Most apps only need these provider endpoints plus the client credentials generated for each app below.
Client ID and Client secret are generated when you create an app below. Most services only need the provider URLs and your app callback URL.
Start with the basics. Advanced settings stay tucked away unless you need them.
This is where prod-auth will send the authorization code after sign-in.
Public apps can be used by anyone who passes tag requirements. Private apps are limited to you plus selected users.
Optional. Passgate will clear its own session, then hand the browser to this URL. Leave it blank to return users to the app redirect URL after sign-out.
For Portainer, use `username` here and also set Portainer's own User Identifier field to `username`.
Available scopes: `id`, `email`, `name`, `username`, `tags`.
Portainer tip: enable Automatic user provisioning, set User identifier to `username`, and include `username,email,name` in scopes.
No. Use a server-side confidential client and exchange the authorization code on your backend.
Not currently. Exchange the code, fetch user info, and create your own local app session right away.
Use `username` by default. It is human-readable and works well with integrations like Portainer. Use `id` only if your app specifically needs an immutable opaque identifier.
Usually the Passgate `sub`, `username`, optional `email`, optional display name, and any app-specific role or tenant mapping you need.
Use the per-app Logout URL that Passgate gives you. It clears the Passgate session first, then sends the browser to your app's configured post-logout destination.
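The backend flow these answers describe (confidential client, server-side code exchange, user info fetch, immediate local session), as an added example rather than Passgate's own code. The endpoint URLs are placeholders, the `post_form`/`get_json` helpers are hypothetical, and the standard OAuth 2.0 form parameters and the `sub`/`username`/`email`/`name` user info keys are assumptions.

```python
import hmac
import secrets

# Placeholder endpoints (assumptions): copy the real provider URLs from your app page.
TOKEN_URL = "https://passgate.example/oauth/token"
USERINFO_URL = "https://passgate.example/oauth/userinfo"


class CallbackError(Exception):
    """Raised when the callback must be rejected and no session created."""


def handle_callback(params, expected_state, client, post_form, get_json):
    """Exchange the authorization code on the backend and return a local session record.

    post_form(url, form) and get_json(url, headers) are injected HTTP helpers
    (hypothetical names) that return the parsed JSON response as a dict.
    """
    # Reject callbacks whose state differs from the value stored before redirecting.
    state = str(params.get("state", "")).encode()
    if not expected_state or not hmac.compare_digest(state, expected_state.encode()):
        raise CallbackError("state mismatch")
    if "code" not in params:
        raise CallbackError(params.get("error", "missing code"))

    # Standard OAuth 2.0 authorization-code grant; the secret never leaves the backend.
    token = post_form(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": client["redirect_uri"],
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
    })
    access_token = token.get("access_token")
    if not access_token:
        raise CallbackError("token exchange failed")

    # Fetch user info once, then rely on the app's own session from here on.
    info = get_json(USERINFO_URL, {"Authorization": f"Bearer {access_token}"})
    if not info.get("sub") or not info.get("username"):
        raise CallbackError("userinfo missing sub or username")

    # Keep only what the local session needs; this example discards the access token.
    return {
        "session_id": secrets.token_urlsafe(32),
        "sub": info["sub"],
        "username": info["username"],
        "email": info.get("email"),  # optional
        "name": info.get("name"),    # optional display name
    }
```

Add any app-specific role or tenant mapping to the returned record before persisting it in your own session store.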