
High-level OAuth 2.0 powered by Deno KV.

MIT License


Deno KV OAuth (Beta)

High-level OAuth 2.0 powered by Deno KV.



Check out the full documentation and API reference here.


Get Started with a Pre-Defined OAuth Configuration

See here for the list of OAuth providers with pre-defined configurations.

  1. Create your OAuth application for your given provider.

  2. Create your web server using Deno KV OAuth's request handlers, helpers and pre-defined OAuth configuration.

    // server.ts
    import { createGitHubOAuthConfig, createHelpers } from "jsr:@deno/kv-oauth";
    const oauthConfig = createGitHubOAuthConfig();
    const {
    } = createHelpers(oauthConfig);
    async function handler(request: Request) {
      const { pathname } = new URL(request.url);
      switch (pathname) {
        case "/oauth/signin":
          return await signIn(request);
        case "/oauth/callback":
          const { response } = await handleCallback(request);
          return response;
        case "/oauth/signout":
          return await signOut(request);
        case "/protected-route":
          return await getSessionId(request) === undefined
            ? new Response("Unauthorized", { status: 401 })
            : new Response("You are allowed");
          return new Response(null, { status: 404 });
  3. Start your server with the necessary environment variables.

    GITHUB_CLIENT_ID=xxx GITHUB_CLIENT_SECRET=xxx deno run --unstable-kv --allow-env --allow-net server.ts

Check out a full implementation in the demo source code which runs

Get Started with a Custom OAuth Configuration

  1. Create your OAuth application for your given provider.

  2. Create your web server using Deno KV OAuth's request handlers and helpers, and custom OAuth configuration.

    // server.ts
    import {
      type OAuth2ClientConfig,
    } from "jsr:@deno/kv-oauth";
    const oauthConfig: OAuth2ClientConfig = {
      clientId: getRequiredEnv("CUSTOM_CLIENT_ID"),
      clientSecret: getRequiredEnv("CUSTOM_CLIENT_SECRET"),
      authorizationEndpointUri: "",
      tokenUri: "",
      redirectUri: "",
    const {
    } = createHelpers(oauthConfig);
    async function handler(request: Request) {
      const { pathname } = new URL(request.url);
      switch (pathname) {
        case "/oauth/signin":
          return await signIn(request);
        case "/another-dir/callback":
          const { response } = await handleCallback(request);
          return response;
        case "/oauth/signout":
          return await signOut(request);
        case "/protected-route":
          return await getSessionId(request) === undefined
            ? new Response("Unauthorized", { status: 401 })
            : new Response("You are allowed");
          return new Response(null, { status: 404 });
  3. Start your server with the necessary environment variables.

    CUSTOM_CLIENT_ID=xxx CUSTOM_CLIENT_SECRET=xxx deno run --unstable-kv --allow-env --allow-net server.ts

Get Started with Cookie Options

This is required for OAuth solutions that span more than one sub-domain.

  1. Create your OAuth application for your given provider.

  2. Create your web server using Deno KV OAuth's helpers factory function with cookie options defined.

    // server.ts
    import { createGitHubOAuthConfig, createHelpers } from "jsr:@deno/kv-oauth";
    const {
    } = createHelpers(createGitHubOAuthConfig(), {
      cookieOptions: {
        name: "__Secure-triple-choc",
        domain: "",
    async function handler(request: Request) {
      const { pathname } = new URL(request.url);
      switch (pathname) {
        case "/oauth/signin":
          return await signIn(request);
        case "/oauth/callback":
          const { response } = await handleCallback(request);
          return response;
        case "/oauth/signout":
          return await signOut(request);
        case "/protected-route":
          return await getSessionId(request) === undefined
            ? new Response("Unauthorized", { status: 401 })
            : new Response("You are allowed");
          return new Response(null, { status: 404 });
  3. Start your server with the necessary environment variables.

