Social Login

Social login lets your users authenticate with an existing account from a third-party provider such as Google or Microsoft. Once configured, social login options appear automatically on Seal’s hosted login page alongside your other enabled authentication methods. No code changes are required in your application — social logins work through the same OAuth 2.0 flow described in the Quick Start guide.

Supported providers

Seal supports the following OAuth providers:

Provider	Description
Google	Sign in with Google accounts using OAuth 2.0. Pre-configured in demo mode for all environments.
Microsoft	Sign in with Microsoft (Entra) accounts using OAuth 2.0.

Note

Google is available in demo mode by default, using Seal’s hosted credentials. This allows you to test social login immediately without creating your own Google OAuth app. For production use, switch to custom credentials.

Configure a social login provider

1. In the Seal portal, navigate to Authentication → Social Login.

2. Find the provider you want to configure. Each provider displays its current status (enabled or disabled) and credential mode (Demo or Custom).

3. Click Configure to open the provider settings.

4. Select a credential mode:

   • Demo: Uses Seal’s hosted OAuth credentials. Suitable for development and testing.
   • Custom: Uses your own OAuth app credentials. Required for production.

   For custom credentials, enter the Client ID and Client Secret from the provider’s developer console.

5. Copy the Redirect URI displayed in the configuration dialog. Add this URI to the list of authorized redirect URIs in the provider’s developer console (for example, the Google Cloud Console or Microsoft Entra admin center).

6. Close the dialog and toggle the provider on to enable it.

Changes take effect immediately for new login flows.

Credential modes

Each provider supports two credential modes:

• Demo: Seal provides pre-configured OAuth credentials. Use this for local development and testing. Demo mode is available for Google out of the box.
• Custom: You provide your own OAuth app credentials (Client ID and Client Secret). Use this for production deployments where you need full control over the OAuth app configuration, consent screen branding, and allowed domains.

Caution

Demo credentials are shared and intended for development only. Switch to custom credentials before deploying to production to ensure your users see your own branding on the provider’s consent screen.

How social login works

When a user selects a social login provider on the hosted login page, the following flow occurs:

1. Seal redirects the user to the provider’s authorization endpoint
2. The user authenticates with the provider and grants consent
3. The provider redirects back to Seal with an authorization code
4. Seal exchanges the code for an ID token and extracts the user’s profile (email, name, and profile picture where available)
5. If the user does not yet exist in Seal and sign-up is enabled, a new user account is created automatically
6. Seal completes the OAuth 2.0 flow with your application, returning the authorization code as in the standard flow

Your application handles the callback identically regardless of which authentication method the user chose. The token exchange response includes the same user and organization objects described in the Quick Start guide.

Next steps

• Magic Link authentication — enable passwordless sign-in with email verification codes
• Quick Start guide — integrate Seal’s OAuth 2.0 flow into your application
• Explore the API reference — manage users, organizations, and sessions programmatically