Configure Google SSO
Let users sign in with Google — create OAuth credentials and point TapTally at them.
TapTally supports Sign in with Google alongside email/password login. Enabling it is a backend configuration change: you create an OAuth Client ID in Google Cloud and set it on the backend. Nothing secret is stored, and the frontend needs no rebuild — it discovers the setting at runtime.
How it works: the login screen shows a Google button that returns a signed ID token; the backend verifies that token against Google's public keys (checking the audience matches your client ID) and then issues the usual TapTally session. A Google client secret is not required.
1. Create Google OAuth credentials
In the Google Cloud Console:
- Create (or select) a project.
- Open APIs & Services → OAuth consent screen and configure it. Choose External for a public deployment, or Internal to restrict sign-in to your Google Workspace org.
- Open APIs & Services → Credentials → Create Credentials → OAuth client ID.
- Choose application type Web application.
- Under Authorized JavaScript origins, add the origin(s) where the TapTally frontend is
served — for example
http://localhost:5173for local development andhttps://taptally.example.comfor production. (No redirect URI is needed for the sign-in button.) - Create the client and copy the Client ID (it ends in
.apps.googleusercontent.com).
Add every origin your frontend is served from. Google rejects the sign-in attempt if the page origin is not in this list.
2. Configure the backend
Set the Client ID on the backend. Any value can be provided as a TAPTALLY_-prefixed
environment variable (Secret) or in config.yaml (ConfigMap).
| Parameter | Description | Default |
|---|---|---|
config.google_client_id |
Google OAuth Web Client ID. Enables Google SSO when set. | "" |
config.google_allowed_domains |
Optional email-domain allowlist (comma-separated). Empty = allow all. | "" |
Environment variable form:
TAPTALLY_GOOGLE_CLIENT_ID=1234567890-abcdef.apps.googleusercontent.com
# Optional — restrict to one or more email domains:
TAPTALLY_GOOGLE_ALLOWED_DOMAINS=example.com,example.orgconfig.yaml form:
google_client_id: "1234567890-abcdef.apps.googleusercontent.com"
# Optional email-domain allowlist (empty = allow any Google account):
google_allowed_domains:
- example.com
- example.orgRestart the backend after changing the value.
3. Verify
-
Call the public config endpoint — it should report SSO as enabled:
curl https://api.taptally.example.com/v1/auth/config # {"google_enabled": true, "google_client_id": "…apps.googleusercontent.com"} -
Open the login screen: a Sign in with Google button now appears under the email/password form. Completing Google sign-in logs you straight into the dashboard.
Provisioning and account linking
- The first time someone signs in with a Google-verified email, TapTally creates an account automatically.
- If an account with that email already exists (for example a password account), Google sign-in links to it rather than creating a duplicate.
- With
google_allowed_domainsset, only emails in the listed domains may sign in; everyone else is rejected.
Security notes
- The Google ID token is verified server-side against Google's public keys, with the audience pinned to your
google_client_id— a token minted for another app is rejected.- Only Google accounts whose email is verified are accepted.
- No client secret is stored, and the client ID returned by
/v1/auth/configis public by design (it is part of the OAuth flow).- Use
google_allowed_domainsto limit sign-in to your organization's domains.- Leaving
google_client_idempty disables Google SSO entirely; email/password login is unaffected.
Found an issue in the docs? Open an issue on GitHub.