# Google as your sign in option

Scalekit enables apps to easily let users sign in using Google as their social connector. This guide walks you through the process of setting up the connection between Scalekit and Google, and using the Scalekit SDK to add "Sign in with Google" to your application.

By the end of this guide, you will be able to:

1. Test Google sign-in without setting up Google OAuth credentials (dev only)
2. Set up an OAuth 2.0 connection between Scalekit and Google
3. Implement 'Sign in with Google' in your application using the Scalekit SDK

## Set up Google connection

### Access social login settings

Open your Scalekit dashboard and navigate to Social Login under the Authentication section.

![Scalekit dashboard showcasing social login setup with various platform integration options.](@/assets/docs/guides/social-connections/google-social/1-navigate-to-social-logins.png)

### Add Google connection

Click the "+ Add Connection" button and select Google from the list of available options.

![Add social login connections: Google, Microsoft, GitHub, GitLab, Salesforce.](@/assets/docs/guides/social-connections/google-social/2-list-social-logins.png)

## Test with Scalekit credentials

For faster development and testing, Scalekit provides pre-configured Google OAuth credentials, allowing you to test the authentication flow without setting up your own Google OAuth client.

This is particularly useful when you want to quickly validate Google sign-in functionality in your app without dealing with OAuth setup. It also helps if you're still in the early stages of development and don't have Google credentials yet, or if you need to test the behavior before setting up a production-ready connection.

Under OAuth Configuration, select **Use Scalekit credentials** and save the changes. You can then test the setup by clicking **Test Connection**.

![Use Scalekit credentials to test connection](@/assets/docs/guides/social-connections/google-social/2-1-test-scalekit-credentials.png)

## Set up with your own credentials

### Configure OAuth settings

The OAuth Configuration details page helps you set up the connection:

- Note the **Redirect URI** provided for your app. You'll use this URL to register with Google.
- **Client ID** and **Client Secret** are generated by Google when you register an OAuth App. They enable Scalekit to authenticate your app and establish trust with Google.

### Get Google OAuth client credentials

1. Open the <a href="https://console.cloud.google.com/" target="_blank" rel="noopener">Google Cloud Platform Console</a>. From the projects list, select an existing project or create a new one.

2. Navigate to the <a href="https://console.cloud.google.com/auth/overview" target="_blank" rel="noopener">Google Auth Platform's overview page</a>.
   - Click **Get Started** and provide details such as app information, audience, and contact information.
   - **Important**: Select **External** audience type. You must use External for social login because:
     - **Internal** only works for whitelisted Google Workspace accounts (your own employees)
     - **External** allows anyone with a Google account to sign in to your app
     - **Internal** cannot be used for public-facing authentication
   - Complete the process by clicking **Create**.

3. On the "Overview" page, click the **Create OAuth Client** button to start setting up your app's OAuth client.

4. Choose the appropriate application type (e.g., web application) from the dropdown menu.

5. Copy the redirect URI from your Google Social Login configuration and paste it into the **Authorized Redirect URIs** field. The URI should follow this format (for development environment): `https://{your-subdomain}.scalekit.dev`.

6. **Save and retrieve credentials**: Click **Save** to finalize the setup. You will be redirected to a list of Google OAuth Clients. Select the newly created client and copy the **Client ID** and **Client Secret** from the additional information section.

7. **Enter credentials in social login configuration**: Paste the copied client credentials into their respective fields on your Google Social Login page.

8. Click **Test Connection** to simulate and verify the Google Sign-In flow.

**Google OAuth consent screen behavior:** Before using custom credentials in production, understand what users will see on Google's consent screen:

| Audience Type | Consent Screen Behavior | When To Use |
|--------------|------------------------|-------------|
| **Internal** | Shows your App Name and logo from Branding settings | Only for your own employees using whitelisted Google Workspace domains |
| **External** | Shows `{env_name}.scalekit.dev` domain until Google verifies your app | For public users—anyone with a Google account can sign in |

**Why you must use External for social login:**

- **Internal** restricts access to pre-approved email domains you control. Public users with `@gmail.com` or other Google accounts cannot sign in.
- **External** is required because social login is for anyone, not just your employees.
- Until Google completes verification of your External app, users see `scalekit.dev` instead of your custom domain. After verification, your App Name and logo appear on the consent screen.

**Note:** This is Google's OAuth behavior—not Scalekit's. The verification is separate from Scalekit's domain verification for Enterprise SSO.

For Google's verification requirements and timeline, refer to <a href="https://support.google.com/cloud/answer/13463073" target="_blank" rel="noopener">Google's OAuth consent screen verification guide</a>.

![Google OAuth configuration in Scalekit, showing redirect URI, client credentials, and scopes for social login setup.](@/assets/docs/common/social-connections/3-google-oauth-config.png)

- Use the Redirect URI from Scalekit as the Callback URL in Google's setup
- Copy the generated Client ID and Client Secret into the Scalekit Dashboard

After completing the setup, click "Save Changes" in Scalekit for the changes to take effect.

![Google OAuth configuration for social login, showing redirect URI, client ID, and scopes for authentication.](@/assets/docs/guides/social-connections/google-social/4-after-oauth-config.png)

### Configure login prompt behavior

Scalekit offers flexibility to control how and when users are prompted for reauthentication, consent, or account selection. Below are the available options for customizing user sign-in behavior:

- **Auto sign-in (default)**:
  Automatically completes the login process without showing any confirmation prompts. This is ideal for single Google account users who are already logged in and have previously provided consent.

- **Consent**:
  The authorization server prompts the user for consent before returning information to the client.

- **Select account**:
  The authorization server prompts the user to select a user account. This lets a user who has multiple accounts at the authorization server choose among the accounts for which they have current sessions.

- **None**:
  The authorization server does not display any authentication or user consent screens; it returns an error if the user is not already authenticated and has not pre-configured consent for the requested scopes. You can use **None** to check for existing authentication and/or consent.
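
At the protocol level, these options correspond to the OpenID Connect `prompt` parameter on the authorization request sent to Google. The following is an added example, not Scalekit SDK code or part of the original guide: it builds that request for each option and classifies the callback, including the error a **None** request produces when the user would have needed to interact. The client ID, redirect URI and state values are constructed placeholders, and treating auto sign-in as "no `prompt` parameter" is an assumption.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Dashboard option -> OpenID Connect `prompt` value. Treating auto sign-in as
# "send no prompt parameter" is an assumption of this example.
PROMPT_VALUES = {"auto": None, "consent": "consent",
                 "select_account": "select_account", "none": "none"}

# Errors OpenID Connect Core defines for a prompt=none request that could not
# complete without showing the user a screen.
NEEDS_INTERACTION = {"login_required", "consent_required",
                     "interaction_required", "account_selection_required"}


def build_auth_url(client_id, redirect_uri, state, option="auto"):
    """Build the authorization request for one of the four prompt options."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
    }
    prompt = PROMPT_VALUES[option]  # KeyError on an unknown option
    if prompt is not None:
        params["prompt"] = prompt
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def classify_callback(callback_url, expected_state):
    """Return (outcome, detail) for the redirect that ends the request."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # Check state first so a forged callback is never interpreted further.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return ("rejected", "state mismatch")
    error = query.get("error", [None])[0]
    if error in NEEDS_INTERACTION:
        return ("retry_with_prompt", error)  # fall back to an interactive option
    if error is not None:
        return ("failed", error)
    code = query.get("code", [None])[0]
    return ("code", code) if code else ("failed", "no code or error")


# Constructed sample values, not real credentials or endpoints.
REDIRECT = "https://app.example.test/callback"
SILENT_URL = build_auth_url("constructed-client-id", REDIRECT, "st-123", "none")
```

A `retry_with_prompt` outcome means the silent check found no usable session or consent, so the application should restart sign-in with one of the interactive options rather than treat the response as a failure.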

## Verify the connection

Click the "Test Connection" button in Scalekit. You will be redirected to the Google Consent screen to authorize access. A summary table will show the information that will be sent to your app.

![Test connection success](@/assets/docs/guides/social-connections/google-social/5-successful-test-connection.png)