zomg auth settings.
Zomg can’t create the Google Auth Platform Web application OAuth client for you through a supported Google API. Google exposes programmatic OAuth-client APIs for IAP and workforce flows, but those clients aren’t the normal accounts.google.com Web application client that Zomg uses.
What Zomg deploys
During deployment, Zomg creates:
- An auth host at https://auth.<zomg_domain>.
- /auth/signin, /auth/cli/signin, /auth/callback, /auth/logout, and /auth/verify routes on zomg-api.
- Traefik forward-auth middleware named zomg-auth.
- A persistent auth settings file at /var/lib/boxes/data/auth/settings.json.
AUTH_JWT_SECRET signs browser session tokens and CLI auth tokens.
ZOMG_AUTH_GOOGLE_CLIENT_ID is the Google OAuth client ID.
ZOMG_AUTH_GOOGLE_CLIENT_SECRET is the Google OAuth client secret.
auth_jwt_secret for you. You provide the Google OAuth client ID and secret.
Create the Google OAuth client
Create a Google OAuth Web application client in the same Google Cloud project you use for the deployment. Open the Auth Platform clients page for your deployment project:
zomg-prod-123456, use:
- Click Create client or Create OAuth client.
- Choose Web application as the application type.
- Name it for the Zomg deployment, for example Zomg prod.
- Add the authorized redirect URI shown below.
- Create the client.
- Copy or download the client ID and client secret.
zomg.example.com, the redirect URI is:
google_workspace_domain seeds the default allowed Google Workspace domain. You can add or replace allowed domains and emails later.
If you use Codex or another browser-capable agent, you can ask it to open the Auth Platform clients page, create the Web application client, confirm the redirect URI, and store the downloaded credentials in the Zomg setup profile.
Deploy auth configuration
Run deploy after adding or changing the Google OAuth credentials:
zomg-api as:
Sign in from the CLI
After deploy, sign in with Google:
auth_token in the local profile config.
Print the stored token for agents and scripts:
Enable route protection
Routes are public until you enable protection. This lets you deploy and test before enforcing browser sign-in. Protect unpublished box URLs and system domains:
--protect-unpublished applies to box hosts under the Zomg domain. --protect-system applies to system domains like API and dashboard routes.
Published app URLs stay public by default. Require auth for a specific box:
Control who can sign in
By default, Zomg allows users from google_workspace_domain when it is set. You can replace the allowed domain list or add explicit emails:
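The allow-list decision this section describes, sketched as an added example (not Zomg's own code). It assumes the Google ID token's signature, issuer and audience were already verified; the function names and sample claims are hypothetical, while `email`, `email_verified` and `hd` are standard Google ID token claims.

```python
# Added example, not Zomg's implementation: deciding whether a signed-in
# Google identity is allowed, given allowed domains and explicit emails.
# Assumes `claims` come from an ID token that was already fully verified.

def normalize(value):
    """Lower-case and trim so comparisons are not case- or space-sensitive."""
    return (value or "").strip().lower()

def is_allowed(claims, allowed_domains=(), allowed_emails=()):
    """Return (allowed, reason) for one set of verified ID token claims."""
    email = normalize(claims.get("email"))
    if not email or email.count("@") != 1:
        return False, "missing or malformed email claim"
    # Only a literal boolean True counts; absent or False is rejected.
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    if email in {normalize(e) for e in allowed_emails}:
        return True, "explicit email"
    # Domain membership is taken from the hosted-domain (hd) claim, not from
    # the address suffix: a consumer Google account can be registered with an
    # address at the same domain and will carry no hd claim.
    hosted_domain = normalize(claims.get("hd"))
    if hosted_domain and hosted_domain in {normalize(d) for d in allowed_domains}:
        return True, "workspace domain"
    return False, "not in allowed domains or emails"

# Constructed sample claims (not real accounts).
SAMPLE_CLAIMS = [
    {"email": "Alice@Example.com", "email_verified": True, "hd": "example.com"},
    {"email": "bob@example.com", "email_verified": True},  # no hd claim
    {"email": "carol@partner.test", "email_verified": True},
    {"email": "dave@example.com", "email_verified": False, "hd": "example.com"},
]

if __name__ == "__main__":
    for claims in SAMPLE_CLAIMS:
        verdict = is_allowed(claims, ["example.com"], ["carol@partner.test"])
        print(claims["email"], verdict)
```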
Troubleshooting
If zomg auth settings prints configured=false, redeploy after setting all required values:
zomg auth signin again and confirm the selected profile points at the deployed API: