Social login is enabled by your operator (organization), and each
organization uses its own Google/Apple/Microsoft/Meta apps, so the user
sees YOUR brand on the consent screen. Check which providers are active
with
GET /v1/auth/oauth/providers.1. Discover the enabled providers
To render the right buttons, your front end asks which providers are active and with whichclient_id:
client_id is not secret.
2. Get the credential in your front end
Each provider hands you a credential through its own SDK. Minimal examples:- Google
- Apple
- Microsoft
- Meta (Facebook)
With Google Identity Services:
3. Exchange the credential for a session
201:
200 with access_token,
account_id and role (same as password login).
The type field (person | company, default person) is only used when
creating the account; it is ignored if the account already exists.
How create vs. sign-in is decided
4. Social login and 2FA
If the account has OTP enabled on login (security and 2FA), social login respects that second step: instead of the session,POST /v1/auth/oauth returns
otp_required: true + pending_token, and you complete it with
POST /v1/auth/login/otp just like password login.
5. Link and unlink providers
A signed-in user can manage their sign-in methods:409 last_login_method (set a password or link another provider first).
Errors
FAQ
Do I need to handle redirects or OAuth callbacks?
Do I need to handle redirects or OAuth callbacks?
No. The consent flow happens in your front end with the provider SDK;
you only send the resulting credential to CBPay. There are no callback
pages or server-side state.
What if the provider does not return a verified email?
What if the provider does not return a verified email?
No automatic linking by email (prevents someone from claiming another
person’s email). A standalone account tied to that identity is created;
the user can add email/password later.
Is the provider credential usable as a CBPay token?
Is the provider credential usable as a CBPay token?
No. The provider credential is used once to verify you; every following
call uses the CBPay
access_token.