OAuth

Local PKCE-based OAuth flow for plugins needing authorized API access (Gmail, Google Calendar, GitHub, Slack, etc.). Tokens never leave your machine.

Flow

  1. You run vesper oauth login <provider> --client-id <id>
  2. Gateway prints an authorization URL
  3. You open it in a browser, approve
  4. Provider redirects to http://127.0.0.1:53174/callback
  5. Gateway captures the code and exchanges it for tokens
  6. Tokens are saved to ~/.openvesper/tokens/<provider>.json (mode 0600)
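
The PKCE and state handling behind steps 2 to 5, as an added TypeScript example (not OpenVesper's own apps/gateway/src/oauth.ts). The function names, the auth.example.com endpoint and the CLIENT_ID value are hypothetical, and it assumes the S256 challenge method and a state parameter, which the page does not spell out.

```typescript
// Added example, not OpenVesper's oauth.ts; endpoint and client id are placeholders.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const REDIRECT_URI = "http://127.0.0.1:53174/callback"; // loopback redirect from step 4

// RFC 7636 verifier: 32 random bytes give 43 base64url characters.
function newVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// S256 challenge = BASE64URL(SHA-256(ASCII(verifier))), unpadded.
function s256Challenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Step 2: URL the user opens. Only the challenge is sent; the verifier stays local.
function buildAuthUrl(endpoint: string, clientId: string, scopes: string[], challenge: string, state: string): string {
  const url = new URL(endpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: REDIRECT_URI, state,
    scope: scopes.join(" "), code_challenge: challenge, code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Step 5a: take the code only from /callback and only with the state we issued.
function readCallback(requestTarget: string, expectedState: string): string {
  const url = new URL(requestTarget, "http://127.0.0.1:53174");
  if (url.pathname !== "/callback") throw new Error("unexpected path");
  const err = url.searchParams.get("error");
  if (err) throw new Error(`provider returned error: ${err}`);
  const got = Buffer.from(url.searchParams.get("state") ?? "");
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error("state mismatch");
  const code = url.searchParams.get("code");
  if (!code) throw new Error("missing code");
  return code;
}

// Step 5b: token request body; the provider hashes code_verifier and compares it to the challenge.
function tokenRequestBody(code: string, verifier: string, clientId: string): URLSearchParams {
  return new URLSearchParams({ grant_type: "authorization_code", code,
    redirect_uri: REDIRECT_URI, client_id: clientId, code_verifier: verifier });
}

// Constructed run: no network, the redirect below is fabricated for the demo.
const demoVerifier = newVerifier(), demoState = randomBytes(16).toString("hex");
console.log(buildAuthUrl("https://auth.example.com/authorize", "CLIENT_ID", ["scope.a"], s256Challenge(demoVerifier), demoState));
console.log(tokenRequestBody(readCallback(`/callback?code=constructed&state=${demoState}`, demoState), demoVerifier, "CLIENT_ID").toString());
```

A callback that arrives with a missing or different state, an error parameter, or on another path is rejected before any token request is built.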

Built-in provider templates

Provider  Default scopes              PKCE
google    Gmail modify, Calendar      ✓
github    repo, user                  —
slack     chat:write, channels:read   —

Usage

# Register an OAuth app with the provider, get the client ID
vesper oauth login google \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_SECRET

# List authorized providers
vesper oauth list

# Revoke
vesper oauth logout google

API equivalent

curl -X POST http://127.0.0.1:18789/oauth/start \
  -d '{
    "provider": "google",
    "clientId": "...",
    "clientSecret": "...",
    "scopes": ["..."]
  }'

curl http://127.0.0.1:18789/oauth/tokens
curl -X DELETE http://127.0.0.1:18789/oauth/tokens/google

Privacy

The entire flow runs on your machine. The provider's auth server sees a redirect to 127.0.0.1 only, not to OpenVesper (we have no servers). Tokens are written to disk locally with file mode 0600.

Source

Implementation: apps/gateway/src/oauth.ts