--- description: Capacitor plugin for OAuth 2.0 and OpenID Connect with PKCE, token refresh, and provider discovery. Available for Android, iOS, Web. title: Capacitor OAuth Plugin for Android, iOS & Web - Capawesome image: https://capawesome.io/docs/assets/images/social/plugins/oauth.png --- [ Skip to content](#capawesome-teamcapacitor-oauth) [ πŸŽ‰ Introducing **Capawesome Platform** β€” one platform for Live Updates, Native Builds, App Store Publishing, and Insider SDKs.](https://capawesome.io) * [ Formbricks ](/docs/plugins/formbricks/) * [ Geocoder ](/docs/plugins/geocoder/) * [ Google Sign-In ](/docs/plugins/google-sign-in/) * [ libSQL ](/docs/plugins/libsql/) * [ Live Update ](/docs/plugins/live-update/) * [ Managed Configurations ](/docs/plugins/managed-configurations/) * [ Media Session ](/docs/plugins/media-session/) * [ ML Kit ](/docs/plugins/mlkit/) * [ NFC ](/docs/plugins/nfc/) * OAuth [ OAuth ](/docs/plugins/oauth/) * [ Usage ](#usage) * [ API ](#api) * [ Type Aliases ](#type-aliases) * [ Changelog ](#changelog) * [ Breaking Changes ](#breaking-changes) * [ License ](#license) * [ Pedometer ](/docs/plugins/pedometer/) * [ Photo Editor ](/docs/plugins/photo-editor/) * [ PostHog ](/docs/plugins/posthog/) * [ Printer ](/docs/plugins/printer/) * [ Purchases ](/docs/plugins/purchases/) * [ RealtimeKit ](/docs/plugins/realtimekit/) * [ Screen Orientation ](/docs/plugins/screen-orientation/) * [ Screenshot ](/docs/plugins/screenshot/) * [ Secure Preferences ](/docs/plugins/secure-preferences/) * [ Speech Recognition ](/docs/plugins/speech-recognition/) * [ Speech Synthesis ](/docs/plugins/speech-synthesis/) * [ Share Target ](/docs/plugins/share-target/) * [ Square Mobile Payments ](/docs/plugins/square-mobile-payments/) * [ SQLite ](/docs/plugins/sqlite/) * [ Superwall ](/docs/plugins/superwall/) * [ Torch ](/docs/plugins/torch/) * [ Wifi ](/docs/plugins/wifi/) * [ Zip ](/docs/plugins/zip/) * [ Cloud ](/docs/cloud/) * [ Live Updates ](/docs/cloud/live-updates/) * Advanced * Integrations * [ Native Builds ](/docs/cloud/native-builds/) * [ Configuration ](/docs/cloud/native-builds/configuration/) * [ Environments ](/docs/cloud/native-builds/environments/) * Guides * [ Sample Projects ](/docs/cloud/native-builds/sample-projects/) * [ Troubleshooting ](/docs/cloud/native-builds/troubleshooting/) * [ Automations ](/docs/cloud/automations/) * [ Assist ](/docs/cloud/assist/) * Account * Organizations * [ Organization and User Management ](/docs/cloud/organizations/memberships/) * [ Single Sign-On (SSO) ](/docs/cloud/organizations/sso/) * [ Teams ](/docs/cloud/organizations/teams/) * [ Two-Factor Authentication ](/docs/cloud/organizations/two-factor-authentication/) * [ Integrations ](/docs/cloud/integrations/) * [ License Keys ](/docs/cloud/license-keys/) * [ Webhooks ](/docs/cloud/webhooks/) * [ Pricing ](https://capawesome.io/pricing/) * [ FAQ ](/docs/cloud/faq/) * [ Support ](/docs/cloud/support/) * [ Contributing ](/docs/contributing/) * [ LLMs ](/docs/llms/) * [ Insiders ](/docs/insiders/) * [ License ](https://capawesome.io/legal/eula/) * [ Support ](/docs/insiders/support/) * [ FAQ ](/docs/insiders/faq/) * [ Blog ](/blog/) * Categories * [ Usage ](#usage) * [ API ](#api) * [ Type Aliases ](#type-aliases) * [ Changelog ](#changelog) * [ Breaking Changes ](#breaking-changes) * [ License ](#license) # @capawesome-team/capacitor-oauth[ΒΆ](#capawesome-teamcapacitor-oauth "Permanent link") Capacitor plugin for communicating with OAuth 2.0 and OpenID Connect providers. [ ![Deliver Live Updates to your Capacitor app with Capawesome Cloud](../../assets/external/cloud.capawesome.io/assets/banners/cloud-build-and-deploy-capacitor-apps.69628c3f.png) ](https://cloud.capawesome.io/) ## Features[ΒΆ](#features "Permanent link") We are proud to offer one of the most complete and feature-rich Capacitor plugins for OAuth. Here are some of the key features: * πŸ–₯️ **Cross-platform**: Supports Android, iOS and Web. * 🌐 **Providers**: Works with any OAuth 2.0 / OpenID Connect provider, including Auth0, Azure AD, Amazon Cognito, Okta and OneLogin. * πŸ” **PKCE**: Implements the Authorization Code flow with Proof Key for Code Exchange (PKCE). * πŸ” **Auto-discovery**: Automatically fetches endpoints via OpenID Connect discovery. * πŸ”„ **Token Refresh**: Refresh access tokens using a refresh token. * πŸͺͺ **JWT Decoding**: Decode JWT ID tokens without verification. * πŸͺΆ **Lightweight**: Just a single dependency and zero unnecessary bloat. * 🀝 **Compatibility**: Compatible with the [Secure Preferences](https://capawesome.io/docs/plugins/secure-preferences/) plugin to securely store tokens. * πŸ“¦ **CocoaPods & SPM**: Supports CocoaPods and Swift Package Manager for iOS. * πŸ” **Up-to-date**: Always supports the latest Capacitor version. * ⭐️ **Support**: Priority support from the Capawesome Team. * ✨ **Handcrafted**: Built from the ground up with care and expertise, not forked or AI-generated. Missing a feature? Just [open an issue](https://github.com/capawesome-team/capacitor-plugins/issues) and we'll take a look! ## Newsletter[ΒΆ](#newsletter "Permanent link") Stay up to date with the latest news and updates about the Capawesome, Capacitor, and Ionic ecosystem by subscribing to our [Capawesome Newsletter](https://cloud.capawesome.io/newsletter/). ## Compatibility[ΒΆ](#compatibility "Permanent link") | Plugin Version | Capacitor Version | Status | | -------------- | ----------------- | -------------- | | 0.1.x | \>=8.x.x | Active support | ## Demo[ΒΆ](#demo "Permanent link") | Android | iOS | Web | | ------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | | ![Android Demo](../../assets/external/github.com/user-attachments/assets/95ec6fe8-ba1d-4be0-898d-6b63a9170347.gif) | ![iOS Demo](../../assets/external/github.com/user-attachments/assets/0f06193f-15c5-4c72-a3dd-ada5163ce3eb.gif) | ![Web Demo](../../assets/external/github.com/user-attachments/assets/267c8536-2c83-455a-ab8f-76ed99011ba1.gif) | ## Guides[ΒΆ](#guides "Permanent link") * [Announcing the Capacitor OAuth Plugin](https://capawesome.io/blog/announcing-the-capacitor-oauth-plugin/) * [How to Use Better Auth in Capacitor Apps](https://capawesome.io/blog/how-to-use-better-auth-in-capacitor-apps/) * [How to Sign in with Okta using Capacitor](https://capawesome.io/blog/how-to-sign-in-with-okta-using-capacitor/) * [How to Sign in with Auth0 using Capacitor](https://capawesome.io/blog/how-to-sign-in-with-auth0-using-capacitor/) * [How to Sign in with Azure Entra ID using Capacitor](https://capawesome.io/blog/how-to-sign-in-with-azure-entra-id-using-capacitor/) * [Alternatives