OAuth
Local PKCE-based OAuth flow for plugins needing authorized API access (Gmail, Google Calendar, GitHub, Slack, etc.). Tokens never leave your machine.
Flow
- You run `vesper oauth login <provider> --client-id <id>`
- Gateway prints an authorization URL
- You open it in a browser, approve
- Provider redirects to `http://127.0.0.1:53174/callback`
- Gateway captures the code, exchanges for tokens
- Tokens save to `~/.openvesper/tokens/<provider>.json` (mode 0600)
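
The PKCE and loopback-callback steps of the flow above, as an added example in Node.js JavaScript; it is not OpenVesper's code from apps/gateway/src/oauth.ts. The function names, the `state` parameter and the caller-supplied authorization endpoint are assumptions; only the redirect URI comes from this page.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// Redirect URI as listed in the flow; all other names here are assumptions.
const REDIRECT_URI = "http://127.0.0.1:53174/callback";

// 32 random bytes -> 43-character base64url code_verifier (RFC 7636).
const newVerifier = () => randomBytes(32).toString("base64url");

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// URL the user opens; authEndpoint is a caller-supplied placeholder.
function buildAuthUrl(authEndpoint, clientId, scopes, verifier, state) {
  const url = new URL(authEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    scope: scopes.join(" "),
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Validate the redirect that hits the loopback listener and return the code.
function readCallback(requestUrl, expectedState) {
  const url = new URL(requestUrl, REDIRECT_URI);
  if (url.pathname !== "/callback") throw new Error("unexpected path");
  const got = Buffer.from(url.searchParams.get("state") ?? "");
  const want = Buffer.from(expectedState);
  if (!want.length || got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error("state mismatch"); // response is not tied to this login
  }
  const error = url.searchParams.get("error");
  if (error) throw new Error(`provider returned error: ${error}`);
  const code = url.searchParams.get("code");
  if (!code) throw new Error("missing code");
  return code;
}

// Token request body: the verifier is revealed only here, after the redirect.
function tokenRequestBody(code, verifier, clientId) {
  return new URLSearchParams({ grant_type: "authorization_code", code,
    redirect_uri: REDIRECT_URI, client_id: clientId, code_verifier: verifier });
}
```

The challenge travels in the browser-visible authorization URL while the verifier stays in the gateway process until the token exchange, so a code intercepted on the loopback redirect cannot be redeemed without it.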
Built-in provider templates
| Provider | Default scopes | PKCE |
|---|---|---|
| google | Gmail modify, Calendar | ✓ |
| github | repo, user | ✓ |
| slack | chat:write, channels:read | ✓ |
Usage
```bash
# Register an OAuth app with the provider, get the client ID
vesper oauth login google \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_SECRET

# List authorized providers
vesper oauth list

# Revoke
vesper oauth logout google
```
API equivalent
```bash
curl -X POST http://127.0.0.1:18789/oauth/start \
  -d '{
    "provider": "google",
    "clientId": "...",
    "clientSecret": "...",
    "scopes": ["..."]
  }'
curl http://127.0.0.1:18789/oauth/tokens
curl -X DELETE http://127.0.0.1:18789/oauth/tokens/google
```
Privacy
The entire flow runs on your machine. The provider's auth server sees a redirect to 127.0.0.1 only, not to OpenVesper (we have no servers). Tokens are written to disk locally with file mode 0600.
Source
Implementation: apps/gateway/src/oauth.ts