Skip to main content
Your users can sign up and sign in with Google, Apple, Microsoft or Facebook — no passwords to create or remember. CBPay uses the token exchange model: the “Continue with…” button lives in your front end, the user approves at the provider, your front end receives a credential and passes it to the API; CBPay verifies it cryptographically and returns the session.
Social login is enabled by your operator (organization), and each organization uses its own Google/Apple/Microsoft/Meta apps, so the user sees YOUR brand on the consent screen. Check which providers are active with GET /v1/auth/oauth/providers.

1. Discover the enabled providers

To render the right buttons, your front end asks which providers are active and with which client_id:
It is a public endpoint (no token needed): the client_id is not secret.

2. Get the credential in your front end

Each provider hands you a credential through its own SDK. Minimal examples:
With Google Identity Services:

3. Exchange the credential for a session

New user → the account is created and returns 201:
Existing user → signs in and returns 200 with access_token, account_id and role (same as password login). The type field (person | company, default person) is only used when creating the account; it is ignored if the account already exists.

How create vs. sign-in is decided

4. Social login and 2FA

If the account has OTP enabled on login (security and 2FA), social login respects that second step: instead of the session, POST /v1/auth/oauth returns otp_required: true + pending_token, and you complete it with POST /v1/auth/login/otp just like password login. A signed-in user can manage their sign-in methods:
You cannot unlink your only sign-in method: if the account has no password and that provider is the only one linked, the API responds 409 last_login_method (set a password or link another provider first).

Errors

FAQ

No. The consent flow happens in your front end with the provider SDK; you only send the resulting credential to CBPay. There are no callback pages or server-side state.
Yes. They can register with email/password and later link Google, or the other way around. All methods point to the same account as long as the email matches and is verified.
No automatic linking by email (prevents someone from claiming another person’s email). A standalone account tied to that identity is created; the user can add email/password later.
No. The provider credential is used once to verify you; every following call uses the CBPay access_token.
Last modified on July 9, 2026