    GITHUB_CLIENT_ID=xxx GITHUB_CLIENT_SECRET=xxx deno run --unstable-kv --allow-env --allow-net server.ts

Get Started with Fresh

  1. Create your OAuth application for your given provider.

  2. Create your OAuth configuration and Fresh plugin.

    // plugins/kv_oauth.ts
    import { createGitHubOAuthConfig, createHelpers } from "jsr:@deno/kv-oauth";
    import type { Plugin } from "$fresh/server.ts";
    const { signIn, handleCallback, signOut, getSessionId } = createHelpers(
    export default {
      name: "kv-oauth",
      routes: [
          path: "/signin",
          async handler(req) {
            return await signIn(req);
          path: "/callback",
          async handler(req) {
            // Return object also includes `accessToken` and `sessionId` properties.
            const { response } = await handleCallback(req);
            return response;
          path: "/signout",
          async handler(req) {
            return await signOut(req);
          path: "/protected",
          async handler(req) {
            return await getSessionId(req) === undefined
              ? new Response("Unauthorized", { status: 401 })
              : new Response("You are allowed");
    } as Plugin;
  3. Add the plugin to your Fresh app.

  4. Start your Fresh server with the necessary environment variables.

    GITHUB_CLIENT_ID=xxx GITHUB_CLIENT_SECRET=xxx deno task start

Run the Demo Locally

The demo uses GitHub as the OAuth provider. You can change the OAuth configuration by setting the oauthConfig constant as mentioned above.

  1. Create your OAuth application for your given provider.

  2. Start the demo with the necessary environment variables.



Redirects after Sign-In and Sign-Out

The URL that the client is redirected to upon successful sign-in or sign-out is determined by the request made to the sign-in or sign-out endpoint. This value is set in the following order of precedence:

  1. The value of the success_url URL parameter of the request URL, if defined.
    E.g. a request to redirects
    the client to /success after successful sign-in.
  2. The value of the
    header, if of the same origin as the request. E.g. a request to with Referer header
    redirects the client to after successful sign-in.
  3. The root path, "/". E.g. a request to without the
    Referer header redirects the client to after
    successful sign-in.

Pre-Defined OAuth Configurations


The following providers have pre-defined OAuth configurations:

  1. Auth0
  2. AWS Cognito User Pool
  3. AzureAD
  4. AzureADB2C
  5. Clerk
  6. Discord
  7. Dropbox
  8. Facebook
  9. GitHub
  10. GitLab
  11. Google
  12. Logto
  13. Notion
  14. Okta
  15. Patreon
  16. Slack
  17. Spotify
  18. Twitter

Environment Variables

These must be set when starting a server with a pre-defined OAuth configuration. Replace the PROVIDER prefix with your given OAuth provider's name when starting your server. E.g. DISCORD, GOOGLE, or SLACK.

    Client ID
    of a given OAuth application.
    Client secret
    of a given OAuth application.
  3. PROVIDER_DOMAIN (optional) - Server domain of a given OAuth application.
    Required for Auth0, AzureADB2C, AWS Cognito, and Okta.

Note: reading environment variables requires the --allow-env[=<VARIABLE_NAME>...] permission flag. See the manual for further details.

Built with Deno KV OAuth

  1. Deno KV OAuth live demo
  2. Deno SaaSKit - A modern SaaS template built on
    Fresh and uses a custom Deno KV OAuth plugin.
  3. KV SketchBook - Dead simple
    sketchbook app.
  4. Fresh + Deno KV OAuth demo -
    A demo of Deno KV OAuth working in the
    Fresh web framework.
  5. Oak + Deno KV OAuth demo -
    A demo of Deno KV OAuth working in the
    Oak web framework.
  6. Ultra + Deno KV OAuth demo -
    A demo of Deno KV OAuth working in the
    Ultra web framework.
  7. Hono + Deno KV OAuth demo -
    A demo of Deno KV OAuth working in the
    Hono web framework.
  8. Cheetah + Deno KV OAuth demo -
    A demo of Deno KV OAuth working in the
    Cheetah web framework.
  9. Paquet - A web app shop
  10. Fastro + Deno KV OAuth live demo - A simple,
    reusable fastro module that implements Deno KV.

Do you have a project powered by Deno KV OAuth that you'd like to share? Feel free to let us know in a new issue.

Known Issues

  • Twitch is not supported as an OAuth provider because it does not support PKCE.
    See #79 and
    this post
    for more information.

Contributing Guide

Check out the contributing guide here.

Security Policy

Check out the security policy here.