Skip to content
Open app

Authentication

Skillist supports passwordless authentication — no passwords stored.

Method Where
GitHub OAuth skillist.dev/login
Google OAuth skillist.dev/login
Passkey Login page or Account
Magic link Email link via API
Email OTP One-time code via email
Enterprise SSO Login page (when configured)

Signed-in users manage personal auth at skillist.dev/account:

  • Display name
  • Linked GitHub / Google providers
  • Passkey registration and removal
  • Active session revoke

Org API keys and OAuth app redirect docs stay under Settings.

Session cookies are used by the web app. Production sessions use cross-subdomain cookies on .skillist.dev so skillist.dev and api.skillist.dev share the same session. The CLI and API keys use Bearer tokens after skillist login.

Protected API routes live under /v1/* and require a valid session or org API key.

MCP clients use a separate OAuth flow — see OAuth authentication. Sign-in still happens at skillist.dev/login.

Hosted sandbox runs require authentication. Anonymous users can browse public skill scripts but cannot execute them.

Configure Better Auth generic OAuth on the API worker with:

  • SSO_CLIENT_ID / SSO_CLIENT_SECRET
  • SSO_DISCOVERY_URL or SSO_AUTHORIZATION_URL + SSO_TOKEN_URL (+ optional SSO_USERINFO_URL)
  • Optional SSO_PROVIDER_ID (default sso) and SSO_SCOPES

The web login page exposes Enterprise SSO, which calls /api/auth/sign-in/oauth2.

Provider Redirect URI
GitHub http://localhost:8787/api/auth/callback/github
Google http://localhost:8787/api/auth/callback/google

Production uses https://api.skillist.dev/api/auth/callback/{provider}.

See apps/api/.dev.vars.example for local client IDs.