> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring OAuth for your project

> Get started by configuring your OAuth settings in the Stytch Dashboard.

export const discovery = "Centralized login flow that allows users to view all Organizations they have access to, including pending invites and Organizations they are allowed to automatically join based on their verified email domain.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

To use Stytch's OAuth product, you'll first need to complete the following configuration steps in the [Stytch Dashboard](https://stytch.com/dashboard/):

<Steps>
  <Step title="Note your Stytch project's subdomain">
    Note the Project Domain from the Project Overview page. You will need this later when setting up your OAuth provider and adjusting your DNS entries.

    <img src="https://mintcdn.com/stytch-34ca0595/9oHTRL6TP7mU0lre/images/multi-tenant-auth/authentication/oauth/project-domain.png?fit=max&auto=format&n=9oHTRL6TP7mU0lre&q=85&s=b9dd4cc0b2c8baac6658322cbeaa43cd" alt="Stytch project domain" width="3000" height="1500" data-path="images/multi-tenant-auth/authentication/oauth/project-domain.png" />
  </Step>

  <Step title="Create an OAuth client">
    Navigate to the [OAuth section](https://stytch.com/dashboard/oauth), select the OAuth identity provider of your choice and click **Configure**.

    <img src="https://mintcdn.com/stytch-34ca0595/9oHTRL6TP7mU0lre/images/multi-tenant-auth/authentication/oauth/oauth-providers.png?fit=max&auto=format&n=9oHTRL6TP7mU0lre&q=85&s=e24b9cfaa7b7f0bc2843c0de1e0de1fa" alt="Stytch OAuth providers" width="3000" height="1500" data-path="images/multi-tenant-auth/authentication/oauth/oauth-providers.png" />

    Once in the provider configuration, we recommend clicking the **Setting up OAuth with \[provider]** button to streamline the configuration of your OAuth client.

    <img src="https://mintcdn.com/stytch-34ca0595/ImrCo7c3M8ByeeMn/images/multi-tenant-auth/authentication/oauth/github-oauth-configure.png?fit=max&auto=format&n=ImrCo7c3M8ByeeMn&q=85&s=35bb047d82582c980d7ae2f67ef49c74" alt="Stytch GitHub OAuth configuration" width="3000" height="1500" data-path="images/multi-tenant-auth/authentication/oauth/github-oauth-configure.png" />

    <Note>
      Be sure to add the **Stytch redirect URI** (`https://{test|live}.stytch.com/v1/b2b/oauth/callback/...`) as an authorized redirect URI in your OAuth provider's settings. This is where end users will be initially redirected after they authenticate with the provider.
    </Note>
  </Step>

  <Step title="Configure redirect URLs in the Stytch Dashboard">
    On the [Redirect URLs page](https://stytch.com/dashboard/redirect-urls), you'll need to configure the URL where the user will be redirected after a successful OAuth authentication.

    By default, all new projects have redirect URLs set to `http://localhost:3000/authenticate` for Test environments.

    If you want to use a different port, update the Dashboard to specify new default Redirect URLs for:

    * **Sign-up and Login Redirect URL** (for organization-specific login)
    * **Discovery Redirect URL** (for discovery authentication)
  </Step>

  <Step title="(Optional) Create an Organization for Organization-specific authentication">
    You can get started with the <Tooltip tip={discovery}>Discovery</Tooltip> sign-up or login flow without this step, so feel free to skip to Step 5!

    If you want to start with an example of logging into an existing <Tooltip tip={organization}>Organization</Tooltip>, you can do so by creating an Organization through the [Stytch Dashboard](https://stytch.com/dashboard) or [Create Organization API](/api-reference/b2b/api/organizations/create-organization).

    ###### JIT Provisioning by Email Domain

    If you are using **Google** or **Microsoft** as OAuth providers, and will be testing using a corporate email, you can allow Just-In-Time (JIT) Provisioning to the Organization via email domain by including your domain in the `email_allowed_domains` array and setting `email_jit_provisioning` to `RESTRICTED`.

    ```json theme={null}
    {
      "organization_id": "${organizationId}",
      "email_allowed_domains": [
        "stytch.com"
      ],
      "email_jit_provisioning": "RESTRICTED"
    }
    ```

    <img src="https://mintcdn.com/stytch-34ca0595/ImrCo7c3M8ByeeMn/images/multi-tenant-auth/authentication/oauth/jit-email-dashboard.png?fit=max&auto=format&n=ImrCo7c3M8ByeeMn&q=85&s=d2cc907a3554d980aacd75febf12baad" alt="Dashboard page for configuring JIT Provisioning by email domain" width="3000" height="1812" data-path="images/multi-tenant-auth/authentication/oauth/jit-email-dashboard.png" />

    <Note>
      Just-in-Time (JIT) Provisioning by email domain is restricted for common, free email providers (e.g. gmail.com). If you don't have a corporate email, you can alternatively create a <Tooltip tip={member}>Member</Tooltip> in your new Organization with the email you will use to log in.
    </Note>

    You can create a Member in the Dashboard by navigating to the Organization and clicking "Create new member" or by calling the [Create Member API](/api-reference/b2b/api/members/create-member).

    ###### JIT Provisioning by Tenant ID

    If you are using **Slack**, **HubSpot**, or **GitHub** as OAuth providers, you can allow JIT Provisioning to the Organization by tenant ID. See our [JIT Provisioning guide](/multi-tenant-auth/enterprise-ready/org-management/jit-provision-members#by-oauth-tenant) for additional information.

    <Info>
      Learn more about [step-up flows for Slack/HubSpot/GitHub OAuth](/multi-tenant-auth/authentication/oauth/overview#understanding-step-up-requirements).
    </Info>
  </Step>

  <Step title="Choose your integration approach">
    Follow one of the guides below to get an end-to-end OAuth flow up and running:

    <Tip>
      If you want to get up and running with as little code as possible, choose the **pre-built UI** option. If you want fine-grained control over your authentication flow, choose the **custom auth flow** option.
    </Tip>

    <CardGroup cols={2}>
      <Card title="Pre-built UI" icon="paintbrush" href="/multi-tenant-auth/authentication/oauth/adding-oauth-to-stytch-login">
        Integrate with Stytch's frontend UI components
      </Card>

      <Card title="Custom auth flow" icon="code" href="/multi-tenant-auth/authentication/oauth/adding-to-custom-auth-flow">
        Build a custom OAuth flow with full control
      </Card>
    </CardGroup>
  </Step>
</Steps>