to Ionic Enterprise Plugins](https://capawesome.io/blog/alternatives-to-ionic-enterprise-plugins/) ## Installation[ΒΆ](#installation "Permanent link") This plugin is only available to [Capawesome Insiders](https://capawesome.io/insiders/). First, make sure you have the Capawesome npm registry set up. You can do this by running the following commands: `[](#%5F%5Fcodelineno-0-1)npm config set @capawesome-team:registry https://npm.registry.capawesome.io [](#%5F%5Fcodelineno-0-2)npm config set //npm.registry.capawesome.io/:_authToken ` **Attention**: Replace `` with the license key you received from Polar. If you don't have a license key yet, you can get one by becoming a [Capawesome Insider](https://capawesome.io/insiders/). Next, you can use our **AI-Assisted Setup** to install the plugin. Add the [Capawesome Skills](https://github.com/capawesome-team/skills) to your AI tool using the following command: `[](#%5F%5Fcodelineno-1-1)npx skills add capawesome-team/skills --skill capacitor-plugins ` Then use the following prompt: `` [](#%5F%5Fcodelineno-2-1)Use the `capacitor-plugins` skill from `capawesome-team/skills` to install the `@capawesome-team/capacitor-oauth` plugin in my project. `` If you prefer **Manual Setup**, install the plugin by running the following commands and follow the platform-specific instructions below: `[](#%5F%5Fcodelineno-3-1)npm install @capawesome-team/capacitor-oauth [](#%5F%5Fcodelineno-3-2)npx cap sync ` ### Android[ΒΆ](#android "Permanent link") #### Variables[ΒΆ](#variables "Permanent link") This plugin will use the following project variables (defined in your app's `variables.gradle` file): * `$appAuthVersion` version of `net.openid:appauth` (default: `0.11.1`) #### Redirect Scheme[ΒΆ](#redirect-scheme "Permanent link") Add the following to your app's `build.gradle` file to configure the redirect scheme used by AppAuth: `[](#%5F%5Fcodelineno-4-1)android { [](#%5F%5Fcodelineno-4-2) defaultConfig { [](#%5F%5Fcodelineno-4-3) manifestPlaceholders = [appAuthRedirectScheme: "com.example.app"] [](#%5F%5Fcodelineno-4-4) } [](#%5F%5Fcodelineno-4-5)} ` Replace `com.example.app` with the scheme of your redirect URI. #### Proguard[ΒΆ](#proguard "Permanent link") If you are using Proguard, you need to add the following rules to your `proguard-rules.pro` file: `[](#%5F%5Fcodelineno-5-1)-keep class io.capawesome.capacitorjs.plugins.** { *; } ` ## Usage[ΒΆ](#usage "Permanent link") `[](#%5F%5Fcodelineno-6-1)import { Oauth } from '@capawesome-team/capacitor-oauth'; [](#%5F%5Fcodelineno-6-2)import { SecurePreferences } from '@capawesome-team/capacitor-secure-preferences'; [](#%5F%5Fcodelineno-6-3)import { Capacitor } from '@capacitor/core'; [](#%5F%5Fcodelineno-6-4) [](#%5F%5Fcodelineno-6-5)const login = async () => { [](#%5F%5Fcodelineno-6-6) // Sign in the user [](#%5F%5Fcodelineno-6-7) const result = await Oauth.login({ [](#%5F%5Fcodelineno-6-8) issuerUrl: 'https://accounts.google.com', [](#%5F%5Fcodelineno-6-9) clientId: 'YOUR_CLIENT_ID', [](#%5F%5Fcodelineno-6-10) redirectUrl: 'com.example.app://oauth/callback', [](#%5F%5Fcodelineno-6-11) scopes: ['openid', 'profile', 'email', 'offline_access'], [](#%5F%5Fcodelineno-6-12) }); [](#%5F%5Fcodelineno-6-13) console.log('Access