Stack Auth - Production

Steps to prepare Stack for production use.

Stack ships with defaults that make development easy, but several of them trade security and user experience for convenience and must be changed before you go live. Here’s a checklist of things to do before switching to production mode.

Domains

By default, Stack accepts any localhost URL as a valid callback URL. This is convenient for development but unsafe in production: the callback URL is where the result of a sign-in flow is delivered, so any destination you have not explicitly registered is one an attacker could point a flow at. In production, Stack must know your domain (for example, https://your-website.com) and accept callbacks only to URLs on those registered domains.

Follow these steps when you’re ready to push your application to production:

Add Your Domain

Navigate to the Domain & Handlers tab in the Stack dashboard and add your production domain (for example, https://your-website.com). If you haven’t configured your handler, you can leave it as the default. Learn more about handlers here.

Disable Localhost Callbacks

Once your domain is registered, disable the Allow all localhost callbacks for development option so that only callbacks to the registered domains are accepted.
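To make the two settings above concrete, here is an added example (not Stack’s own code, and not how Stack implements the check internally) of the allowlist logic a callback URL check should implement once localhost callbacks are off. It compares whole origins, which is what defeats the usual tricks of smuggling the registered name into a hostname, the userinfo part or the query string. The domain https://your-website.com, the handler path and the sample URLs are assumptions.

```javascript
// Added example, not Stack's own code: the allowlist logic a callback URL check
// should implement once "Allow all localhost callbacks" is switched off.
// The origins and paths below are assumptions; use your real domain.

// Exact origins (scheme + host + port) registered in the dashboard, plus the
// development-only switch that accepts any localhost callback.
const developmentPolicy = { allowedOrigins: [], allowLocalhostCallbacks: true };
const productionPolicy = {
  allowedOrigins: ["https://your-website.com"],
  allowLocalhostCallbacks: false,
};

function isLoopbackHost(hostname) {
  // The WHATWG URL parser keeps the brackets on IPv6 hostnames, hence "[::1]".
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Returns null when the callback URL is acceptable under the policy, otherwise
// the reason it was refused.
function checkCallbackUrl(raw, policy) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return "not an absolute URL";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return `scheme ${url.protocol} is not allowed`;
  }
  // Compare the whole origin, never a substring of the host: both
  // "https://your-website.com.attacker.com" and "https://your-website.com@attacker.com"
  // contain the registered name, but url.origin is attacker-controlled in both.
  if (policy.allowedOrigins.indexOf(url.origin) !== -1) {
    return null;
  }
  if (isLoopbackHost(url.hostname)) {
    return policy.allowLocalhostCallbacks ? null : "localhost callbacks are disabled";
  }
  return `origin ${url.origin} is not registered`;
}

// Constructed sample callbacks, including the shapes an attacker would try.
const sampleCallbacks = [
  "https://your-website.com/handler/oauth-callback",
  "http://your-website.com/handler/oauth-callback",       // registered host, wrong scheme
  "https://your-website.com:8443/handler/oauth-callback", // registered host, wrong port
  "https://your-website.com.attacker.com/cb",             // registered name as a prefix
  "https://your-website.com@attacker.com/cb",             // registered name as userinfo
  "https://attacker.com/?next=https://your-website.com",  // registered name only in the query
  "http://localhost:3000/handler/oauth-callback",         // fine in development only
  "javascript:alert(1)",                                  // not http(s) at all
];

// Evaluates every sample under a policy and returns the URLs it accepts.
function acceptedCallbacks(policy) {
  return sampleCallbacks.filter((cb) => checkCallbackUrl(cb, policy) === null);
}

for (const cb of sampleCallbacks) {
  const verdict = checkCallbackUrl(cb, productionPolicy);
  console.log(`${verdict === null ? "accept" : "reject"}  ${cb}${verdict ? `  (${verdict})` : ""}`);
}
```

Under the production policy only the first URL is accepted; every other sample is refused with a reason, including the localhost one. Under the development policy the localhost callback is the one that gets through, which is exactly the behaviour you are turning off with the dashboard switch.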

OAuth Providers

For development, Stack uses shared OAuth keys so that “Sign in with Google/GitHub/etc.” works without any setup. That is not suitable for production: the shared OAuth app is not yours, so the provider’s consent screen shows “Stack Development” instead of your application’s name, which confuses users, and the credentials behind it are not under your control. Create your own OAuth app with each provider and connect its keys to Stack.

To use your own OAuth provider setup in production, follow these steps for each provider you use:

Create an OAuth App

On the provider’s website, create an OAuth app and set its redirect (callback) URL to the corresponding Stack callback URL. Providers compare the registered redirect URL with the one in each request exactly, so copy it verbatim, including the scheme and path. Then copy the client ID and client secret; treat the secret like a password.

Google OAuth Setup Guide 

Callback URL:

https://api.stack-auth.com/api/v1/auth/oauth/callback/google

Enter OAuth Credentials

Go to the Auth Methods section in the Stack dashboard, open the provider settings, switch from shared keys to custom keys, and enter the client ID and client secret.

Email Server

For development, Stack uses a shared email server that sends emails from Stack’s domain. This is not ideal for production: your users have never heard of that domain, so they have no reason to trust sign-in and verification emails coming from it. Set up an email server that sends from your own domain.

Steps to connect your own email server with Stack:

  1. Setup Email Server: Configure your own email server (or an SMTP provider) and connect it to your domain, including the SPF and DKIM records that let receiving servers verify the mail really comes from your domain (this step is beyond Stack documentation scope).
  2. Configure Stack Email Settings: Navigate to the Emails section in the Stack dashboard, click Edit in the Email Server section, switch from Shared to Custom SMTP server, enter your SMTP configuration, and save.
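Before pasting SMTP settings into the dashboard it is worth linting them, because the two mistakes that matter here are easy to make: a From address that is not on your domain (which defeats the purpose of the custom server) and a port/TLS combination that sends the SMTP password in the clear. The following is an added example, not Stack’s code and not the dashboard’s validation; the field names (`host`, `port`, `tls`, `username`, `password`, `senderEmail`), the provider hostname and the domain your-website.com are assumptions, and the two configurations are constructed to show a weak setup beside its corrected form.

```javascript
// Added example, not Stack's own code: a pre-flight check to run over the SMTP
// settings before pasting them into the dashboard. The field names, the config
// objects and the domain "your-website.com" are constructed for illustration.

/**
 * Returns the list of problems found in an SMTP configuration (empty = looks sane).
 * `tls` is one of "implicit" (TLS from the first byte, port 465), "starttls"
 * (plaintext greeting upgraded with STARTTLS, port 587) or "none".
 */
function lintSmtpConfig(cfg, ownDomain) {
  const problems = [];
  const domain = ownDomain.toLowerCase();

  // 1. Sender identity: the reason for a custom server is mail from a domain
  //    users already know, so the From address must be on it (or a subdomain).
  const at = cfg.senderEmail.lastIndexOf("@");
  const senderDomain = at === -1 ? "" : cfg.senderEmail.slice(at + 1).toLowerCase();
  if (senderDomain !== domain && !senderDomain.endsWith("." + domain)) {
    problems.push(`sender ${cfg.senderEmail} is not on ${ownDomain}`);
  }

  // 2. Transport: the password and every message cross the wire on this
  //    connection, so it must be encrypted, and the TLS mode must match the port.
  if (cfg.tls === "none") {
    problems.push("no TLS: SMTP password and message bodies would be sent in plaintext");
  }
  if (cfg.port === 465 && cfg.tls !== "implicit") {
    problems.push('port 465 is implicit TLS; set tls to "implicit"');
  }
  if (cfg.port === 587 && cfg.tls !== "starttls") {
    problems.push("port 587 is the submission port and uses STARTTLS");
  }
  if (cfg.port === 25) {
    problems.push("port 25 is for server-to-server relay; use submission on 587 (or 465)");
  }

  // 3. Credentials: authenticated submission needs both.
  if (!cfg.username || !cfg.password) {
    problems.push("username and password are required");
  }
  return problems;
}

// A configuration that is easy to end up with by copying a provider's
// unauthenticated "plain" example verbatim...
const weakConfig = {
  host: "smtp.example-mail-provider.com",
  port: 25,
  tls: "none",
  username: "",
  password: "",
  senderEmail: "no-reply@example-mail-provider.com",
};

// ...and the corrected version of the same settings.
const hardenedConfig = {
  host: "smtp.example-mail-provider.com",
  port: 587,
  tls: "starttls",
  username: "postmaster@your-website.com",
  password: "<from your provider>",
  senderEmail: "no-reply@your-website.com",
};

for (const [name, cfg] of [["weak", weakConfig], ["hardened", hardenedConfig]]) {
  const problems = lintSmtpConfig(cfg, "your-website.com");
  console.log(`${name}: ${problems.length === 0 ? "ok" : problems.join("; ")}`);
}
```

The weak configuration is reported four times over (wrong sender domain, no TLS, relay port, missing credentials); the hardened one passes. Passing the lint only means the settings are coherent; whether the mail then lands in inboxes depends on the sending domain publishing SPF and DKIM records for that server, which belongs to the server setup step above.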

Enabling Production Mode

After completing the steps above, enable production mode in the Project Settings tab in the Stack dashboard to ensure your website runs securely with Stack in a production environment.