Configure authentication providers and features from the CLI.

Auth Configuration

Control how users sign in to your application. AscendKit supports multiple authentication methods that you can enable and combine without changing your app code — credentials (email/password), magic-link passwordless auth, and social OAuth providers.

Supported providers: credentials (email/password), magic-link (passwordless email link), google, github, apple, discord, microsoft

Configurable features:

  • Email verification — require users to verify their email before signing in
  • Password reset — let users reset their password via email
  • Waitlist — hold new signups for manual approval before granting access
  • Session duration — how long a user stays signed in
  • Domain allowlist — restrict signups to specific email domains (e.g., company.com)
  • Block personal domains — block signups from consumer email providers (Gmail, Yahoo, etc.)

Social OAuth providers work immediately in dev and beta environments using AscendKit's managed credentials. In production, or when you want your own branding on the consent screen, you can configure your own OAuth client credentials.

View current settings

ascendkit auth show

Shows enabled providers, feature flags, and session duration.

Update settings

ascendkit auth update --providers credentials,google,github --email-verification true --session-duration 30d

Flag                      Description
--providers               Comma-separated list: credentials, magic-link, google, github, apple, discord, microsoft
--email-verification      Require email verification on signup
--password-reset          Enable password reset flow
--waitlist                Enable waitlist mode
--session-duration        Session lifetime (e.g., 7d, 24h, 30d)
--allowed-domains         Comma-separated list of allowed email domains for signup
--block-personal-domains  true/false — block consumer email providers (Gmail, Yahoo, etc.)

Manage providers

Show enabled providers:

ascendkit auth provider list

Set the provider list:

ascendkit auth provider set credentials,google,github

Use magic-link in the provider list when you want passwordless email-link sign-in:

ascendkit auth provider set magic-link,google

Configure OAuth credentials

When you enable a social provider (Google, GitHub, etc.), it works immediately using AscendKit's managed credentials in dev and beta environments. You can optionally configure your own OAuth credentials when you want your own branding on the consent screen.

CLI-based setup

# Recommended: pass secret via stdin (avoid shell history)
echo "$GOOGLE_CLIENT_SECRET" | ascendkit auth oauth set google \
  --client-id "$GOOGLE_CLIENT_ID" \
  --client-secret-stdin
# Alternate: direct flag (less secure; may be stored in shell history)
ascendkit auth oauth set google \
  --client-id "$GOOGLE_CLIENT_ID" \
  --client-secret "$GOOGLE_CLIENT_SECRET"

Flag                   Description
--client-id            OAuth client ID from the provider's developer console
--client-secret        OAuth client secret (may appear in shell history)
--client-secret-stdin  Read client secret from stdin (recommended)

When using your own credentials, set APP_URL for the environment first. AscendKit derives the redirect URI you need to register in the provider's developer console:

https://<APP_URL>/api/auth/callback/{provider}

Domain restrictions

Restrict which email domains can sign up. Useful for employee-only apps or B2B products that need business email addresses.

Allow specific domains only

ascendkit auth update --allowed-domains company.com,partner.org

Only users with email addresses from these domains can sign up. Existing users are unaffected.

Block personal email providers

ascendkit auth update --block-personal-domains true

Blocks signups from consumer email providers (Gmail, Yahoo, Hotmail, Outlook, etc.). AscendKit maintains the blocklist.

Combine both

When both are set, the allowlist takes precedence — personal domain blocking has no additional effect.

Clear restrictions

ascendkit auth update --allowed-domains ""
ascendkit auth update --block-personal-domains false

Domain restrictions apply to all signup methods including OAuth. The email returned by the OAuth provider is checked against the same rules.
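
The precedence rule above can be checked offline before you change settings. The script below is an added example, not AscendKit code: signup_decision is a hypothetical helper that models the documented rules. It assumes exact, case-insensitive domain matching, and uses a constructed sample blocklist because AscendKit maintains the real one.

```shell
#!/bin/sh
# Model of the signup domain rules described above (added example, not AscendKit code).
# Assumptions: domains match exactly and case-insensitively; PERSONAL_DOMAINS is a
# constructed sample, since AscendKit maintains the real blocklist.
PERSONAL_DOMAINS="gmail.com yahoo.com hotmail.com outlook.com"

# signup_decision EMAIL ALLOWED_CSV BLOCK_PERSONAL
# Prints "allow" or "deny:<reason>" for one signup attempt. EMAIL is whatever the
# signup method supplies, including the address returned by an OAuth provider.
signup_decision() {
  email=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  allowed=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' ' ')
  block_personal=$3

  # Use the text after the last '@'; reject input with no local part or no domain.
  case $email in
    ?*@?*) domain=${email##*@} ;;
    *) echo "deny:malformed-email"; return 0 ;;
  esac

  # Allowlist set: it alone decides, so the personal-domain flag adds nothing.
  if [ -n "$allowed" ]; then
    for d in $allowed; do
      if [ "$domain" = "$d" ]; then echo "allow"; return 0; fi
    done
    echo "deny:not-in-allowlist"; return 0
  fi

  # No allowlist: only the personal-domain block can reject a signup.
  if [ "$block_personal" = "true" ]; then
    for d in $PERSONAL_DOMAINS; do
      if [ "$domain" = "$d" ]; then echo "deny:personal-domain"; return 0; fi
    done
  fi
  echo "allow"
}

# Constructed sample signups, one per configuration.
signup_decision "alice@company.com" "company.com,partner.org" "true"
signup_decision "bob@gmail.com" "" "true"
# A consumer domain placed in the allowlist is accepted even with blocking on.
signup_decision "bob@gmail.com" "company.com,gmail.com" "true"
```

Under this model a consumer domain listed in --allowed-domains is accepted even when --block-personal-domains is true, so review the allowlist itself for such entries.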

Manage users

ascendkit auth user list
ascendkit auth user list --unsubscribed
ascendkit auth user remove usr_abc123
ascendkit auth user reactivate usr_abc123

ascendkit auth user list shows a derived Status column for each user returned by the command:

  • active
  • deactivated
  • waitlisted
  • rejected
  • unsubscribed

Use --unsubscribed to list only users who opted out of campaigns.