OAuth & SSO
Secure your Hybrix dashboard and API with OAuth 2.0 authentication. Supports Google, GitHub, and custom OIDC providers for single sign-on.
Enabling authentication
By default, the Hybrix dashboard has no authentication -- it binds to localhost and is only accessible from your machine. To expose it on a network or add multi-user support, enable OAuth:
```json
{
  "auth": {
    "enabled": true,
    "providers": ["google", "github"],
    "allowedEmails": ["*@yourcompany.com"],
    "sessionSecret": "$HYBRIX_SECRET",
    "sessionMaxAge": "7d"
  }
}
```
Provider configuration
| Provider | Env Variables | Callback URL |
|---|---|---|
| Google | GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET | /api/auth/callback/google |
| GitHub | GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET | /api/auth/callback/github |
| Custom OIDC | OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET | /api/auth/callback/oidc |
Access control
The allowedEmails field accepts exact emails or domain wildcards. Use this to restrict who can access the dashboard.
For API access, authenticated users receive a session token. Agents accessed via channels (Discord, Slack) bypass dashboard auth since they use their own platform tokens.
If you expose the gateway to the internet without enabling auth, anyone can access your agents and their skills, including shell execution. Always enable authentication for public deployments.
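A pre-deployment check for the settings above, written as an added example that is not part of Hybrix. The function name `auditAuthConfig`, the provider key `oidc`, the 32-character minimum for the session secret, and the reading of `"$NAME"` as an environment variable reference are assumptions.

```javascript
// Added example: audit a Hybrix-style config before exposing the gateway.
// auditAuthConfig, the "oidc" key and the 32-character minimum are assumptions.
const PROVIDER_ENV = new Map([
  ["google", ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"]],
  ["github", ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"]],
  ["oidc", ["OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"]],
]);
// Accept only an exact address or a "*@domain" wildcard; reject "*", "*@*", etc.
const ALLOWED_ENTRY = /^(\*|[^\s@*]+)@[^\s@*]+\.[^\s@*]+$/;

function auditAuthConfig(config, env) {
  const findings = [];
  const auth = (config && config.auth) || {};
  if (auth.enabled !== true) {
    return ["auth.enabled is not true: dashboard and API are unauthenticated"];
  }
  const providers = Array.isArray(auth.providers) ? auth.providers : [];
  if (providers.length === 0) findings.push("auth.providers is empty");
  for (const p of providers) {
    if (!PROVIDER_ENV.has(p)) { findings.push(`unknown provider: ${p}`); continue; }
    for (const name of PROVIDER_ENV.get(p)) {
      if (!env[name]) findings.push(`missing env variable ${name} for ${p}`);
    }
  }
  const allowed = Array.isArray(auth.allowedEmails) ? auth.allowedEmails : [];
  if (allowed.length === 0) findings.push("auth.allowedEmails is empty");
  for (const entry of allowed) {
    if (typeof entry !== "string" || !ALLOWED_ENTRY.test(entry)) {
      findings.push(`allowedEmails entry is not an exact email or *@domain: ${entry}`);
    }
  }
  // Assumption: a value of "$NAME" means "read NAME from the environment".
  const raw = String(auth.sessionSecret || "");
  const secret = raw.startsWith("$") ? env[raw.slice(1)] || "" : raw;
  if (raw && !raw.startsWith("$")) findings.push("sessionSecret is stored inline in the config file");
  if (secret.length < 32) findings.push("sessionSecret is unset or shorter than 32 characters");
  return findings;
}

// Constructed sample: the page's config, with only the Google credentials set.
const sampleConfig = {
  auth: { enabled: true, providers: ["google", "github"],
    allowedEmails: ["*@yourcompany.com"], sessionSecret: "$HYBRIX_SECRET", sessionMaxAge: "7d" },
};
const sampleEnv = { GOOGLE_CLIENT_ID: "id", GOOGLE_CLIENT_SECRET: "s", HYBRIX_SECRET: "x".repeat(48) };
console.log(auditAuthConfig(sampleConfig, sampleEnv));
```

An empty result means none of these checks failed; run it against `process.env` in the same environment the gateway starts in.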