Authentication
Skillist supports passwordless authentication — no passwords stored.
Sign-in methods
Section titled “Sign-in methods”| Method | Where |
|---|---|
| GitHub OAuth | skillist.dev/login |
| Google OAuth | skillist.dev/login |
| Passkey | Login page or Account |
| Magic link | Email link via API |
| Email OTP | One-time code via email |
| Enterprise SSO | Login page (when configured) |
Account
Section titled “Account”Signed-in users manage personal auth at skillist.dev/account:
- Display name
- Linked GitHub / Google providers
- Passkey registration and removal
- Active session revoke
Org API keys and OAuth app redirect docs stay under Settings.
API auth
Section titled “API auth”Session cookies are used by the web app. Production sessions use cross-subdomain cookies on .skillist.dev so skillist.dev and api.skillist.dev share the same session. The CLI and API keys use Bearer tokens after skillist login.
Protected API routes live under /v1/* and require a valid session or org API key.
MCP OAuth
Section titled “MCP OAuth”MCP clients use a separate OAuth flow — see OAuth authentication. Sign-in still happens at skillist.dev/login.
Sandbox policy
Section titled “Sandbox policy”Hosted sandbox runs require authentication. Anonymous users can browse public skill scripts but cannot execute them.
Enterprise SSO (OIDC)
Section titled “Enterprise SSO (OIDC)”Configure Better Auth generic OAuth on the API worker with:
SSO_CLIENT_ID/SSO_CLIENT_SECRETSSO_DISCOVERY_URLorSSO_AUTHORIZATION_URL+SSO_TOKEN_URL(+ optionalSSO_USERINFO_URL)- Optional
SSO_PROVIDER_ID(defaultsso) andSSO_SCOPES
The web login page exposes Enterprise SSO, which calls /api/auth/sign-in/oauth2.
Local OAuth redirects
Section titled “Local OAuth redirects”| Provider | Redirect URI |
|---|---|
| GitHub | http://localhost:8787/api/auth/callback/github |
http://localhost:8787/api/auth/callback/google |
Production uses https://api.skillist.dev/api/auth/callback/{provider}.
See apps/api/.dev.vars.example for local client IDs.