Authentication

Configure authentication providers and manage user sessions.

Overview

ShipKit uses NextAuth.js v4 for authentication with support for multiple providers, session management, and role-based access control.

Supported Providers

Google OAuth (Pre-configured)

  1. Go to the Google Cloud Console
  2. Create OAuth 2.0 credentials
  3. Add your redirect URI: https://your-domain.com/api/auth/callback/google
  4. Set environment variables:
       GOOGLE_CLIENT_ID=your-client-id
       GOOGLE_CLIENT_SECRET=your-client-secret

Email Magic Link (Pre-configured)

Magic link authentication works out of the box with any configured email provider (Resend, Mailgun, or SMTP). Set the sender address:

  EMAIL_FROM=noreply@your-domain.com

Additional Providers (Ready to Enable)

The following providers are pre-configured and can be enabled by adding credentials:

  • Apple OAuth
  • Twitter OAuth
  • Facebook OAuth

Session Management

Sessions are stored in the database for persistence. Each session includes:

  • User ID and email
  • Active organization ID
  • Role and permissions
  • Expiration timestamp

Role-Based Access Control

ShipKit implements RBAC at the organization level:

  • Owner: Full access to everything
  • Admin: Manage members, billing, and settings
  • Member: Access to organization resources
  • Custom Roles: Create roles with granular permissions

API Key Authentication

For external integrations, users can generate API keys:

  • Keys are hashed before storage (the plaintext is never stored)
  • Scoped to a single organization
  • Can be revoked at any time
  • Rate limited per key

Protected Routes

Use the middleware to protect routes:

  • Marketing pages: Public access
  • Dashboard pages: Require authentication
  • Admin pages: Require admin role
  • API routes: Require valid session or API key