that email.
Exact environment and dashboard settings for allowed client IDs are part of your deployment; consult your project operator or internal runbook if tokens are rejected.
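
The nonce pass-through and the audience check described above can be pre-checked in the client before the token is sent. The following is an added example, not code from the Noma SDK; the helper names (newNonce, readClaims, buildSocialLoginBody, makeSampleToken) and the sample client ID are hypothetical, and the check does not replace the server's signature verification.

```javascript
// Added example; helper names are hypothetical, not part of the Noma SDK.
const MAX_NONCE_LENGTH = 255; // limit from the request-body table

const toB64Url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function fromB64Url(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Fresh random nonce to put in the provider request (43 characters).
function newNonce() {
  return toB64Url(globalThis.crypto.getRandomValues(new Uint8Array(32)));
}

// Reads the claims WITHOUT verifying the signature; the server does that with JWKS.
function readClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("id_token is not a three-part JWT");
  return JSON.parse(new TextDecoder().decode(fromB64Url(parts[1])));
}

// Pre-flight check, then the JSON body for POST /api/auth/login/social.
function buildSocialLoginBody(provider, idToken, expectedNonce, clientId) {
  if (expectedNonce.length > MAX_NONCE_LENGTH) throw new Error("nonce too long");
  const claims = readClaims(idToken);
  if (claims.nonce !== expectedNonce) throw new Error("nonce mismatch");
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(clientId)) throw new Error("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= Date.now()) {
    throw new Error("id_token expired");
  }
  return { provider, id_token: idToken, nonce: expectedNonce };
}

// Constructed, unsigned sample token so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => toB64Url(new TextEncoder().encode(JSON.stringify(obj)));
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

Generate the nonce with newNonce() before starting the provider flow, keep it for the duration of that sign-in attempt, and pass the same value to buildSocialLoginBody when the ID token comes back.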
JavaScript SDK
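```ts
import { createClient } from "@nomacms/js-sdk"

// The non-null assertion (!) is TypeScript syntax; drop it in plain JavaScript.
const noma = createClient({
  projectId: process.env.NOMA_PROJECT_ID!,
  projectUserAuth: { autoRefresh: true },
})

// idTokenFromGoogle: the ID token returned by the Google sign-in flow.
// optionalNonce: the nonce sent in the provider request, if one was used.
await noma.signInWithSocial({
  provider: "google",
  id_token: idTokenFromGoogle,
  nonce: optionalNonce,
})
```

Related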
- Sign Up & Sign In — Email and password flows.
- Session Management — Refresh and logout after social sign-in.