---
description: The new Capacitor OAuth plugin provides a secure way to integrate OAuth 2.0 and OpenID Connect authentication in your Capacitor apps.
title: Announcing the Capacitor OAuth Plugin - Capawesome
image: https://capawesome.io/docs/assets/images/social/blog/announcing-the-capacitor-oauth-plugin.png
---


# Announcing the OAuth Plugin for Capacitor

Authentication is a critical part of most applications, and getting it right can be challenging. With [Ionic's recent decision to discontinue new customer sales of its commercial products](https://ionic.io/blog/important-announcement-the-future-of-ionics-commercial-products), including Auth Connect, many teams building Capacitor apps are now looking for a reliable alternative. That's why we built the [OAuth](/docs/plugins/oauth/) plugin — a production-ready solution for integrating OAuth 2.0 and OpenID Connect authentication into your Capacitor applications across Android, iOS, and web. The plugin is now available for all Capawesome [Insiders](/docs/insiders/).


## Bonus: Video Tutorial and Demo App

This launch tutorial covers the OAuth plugin setup, native/web authentication flow, PKCE-based login, callback configuration, and token handling in a real Capacitor app.

* **[OAuth Demo App](https://github.com/capawesome-team/capacitor-oauth-demo)** — A complete example project showing login, token refresh, user profile retrieval, and logout.

Let's explore the [API](/docs/plugins/oauth/#api) and key features that make this plugin a great fit for your next project.

## Installation

To install the Capacitor OAuth plugin, please refer to the [Installation](/docs/plugins/oauth/#installation) section in the plugin documentation.

## Usage

The [OAuth](/docs/plugins/oauth/) plugin works with any OAuth 2.0 or OpenID Connect provider, including Auth0, Azure AD, Amazon Cognito, Okta, and OneLogin. It implements the Authorization Code flow with PKCE out of the box, following current security best practices. Let's walk through the most common use cases.

### Logging in

Start the OAuth flow with the [login(...)](/docs/plugins/oauth/#login) method. You can either provide an `issuerUrl` for automatic OpenID Connect discovery, or pass the `authorizationEndpoint` and `tokenEndpoint` directly:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";

const login = async () => {
  // Starts the Authorization Code flow with PKCE; endpoints are discovered from issuerUrl.
  const result = await Oauth.login({
    issuerUrl: "https://accounts.google.com",
    clientId: "YOUR_CLIENT_ID",
    redirectUrl: "com.example.app://oauth/callback",
    scopes: ["openid", "profile", "email", "offline_access"],
  });

  // Printed for demonstration only; keep tokens out of logs in production builds.
  console.log("Access token:", result.accessToken);
  console.log("ID token:", result.idToken);
  console.log("Refresh token:", result.refreshToken);
};
```

The plugin handles the entire authorization code exchange with PKCE behind the scenes. On Android and iOS, it uses the system browser for a secure authentication experience. On the web, the user is redirected to the provider's authorization page.

### Handling the redirect callback

On the web platform, you need to handle the redirect callback after the user is redirected back from the provider. Call [handleRedirectCallback()](/docs/plugins/oauth/#handleredirectcallback) on page load to complete the token exchange:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";
import { Capacitor } from "@capacitor/core";

const handleRedirectCallback = async () => {
  if (Capacitor.getPlatform() !== "web") {
    return;
  }
  const result = await Oauth.handleRedirectCallback();
  console.log("Access token:", result.accessToken);
};
```

This step is only required on the web. On Android and iOS, the redirect is handled natively.

### Storing tokens securely

The [OAuth](/docs/plugins/oauth/) plugin is designed to work seamlessly with the [Secure Preferences](/docs/plugins/secure-preferences/) plugin, so you can store tokens in encrypted storage right after login:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";
import { SecurePreferences } from "@capawesome-team/capacitor-secure-preferences";

const login = async () => {
  const result = await Oauth.login({
    issuerUrl: "https://accounts.google.com",
    clientId: "YOUR_CLIENT_ID",
    redirectUrl: "com.example.app://oauth/callback",
    scopes: ["openid", "profile", "email", "offline_access"],
  });

  await SecurePreferences.set({
    key: "tokens",
    value: JSON.stringify(result),
  });
};
```

### Refreshing the access token

Access tokens expire. Use the [refreshToken(...)](/docs/plugins/oauth/#refreshtoken) method to get a new one without requiring the user to log in again:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";

const refreshToken = async () => {
  const result = await Oauth.refreshToken({
    issuerUrl: "https://accounts.google.com",
    clientId: "YOUR_CLIENT_ID",
    refreshToken: "YOUR_REFRESH_TOKEN",
  });

  console.log("New access token:", result.accessToken);
};
```

### Decoding the ID token

If you need to access the user's profile information from the ID token, use the [decodeIdToken(...)](/docs/plugins/oauth/#decodeidtoken) method:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";

const decodeIdToken = async () => {
  const result = await Oauth.decodeIdToken({
    token: "YOUR_ID_TOKEN",
  });

  console.log("Subject:", result.payload.sub);
  console.log("Email:", result.payload.email);
  console.log("Name:", result.payload.name);
};
```

This decodes the JWT token locally without sending it to a server. Note that this does not verify the token signature — for server-side validation, you should verify the token on your backend.
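
Because a local decode skips the signature, the claims it returns are untrusted input until they are checked. The following added example (not code from the plugin or its documentation) shows the issuer, audience, expiry and nonce checks an OpenID Connect client applies to a decoded ID token; the helper names and sample values are hypothetical, and signature verification against the provider's keys remains a backend task.

```javascript
// Added example: claim checks on a decoded (not signature-verified) ID token.
// decodeJwtPayload, validateIdTokenClaims and the sample values are hypothetical
// names for illustration, not part of the plugin API.

// Decode one base64url segment to a UTF-8 string (browsers and Node 16+).
const b64urlDecode = (segment) => {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
};

// Parse the payload only. The signature segment is deliberately ignored, as in
// a local decode, so the returned claims are untrusted input.
const decodeJwtPayload = (token) => {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(b64urlDecode(parts[1]));
};

// Returns a list of problems. An empty list means the claims match this client
// and time window; it does not prove the token is authentic.
const validateIdTokenClaims = (claims, { issuer, clientId, nonce, now, skewSec = 60 }) => {
  const problems = [];
  if (claims.iss !== issuer) problems.push("iss mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) problems.push("aud does not include client");
  if (aud.length > 1 && claims.azp !== clientId) problems.push("azp mismatch");
  if (typeof claims.exp !== "number" || now >= claims.exp + skewSec) problems.push("exp missing or expired");
  if (typeof claims.iat !== "number" || claims.iat > now + skewSec) problems.push("iat missing or in future");
  if (nonce !== undefined && claims.nonce !== nonce) problems.push("nonce mismatch");
  return problems;
};

// Constructed sample token; the third segment is a dummy, not a real signature.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleClaims = {
  iss: "https://accounts.google.com", aud: "YOUR_CLIENT_ID", sub: "1234567890",
  iat: 1700000000, exp: 1700003600, email: "user@example.com",
};
const sampleToken = [b64url({ alg: "RS256", typ: "JWT" }), b64url(sampleClaims), "c2ln"].join(".");

const expected = { issuer: "https://accounts.google.com", clientId: "YOUR_CLIENT_ID" };
const decoded = decodeJwtPayload(sampleToken);
console.log(validateIdTokenClaims(decoded, { ...expected, now: 1700000100 })); // []
console.log(validateIdTokenClaims(decoded, { ...expected, now: 1700010000 })); // ["exp missing or expired"]
```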

### Logging out

End the user's session with the [logout(...)](/docs/plugins/oauth/#logout) method, which calls the provider's end-session endpoint:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";

const logout = async () => {
  await Oauth.logout({
    issuerUrl: "https://accounts.google.com",
    idToken: "YOUR_ID_TOKEN",
    postLogoutRedirectUrl: "com.example.app://oauth/logout",
  });
};
```

### Checking token state

The plugin also provides utility methods to check the state of your tokens without additional logic on your side:

```typescript
import { Oauth } from "@capawesome-team/capacitor-oauth";

const checkTokenState = async (
  accessToken: string,
  accessTokenExpirationDate: number,
  refreshToken: string
) => {
  const { isAvailable } = await Oauth.isAccessTokenAvailable({
    accessToken,
  });
  const { isExpired } = await Oauth.isAccessTokenExpired({
    accessTokenExpirationDate,
  });
  const { isAvailable: isRefreshAvailable } =
    await Oauth.isRefreshTokenAvailable({
      refreshToken,
    });

  console.log("Access token available:", isAvailable);
  console.log("Access token expired:", isExpired);
  console.log("Refresh token available:", isRefreshAvailable);
};
```

## FAQ

##### How does this compare to Ionic Auth Connect?

The Capawesome [OAuth](/docs/plugins/oauth/) plugin covers the core authentication functionality that most teams need: OAuth 2.0 and OpenID Connect flows with PKCE, token refresh, and multi-provider support across all platforms. With Ionic [discontinuing sales of its commercial products](https://ionic.io/blog/important-announcement-the-future-of-ionics-commercial-products), including Auth Connect, the Capawesome OAuth plugin provides a maintained and actively supported alternative for Capacitor applications.

##### Which providers are supported?

The plugin works with any OAuth 2.0 or OpenID Connect compliant provider. This includes Auth0, Azure AD (Microsoft Entra ID), Amazon Cognito, Okta, OneLogin, Google, and any other provider that follows the standard.

##### Is this plugin a fork of another plugin?

No. The Capawesome [OAuth](/docs/plugins/oauth/) plugin was built from the ground up with a focus on security, reliability, and ease of use. We implemented the PKCE flow natively on Android and iOS, and designed the API to be consistent across all platforms. The web implementation uses the standard redirect flow for maximum compatibility.

##### Can I store tokens securely?

Yes. The plugin is designed to work with the [Secure Preferences](/docs/plugins/secure-preferences/) plugin, which provides encrypted key-value storage on Android and iOS. This lets you persist tokens between app sessions without exposing them in plain text.

## Conclusion

The [OAuth](/docs/plugins/oauth/) plugin gives you a straightforward way to add OAuth 2.0 and OpenID Connect authentication to your Capacitor apps. It handles the complexity of PKCE flows, provider discovery, and token management so you can focus on building your application.

Explore the complete [API Reference](/docs/plugins/oauth/#api) to see all available methods and options. Have suggestions for new features? [Create a feature request](https://github.com/capawesome-team/capacitor-plugins/issues/new/choose) in our [GitHub repository](https://github.com/capawesome-team/capacitor-plugins).

Stay connected with us on [X](https://x.com/capawesomeio) and subscribe to our [newsletter](/newsletter/) for the latest updates and announcements.

May 8, 2026 
