Authentication

Use kittl.auth to run OAuth from a sandboxed extension without exposing secrets in the client.

Setup

Declare your OAuth provider in the extension manifest.

Example:

{
  oauthProviders: {
    myProvider: {
      client_id: 'client_id_from_provider',
      scope: 'example:read,example:write',
      authorization_url: 'https://myAuthProvider.com/oauth2/authorize',
      access_type: 'offline',
      token_url: 'https://myAuthProvider.com/oauth2/token',
    },
  },
}

Trigger the auth flow

const provider = 'myProvider';

const { code, code_verifier } = await kittl.auth.startAuth({
  provider,
  // Recommended when your provider supports OAuth 2.1 / PKCE
  generatePKCE: true,
});

// Exchange the auth code for tokens
const resp = await kittl.auth.exchangeCode({
  code,
  provider,
  code_verifier,
});

// resp contains the provider token response payload

Restore token on reload

On extension mount, check if a token is already stored:

const provider = 'myProvider';
const token = await kittl.auth.getAuthToken({ provider });

if (token) {
  // Already authenticated
}

Logout

await kittl.auth.logout({ provider: 'myProvider' });

Omit provider to clear all provider tokens for the extension.
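The three sections above (trigger, restore, logout) combined into one mount-time entry point, as an added example that is not from the Kittl docs or SDK. Only the `kittl.auth` method names and argument shapes come from this page; `createKittlAuthStub`, `ensureSession`, `inFlight` and every value the stub returns are assumptions constructed so the file runs offline without the real SDK. The wrapper checks for a stored token first, serialises concurrent sign-in attempts for the same provider so a mount that fires twice does not open two authorization windows, and clears that provider's state if the code exchange fails.

```javascript
// Added example, not Kittl code. `createKittlAuthStub` stands in for the real
// `kittl.auth` so this runs offline; its behaviour is an assumption, only the
// method names and argument shapes are taken from the documentation page.
function createKittlAuthStub({ storedToken = null, failExchange = false } = {}) {
  const calls = [];
  let stored = storedToken;
  return {
    calls,
    async getAuthToken({ provider }) {
      calls.push(['getAuthToken', provider]);
      return stored;
    },
    async startAuth({ provider, generatePKCE }) {
      calls.push(['startAuth', provider, generatePKCE]);
      // Constructed values; the real SDK returns what the provider issued.
      return { code: 'constructed-code', code_verifier: 'constructed-verifier' };
    },
    async exchangeCode({ code, provider, code_verifier }) {
      calls.push(['exchangeCode', provider, code, code_verifier]);
      if (failExchange) throw new Error('token endpoint rejected the code');
      stored = { access_token: 'constructed-token', provider };
      return stored;
    },
    async logout({ provider } = {}) {
      calls.push(['logout', provider]);
      stored = null;
    },
  };
}

// One in-flight sign-in per provider. A second caller that arrives while the
// first is still waiting on the provider shares the same promise.
const inFlight = new Map();

async function ensureSession(auth, provider) {
  // Restore path: a token from a previous session means no user interaction.
  const existing = await auth.getAuthToken({ provider });
  if (existing) return { token: existing, restored: true };

  if (!inFlight.has(provider)) {
    const flow = (async () => {
      const { code, code_verifier } = await auth.startAuth({ provider, generatePKCE: true });
      try {
        const token = await auth.exchangeCode({ code, provider, code_verifier });
        return { token, restored: false };
      } catch (err) {
        // Exchange failed: drop anything half-stored for this provider only,
        // leaving other providers' tokens untouched, then surface the error.
        await auth.logout({ provider });
        throw err;
      }
    })();
    inFlight.set(provider, flow.finally(() => inFlight.delete(provider)));
  }
  return inFlight.get(provider);
}

module.exports = { createKittlAuthStub, ensureSession };
```

Call `ensureSession(kittl.auth, 'myProvider')` once on mount; callers that need the token later can call it again and will get the restored path without re-prompting the user.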

Backend proxy and provider limitations

If your provider does not support PKCE, run a backend proxy for token exchange so your client secret stays server-side.

In general:

  • Prefer OAuth with PKCE (generatePKCE: true)
  • Keep secrets off the extension client
  • Use your backend for provider-specific token handling when needed