Social Login Setup
Prism supports social login via GitHub, Google, Microsoft, and Discord. Each provider requires you to register an OAuth application in their developer console, then enter the credentials in Admin → Settings → Social Login.
All callback URLs follow this pattern:
https://<your-prism-domain>/api/connections/<provider>/callback
GitHub
1. Create a GitHub OAuth App
Go to GitHub Developer Settings → OAuth Apps and click New OAuth App.
Fill in the form:
| Field | Value |
|---|---|
| Application name | Your site name |
| Homepage URL | https://your-prism-domain |
| Authorization callback URL | https://your-prism-domain/api/connections/github/callback |
Click Register application.
On the app page, copy the Client ID.
Click Generate a new client secret and copy the secret immediately — it is only shown once.
2. Enter credentials in Prism
Go to Admin → Settings → Social Login and paste the Client ID and Client Secret into the GitHub fields. Save.
GitHub login will appear on the login and registration pages immediately.
Notes
- GitHub OAuth Apps grant access to public profile info and email by default. Prism requests the user:email scope to ensure the email is always returned even if it is set to private.
- If a GitHub user has no public email and their email is private, GitHub returns a list of emails — Prism picks the primary verified one.
- GitHub does not support OpenID Connect. Prism uses their REST API (/user, /user/emails) to fetch the profile.
Google
1. Create a Google OAuth 2.0 Client
Open the Google Cloud Console and select or create a project.
Go to APIs & Services → Credentials and click Create Credentials → OAuth client ID.
If prompted, configure the OAuth consent screen first:
- User type: External (unless this is a Google Workspace internal app)
- Add your domain to Authorized domains
- Add scopes: openid, email, profile
Back in Create OAuth client ID:
| Field | Value |
|---|---|
| Application type | Web application |
| Authorized JavaScript origins | https://your-prism-domain |
| Authorized redirect URIs | https://your-prism-domain/api/connections/google/callback |
Copy the Client ID and Client Secret.
2. Enter credentials in Prism
Go to Admin → Settings → Social Login and paste into the Google fields. Save.
Notes
- Google uses OpenID Connect. Prism requests the openid email profile scopes.
- New Google Cloud projects start with the consent screen in testing mode, which limits login to test users you explicitly add. Publish the consent screen to allow any Google account to log in.
- If your app is unverified, Google shows a warning screen. Submit for verification if you expect external users.
Microsoft
1. Register an Azure AD Application
Open the Azure Portal → App registrations and click New registration.
Fill in the form:
| Field | Value |
|---|---|
| Name | Your site name |
| Supported account types | Accounts in any organizational directory and personal Microsoft accounts (for broadest compatibility) |
| Redirect URI | Platform: Web — https://your-prism-domain/api/connections/microsoft/callback |
Click Register.
On the Overview page, copy the Application (client) ID.
Go to Certificates & secrets → New client secret, set an expiry, and copy the Value (not the Secret ID).
2. Enter credentials in Prism
Go to Admin → Settings → Social Login and paste into the Microsoft fields. Save.
Notes
- Prism requests the openid email profile scopes via the common tenant endpoint, so both personal (Outlook/Hotmail) and work/school (Azure AD) accounts can log in.
- If you restrict Supported account types to a single tenant, only users in that Azure AD tenant can authenticate.
- Client secrets expire. Set a calendar reminder to rotate the secret before it expires — an expired secret will break Microsoft login silently.
Discord
1. Create a Discord Application
- Open the Discord Developer Portal and click New Application.
- Give it a name and click Create.
- Go to OAuth2 → General:
- Copy the Client ID.
- Click Reset Secret, confirm, and copy the Client Secret.
- Under Redirects, click Add Redirect and enter:
https://your-prism-domain/api/connections/discord/callback
- Save changes.
2. Enter credentials in Prism
Go to Admin → Settings → Social Login and paste into the Discord fields. Save.
Notes
- Prism requests the identify email scopes. identify gives access to the user's username and avatar; email gives their verified email address.
- Discord usernames are unique. If a Discord user has no email set (rare for verified accounts), Prism will reject the login with an error asking the user to add an email to their Discord account.
- Discord does not support OpenID Connect. Prism uses their REST API (/users/@me) to fetch the profile.
Local development
For local testing, register a separate OAuth app per provider using http://localhost:8787 as the domain:
| Provider | Callback URL |
|---|---|
| GitHub | http://localhost:8787/api/connections/github/callback |
| Google | http://localhost:8787/api/connections/google/callback |
| Microsoft | http://localhost:8787/api/connections/microsoft/callback |
| Discord | http://localhost:8787/api/connections/discord/callback |
TIP
Some providers (Google, Microsoft) require HTTPS for production redirect URIs but allow http://localhost for development. GitHub and Discord allow plain HTTP localhost URIs as well.
Add the development credentials to your .dev.vars file by setting them through Admin → Settings → Social Login while running pnpm worker:dev, or set them directly in the database:
wrangler d1 execute prism-db --local --command \
"UPDATE site_config SET value = '\"your-dev-client-id\"' WHERE key = 'github_client_id'"
Troubleshooting
Redirect URI mismatch — The callback URL registered with the provider must match exactly (including trailing slashes and http/https). Check APP_URL in wrangler.jsonc matches the domain you registered.
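One way to pin down which part of a callback URL breaks the exact match, as an added example that is not Prism code. The function names, the result labels, the example.com host and the way APP_URL is joined to the path are assumptions; the provider list and URL pattern are the ones on this page.

```javascript
// Added example, not Prism code. Providers and URL pattern come from this page.
const PROVIDERS = ["github", "google", "microsoft", "discord"];

// Assumption: APP_URL is joined to the path with no trailing slash on the origin.
function expectedCallback(appUrl, provider) {
  if (!PROVIDERS.includes(provider)) throw new Error(`unknown provider: ${provider}`);
  return `${appUrl.replace(/\/+$/, "")}/api/connections/${provider}/callback`;
}

// Compare the value typed into the provider console with the expected callback
// and name every component that breaks the provider's exact-match rule.
function diagnoseRedirect(appUrl, provider, registered) {
  const expected = expectedCallback(appUrl, provider);
  if (registered === expected) return { ok: true, expected, problems: [] };
  let want, got;
  try {
    want = new URL(expected);
    got = new URL(registered);
  } catch {
    return { ok: false, expected, problems: ["unparseable-url"] };
  }
  const problems = [];
  if (got.protocol !== want.protocol) problems.push("scheme");
  if (got.host !== want.host) problems.push("host-or-port");
  if (got.pathname !== want.pathname) {
    const onlySlash = got.pathname.replace(/\/+$/, "") === want.pathname;
    problems.push(onlySlash ? "trailing-slash" : "path");
  }
  if (got.search || got.hash) problems.push("query-or-fragment");
  // URL parsing normalises letter case and surrounding whitespace, so an empty
  // list here means the raw strings differ only in that normalisation.
  if (problems.length === 0) problems.push("normalisation-only");
  return { ok: false, expected, problems };
}

// Constructed sample registrations for a hypothetical deployment.
const samples = [
  ["https://prism.example.com", "github", "https://prism.example.com/api/connections/github/callback/"],
  ["https://prism.example.com", "google", "http://prism.example.com/api/connections/google/callback"],
  ["http://localhost:8787", "discord", "http://localhost:8787/api/connections/discord/callback"],
];
for (const [appUrl, provider, registered] of samples) {
  const r = diagnoseRedirect(appUrl, provider, registered);
  console.log(provider, r.ok ? "ok" : `mismatch: ${r.problems.join(", ")}`);
}
```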
User gets a new account on every login — Social connections are matched by (provider, provider_user_id). If the user logged in with a different Prism account before, they will be connected to that account. Use Profile → Connections to link providers to an existing account.
Email already taken on first social login — If an account with the same email already exists (from password registration), Prism rejects the social login with a conflict error. The user must log in with their password first, then connect the social provider from Profile → Connections.
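The matching rules from the GitHub and Discord notes and the last two troubleshooting entries (primary verified email, lookup by (provider, provider_user_id), rejection on email conflict), as an added sketch that is not Prism's source. The in-memory store, the function names, the order of the checks and the lower-casing of emails are assumptions.

```javascript
// Added sketch of the rules described on this page; not Prism's source.
// Constructed sample in the shape of GitHub's GET /user/emails response.
const SAMPLE_GITHUB_EMAILS = [
  { email: "old@example.org", primary: false, verified: true },
  { email: "Dev@Example.org", primary: true, verified: true },
  { email: "typo@example.org", primary: false, verified: false },
];

// Trust only the address that is both primary and verified; an unverified
// address proves nothing about who controls the mailbox.
function pickPrimaryVerifiedEmail(emails) {
  const hit = emails.find((e) => e.primary === true && e.verified === true);
  // Lower-casing is an assumption made so that lookups compare like with like.
  return hit ? hit.email.trim().toLowerCase() : null;
}

// Hypothetical in-memory stand-in for the connection and user tables.
function makeStore() {
  return { connections: new Map(), usersByEmail: new Map(), nextId: 1 };
}

// Decide what a social callback does: log in, create, or reject.
function resolveSocialLogin(store, provider, providerUserId, email) {
  // 1. Identity is the (provider, provider_user_id) pair, never the email.
  const key = JSON.stringify([provider, String(providerUserId)]);
  const linked = store.connections.get(key);
  if (linked) return { action: "login", userId: linked };
  // 2. A new account needs a verified email from the provider.
  if (!email) return { action: "reject", reason: "no_verified_email" };
  // 3. Same email as an existing account: reject instead of auto-linking, so
  //    the account stays with its owner until they link the provider themselves.
  if (store.usersByEmail.has(email)) return { action: "reject", reason: "email_conflict" };
  const userId = store.nextId++;
  store.usersByEmail.set(email, userId);
  store.connections.set(key, userId);
  return { action: "create", userId };
}

// Link a provider from Profile → Connections for an already signed-in user.
function linkProvider(store, userId, provider, providerUserId) {
  store.connections.set(JSON.stringify([provider, String(providerUserId)]), userId);
}
```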