Authentication Setup

Configure Google OAuth, 2FA, reCAPTCHA, and security features

Google OAuth Configuration

1. Google Cloud Console Setup

Step-by-Step Guide:
  1. Go to Google Cloud Console
  2. Create a new project or select existing one
  3. Navigate to "APIs & Services" → "Credentials"
  4. Click "Create Credentials" → "OAuth 2.0 Client IDs"
  5. Configure OAuth consent screen if prompted
  6. Select "Web application" as application type
  7. Add authorized redirect URIs

Authorized Redirect URIs

http://localhost:3000/api/auth/callback/google
https://yourdomain.com/api/auth/callback/google

Add both development and production URLs.

2. Environment Configuration

Google OAuth Credentials

GOOGLE_CLIENT_ID="your-google-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-google-client-secret"

Copy these values from your Google Cloud Console credentials.

Security Warning: Keep your client secret secure and never commit it to version control!

Two-Factor Authentication (2FA)

TOTP (Time-based One-Time Password)

2FA Configuration

NEXT_PUBLIC_2FA_STATUS="true"

Enables or disables the 2FA feature for users.

Supported Apps

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • LastPass Authenticator

Security Best Practice: Encourage all users to enable 2FA for enhanced account security.

reCAPTCHA v2 Setup

1. Register Your Site

Registration Steps:
  1. Visit Google reCAPTCHA Admin Console
  2. Enter a label for your site
  3. Select "reCAPTCHA v2" → "I'm not a robot" Checkbox
  4. Add your domains (localhost for development)
  5. Accept terms and submit

Domain Configuration

localhost        # For development
yourdomain.com   # Your production domain

2. Environment Configuration

reCAPTCHA Keys

NEXT_PUBLIC_RECAPTCHA_SITE_KEY="your-site-key"
RECAPTCHA_SECRET_KEY="your-secret-key"

The site key is public; the secret key must be kept secure.

Feature Toggle

NEXT_PUBLIC_RECAPTCHA_STATUS="true"

Enables or disables reCAPTCHA across the platform.

3. Integration Points

Forms Protected

  • User Registration
  • Login Form
  • Password Reset
  • Contact Forms
  • Withdrawal Requests

Verification Process

  • Client-side validation
  • Server-side verification
  • Score-based filtering
  • Bot detection
  • Rate limiting integration

Security Configuration

JWT Token Settings

JWT Secret

JWT_SECRET="your-super-secret-jwt-key-here"

Use a strong, random string. Consider using: openssl rand -base64 32

Token Expiration

JWT_EXPIRES_IN="24h"
JWT_REFRESH_EXPIRES_IN="7d"

Access token expires in 24h, refresh token in 7 days.

Rate Limiting

General Rate Limits

RATE_LIMIT_MAX="100"
RATE_LIMIT_WINDOW="900000"

100 requests per 15 minutes (900,000ms).

Authentication Limits

  • Login: 5 attempts/15min
  • Registration: 3 attempts/hour
  • Password reset: 3 attempts/hour
  • 2FA: 10 attempts/15min
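The general and authentication limits above, as an added example that is not the project's own code: an in-memory fixed-window limiter in JavaScript. It assumes the route names login, register, password-reset and 2fa, and a caller that supplies a client key and handles the 429 response.

```javascript
// Added example, not the project's own code: a fixed-window rate limiter that
// applies the per-endpoint authentication limits documented above and falls
// back to RATE_LIMIT_MAX / RATE_LIMIT_WINDOW for every other route. State is
// kept in memory; a multi-instance deployment needs a shared store (e.g. Redis)
// so that all instances count against the same window.
const GENERAL_LIMIT = {
  max: Number(process.env.RATE_LIMIT_MAX ?? 100),
  windowMs: Number(process.env.RATE_LIMIT_WINDOW ?? 900000), // 15 minutes
};

// Authentication limits from the documentation: attempts per window.
// Route names are assumed; adapt them to the application's actual routes.
const AUTH_LIMITS = {
  login:            { max: 5,  windowMs: 15 * 60 * 1000 },
  register:         { max: 3,  windowMs: 60 * 60 * 1000 },
  "password-reset": { max: 3,  windowMs: 60 * 60 * 1000 },
  "2fa":            { max: 10, windowMs: 15 * 60 * 1000 },
};

class RateLimiter {
  constructor(limits = AUTH_LIMITS, fallback = GENERAL_LIMIT) {
    this.limits = limits;
    this.fallback = fallback;
    this.buckets = new Map(); // "route:clientKey" -> { windowStart, count }
  }

  // Records one attempt and reports whether it is within the limit.
  // clientKey is usually the client IP; for login and 2FA, combining it with the
  // account identifier also bounds attempts against one account from many IPs.
  // `now` is injectable so the window logic can be tested deterministically.
  check(route, clientKey, now = Date.now()) {
    const limit = this.limits[route] ?? this.fallback;
    const key = `${route}:${clientKey}`;
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= limit.windowMs) {
      bucket = { windowStart: now, count: 0 }; // window expired: start a new one
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= limit.max) {
      // Over the limit: answer 429, expose retryAfterMs via Retry-After, and
      // log the event so repeated hits on auth routes are visible to monitoring.
      const retryAfterMs = bucket.windowStart + limit.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    bucket.count += 1;
    return { allowed: true, remaining: limit.max - bucket.count, retryAfterMs: 0 };
  }
}
```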

Restart Development Server

Apply Authentication Changes

After configuring authentication settings, restart the development server:

Important

Authentication changes require a server restart to take effect.

1. Stop the current server

Press Ctrl + C in your terminal

2. Start the development server

pnpm dev

This will restart the server with your new authentication configuration.