token:', result.accessToken); [](#%5F%5Fcodelineno-6-14) console.log('ID token:', result.idToken); [](#%5F%5Fcodelineno-6-15) console.log('Refresh token:', result.refreshToken); [](#%5F%5Fcodelineno-6-16) // Store the tokens securely [](#%5F%5Fcodelineno-6-17) await SecurePreferences.set({ [](#%5F%5Fcodelineno-6-18) key: 'tokens', [](#%5F%5Fcodelineno-6-19) value: JSON.stringify(result), [](#%5F%5Fcodelineno-6-20) }); [](#%5F%5Fcodelineno-6-21)}; [](#%5F%5Fcodelineno-6-22) [](#%5F%5Fcodelineno-6-23)const handleRedirectCallback = async () => { [](#%5F%5Fcodelineno-6-24) if (Capacitor.getPlatform() !== 'web') { [](#%5F%5Fcodelineno-6-25) return; [](#%5F%5Fcodelineno-6-26) } [](#%5F%5Fcodelineno-6-27) // Handle the redirect callback on web [](#%5F%5Fcodelineno-6-28) const result = await Oauth.handleRedirectCallback(); [](#%5F%5Fcodelineno-6-29) console.log('Access token:', result.accessToken); [](#%5F%5Fcodelineno-6-30)}; [](#%5F%5Fcodelineno-6-31) [](#%5F%5Fcodelineno-6-32)const refreshToken = async () => { [](#%5F%5Fcodelineno-6-33) const result = await Oauth.refreshToken({ [](#%5F%5Fcodelineno-6-34) issuerUrl: 'https://accounts.google.com', [](#%5F%5Fcodelineno-6-35) clientId: 'YOUR_CLIENT_ID', [](#%5F%5Fcodelineno-6-36) refreshToken: 'YOUR_REFRESH_TOKEN', [](#%5F%5Fcodelineno-6-37) }); [](#%5F%5Fcodelineno-6-38) console.log('New access token:', result.accessToken); [](#%5F%5Fcodelineno-6-39)}; [](#%5F%5Fcodelineno-6-40) [](#%5F%5Fcodelineno-6-41)const logout = async () => { [](#%5F%5Fcodelineno-6-42) await Oauth.logout({ [](#%5F%5Fcodelineno-6-43) issuerUrl: 'https://accounts.google.com', [](#%5F%5Fcodelineno-6-44) idToken: 'YOUR_ID_TOKEN', [](#%5F%5Fcodelineno-6-45) postLogoutRedirectUrl: 'com.example.app://oauth/logout', [](#%5F%5Fcodelineno-6-46) }); [](#%5F%5Fcodelineno-6-47)}; [](#%5F%5Fcodelineno-6-48) [](#%5F%5Fcodelineno-6-49)const decodeIdToken = async () => { [](#%5F%5Fcodelineno-6-50) const result = await Oauth.decodeIdToken({ [](#%5F%5Fcodelineno-6-51) token: 'YOUR_ID_TOKEN', [](#%5F%5Fcodelineno-6-52) }); [](#%5F%5Fcodelineno-6-53) console.log('Payload:', result.payload); [](#%5F%5Fcodelineno-6-54)}; ` ## API[ΒΆ](#api "Permanent link") * [decodeIdToken(...)](#decodeidtoken) * [getAccessTokenExpirationDate(...)](#getaccesstokenexpirationdate) * [isAccessTokenAvailable(...)](#isaccesstokenavailable) * [isAccessTokenExpired(...)](#isaccesstokenexpired) * [isRefreshTokenAvailable(...)](#isrefreshtokenavailable) * [handleRedirectCallback()](#handleredirectcallback) * [login(...)](#login) * [logout(...)](#logout) * [refreshToken(...)](#refreshtoken) * [Interfaces](#interfaces) * [Type Aliases](#type-aliases) ### decodeIdToken(...)[ΒΆ](#decodeidtoken "Permanent link") `[](#%5F%5Fcodelineno-7-1)decodeIdToken(options: DecodeIdTokenOptions) => Promise ` Decode a JWT ID token without verification. | Param | Type | | ----------- | --------------------------------------------- | | **options** | [DecodeIdTokenOptions](#decodeidtokenoptions) | **Returns:** `Promise<[DecodeIdTokenResult](#decodeidtokenresult)>` **Since:** 0.1.0 --- ### getAccessTokenExpirationDate(...)