Authentication & OAuth Providers Created on
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4){kind=small}
Sayr uses Better Auth for authentication. Out of the box it supports email/password login and several OAuth providers. Each provider is opt-in — it only appears in the login UI and settings when the relevant environment variables are set.
How Provider Activation Works
Section titled “How Provider Activation Works”Sayr checks for a provider’s credentials at runtime on the server. If both the client ID and client secret environment variables are present, the provider is enabled and its login button is shown. If either variable is missing or empty, the provider is silently hidden — no configuration or restart beyond setting the variables is required.
This means you can enable or disable any provider at any time by adding or removing its environment variables and restarting your containers.
Supported OAuth Providers
Section titled “Supported OAuth Providers”Sayr is built by the team at Doras — a platform for creators to centralise their links, content, and community. Doras OAuth is the login provider powering Sayr Cloud, and it’s our preferred way to sign in because it ties your Sayr account directly into the broader Doras ecosystem.
Doras OAuth for self-hosted instances is currently in a limited access period while we roll it out carefully. If you’re interested in enabling Doras login on your instance, reach out and we’ll get you set up:
- Email us at hi@doras.to
- Join our Discord at doras.to/discord
Once you have credentials, the setup is the same ENV pattern as the other providers:
Environment variables:
DORAS_CLIENT_ID=your-client-idDORAS_CLIENT_SECRET=your-client-secretGitHub
Section titled “GitHub”GitHub login is the most common choice for self-hosted instances. It also powers the GitHub integration (syncing issues and pull requests).
Create an OAuth App:
- Go to GitHub Developer Settings → OAuth Apps
- Click New OAuth App
- Set the Authorization callback URL to:
https://admin.yourdomain.com/api/auth/callback/github
Environment variables:
GITHUB_CLIENT_ID=your-client-idGITHUB_CLIENT_SECRET=your-client-secretDiscord
Section titled “Discord”Discord login lets users sign in and link their Discord account from Settings → Connections.
Create an OAuth App:
- Go to the Discord Developer Portal
- Create a new application, then open OAuth2 → General
- Add a redirect URL:
https://admin.yourdomain.com/api/auth/callback/discord
Environment variables:
DISCORD_CLIENT_ID=your-client-idDISCORD_CLIENT_SECRET=your-client-secretSlack login uses OpenID Connect. Users can sign in with Slack and link their Slack account from Settings → Connections.
Create a Slack App:
- Go to api.slack.com/apps and create a new app
- Under OAuth & Permissions, add a redirect URL:
https://admin.yourdomain.com/api/auth/callback/slack
- Under OAuth & Permissions → Scopes, add the following User Token Scopes:
openidprofileemail
- Copy the Client ID and Client Secret from the app’s Basic Information page
Environment variables:
SLACK_CLIENT_ID=your-client-idSLACK_CLIENT_SECRET=your-client-secretEmail / Password Login
Section titled “Email / Password Login”Email and password login is always available and does not require any OAuth app. Users can set a password from Settings → Security, and existing accounts can request a password reset email.
To send password reset emails, configure an email provider:
# Supported values: usesend, sendgrid, resendEMAIL_PROVIDER=resendSAYR_EMAIL=your-api-keySAYR_FROM_EMAIL=noreply@yourdomain.comEnabling Multiple Providers
Section titled “Enabling Multiple Providers”All providers work independently — you can enable any combination. For example, to enable both GitHub and Discord login, set all four variables:
GITHUB_CLIENT_ID=...GITHUB_CLIENT_SECRET=...DISCORD_CLIENT_ID=...DISCORD_CLIENT_SECRET=...Users will see a login button for each configured provider.
User Connections (Account Linking)
Section titled “User Connections (Account Linking)”Once signed in, users can connect and disconnect additional providers from Settings → Connections. A provider connection tile only appears if that provider is configured on the server. Sayr prevents users from disconnecting their last remaining login method to avoid account lockout.
Callback URL Reference
Section titled “Callback URL Reference”Use this table when configuring your OAuth apps. Replace admin.yourdomain.com with the actual admin URL for your instance (the value of VITE_URL_ROOT).
| Provider | Callback URL |
|---|---|
| GitHub | https://admin.yourdomain.com/api/auth/callback/github |
| Discord | https://admin.yourdomain.com/api/auth/callback/discord |
| Slack | https://admin.yourdomain.com/api/auth/callback/slack |
| Doras | https://admin.yourdomain.com/api/auth/callback/doras |