OAuth providers must be configured in the Sublay dashboard before use. Each
provider requires a client ID, client secret, and a list of allowed redirect
URIs.
Web Integration
TheuseOAuthSignIn hook (from @sublay/react-js) handles the full web OAuth flow.
Initiating Sign-In
CallinitiateOAuth with the provider name and the URL your app will redirect back to after authentication.
"google", "github", "apple", "facebook".
Handling the Callback
On the page your app redirects back to, callhandleOAuthCallback once on mount. It reads the tokens from the URL fragment, stores them in the SDK, and cleans the URL.
handleOAuthCallback returns true if tokens were found in the URL fragment and false otherwise. If the provider returned an error (for example, the user denied access), the error is surfaced through the error field.
Linking an Additional Provider
Authenticated users can link additional OAuth providers to their account usinglinkOAuthProvider. This requires the user to already be signed in.
handleOAuthCallback handles both cases.
Expo Integration
@sublay/expo ships its own useOAuthSignIn hook with the same API as the web hook (initiateOAuth, linkOAuthProvider, handleOAuthCallback, isLoading, error). Instead of a full-page redirect, it opens the Sublay-brokered consent screen in the system browser and returns to your app through a custom-scheme deep link.
Deep links don’t work reliably in Expo Go. You need a custom dev client (
npx expo run:ios / npx expo run:android) or an EAS Build.Setup
1
Install the peer dependencies
The Expo hook relies on
expo-web-browser (to open the auth session) and expo-linking (to parse the return URL).2
Register a URL scheme
Add a custom
scheme to your app.json (or app.config.js). This is the scheme your redirectAfterAuth deep link uses.app.json
3
Allow the redirect URI in the dashboard
In your Sublay project’s OAuth provider settings, add the exact deep link you’ll pass as
redirectAfterAuth (e.g. myapp://auth/callback) to the provider’s Allowed Redirect URIs.Initiating Sign-In
redirectAfterAuth is required on mobile — there is no window.location to fall back to. Pass the deep link you registered above.
handleOAuthCallback exists for API parity but is a no-op that always returns false, so you never need to call it on mobile.
If the user cancels or dismisses the browser, the flow resolves quietly: isLoading resets to false and error stays null. error is only set on a server failure, a provider error in the redirect, or when no tokens are returned.
Linking an Additional Provider
linkOAuthProvider works exactly like the web flow and requires the user to already be signed in.
Persistence
Tokens dispatched by the hook are picked up by theSublayProvider’s account manager and written to SecureStore, so the session survives app relaunches automatically. You don’t need to add any storage code.
Web vs. Expo at a glance
How Tokens Are Returned
After the provider callback, Sublay redirects to yourredirectAfterAuth URL with tokens in the URL fragment (not query parameters):
handleOAuthCallback extracts them automatically.
Managing Linked Identities
UseuseOAuthIdentities to list and unlink OAuth identities on the current user’s account.