[ΒΆ](#getaccesstokenexpirationdate "Permanent link") `[](#%5F%5Fcodelineno-8-1)getAccessTokenExpirationDate(options: GetAccessTokenExpirationDateOptions) => Promise ` Get the access token expiration date as an ISO 8601 string. | Param | Type | | ----------- | --------------------------------------------------------------------------- | | **options** | [GetAccessTokenExpirationDateOptions](#getaccesstokenexpirationdateoptions) | **Returns:** `Promise<[GetAccessTokenExpirationDateResult](#getaccesstokenexpirationdateresult)>` **Since:** 0.1.0 --- ### isAccessTokenAvailable(...)[ΒΆ](#isaccesstokenavailable "Permanent link") `[](#%5F%5Fcodelineno-9-1)isAccessTokenAvailable(options: IsAccessTokenAvailableOptions) => Promise ` Check if an access token is available (non-null and non-empty). | Param | Type | | ----------- | --------------------------------------------------------------- | | **options** | [IsAccessTokenAvailableOptions](#isaccesstokenavailableoptions) | **Returns:** `Promise<[IsAccessTokenAvailableResult](#isaccesstokenavailableresult)>` **Since:** 0.1.0 --- ### isAccessTokenExpired(...)[ΒΆ](#isaccesstokenexpired "Permanent link") `[](#%5F%5Fcodelineno-10-1)isAccessTokenExpired(options: IsAccessTokenExpiredOptions) => Promise ` Check if the access token has expired. | Param | Type | | ----------- | ----------------------------------------------------------- | | **options** | [IsAccessTokenExpiredOptions](#isaccesstokenexpiredoptions) | **Returns:** `Promise<[IsAccessTokenExpiredResult](#isaccesstokenexpiredresult)>` **Since:** 0.1.0 --- ### isRefreshTokenAvailable(...)[ΒΆ](#isrefreshtokenavailable "Permanent link") `[](#%5F%5Fcodelineno-11-1)isRefreshTokenAvailable(options: IsRefreshTokenAvailableOptions) => Promise ` Check if a refresh token is available (non-null and non-empty). | Param | Type | | ----------- | ----------------------------------------------------------------- | | **options** | [IsRefreshTokenAvailableOptions](#isrefreshtokenavailableoptions) | **Returns:** `Promise<[IsRefreshTokenAvailableResult](#isrefreshtokenavailableresult)>` **Since:** 0.1.0 --- ### handleRedirectCallback()[ΒΆ](#handleredirectcallback "Permanent link") `[](#%5F%5Fcodelineno-12-1)handleRedirectCallback() => Promise ` Handle the redirect callback after a login or logout redirect on the web. Call this method on page load when the URL contains authorization response parameters. Only available on Web. **Returns:** `Promise<[LoginResult](#loginresult)>` **Since:** 0.1.0 --- ### login(...)[ΒΆ](#login "Permanent link") `[](#%5F%5Fcodelineno-13-1)login(options: LoginOptions) => Promise ` Start an OAuth 2.0 authorization code flow with PKCE. | Param | Type | | ----------- | ----------------------------- | | **options** | [LoginOptions](#loginoptions) | **Returns:** `Promise<[LoginResult](#loginresult)>` **Since:** 0.1.0 --- ### logout(...)[ΒΆ](#logout "Permanent link") `[](#%5F%5Fcodelineno-14-1)logout(options: LogoutOptions) => Promise ` End the OAuth session by calling the end-session endpoint. Note that some providers (e.g. Microsoft Entra ID) may not redirect back to the app after logout and instead show a "You have signed out" page. In this case, the user has to close the browser manually which results in a `USER_CANCELED` error even though the logout was successful. | Param | Type | | ----------- | ------------------------------- | | **options** | [LogoutOptions](#logoutoptions) | **Since:** 0.1.0 --- ### refreshToken(...)[ΒΆ](#refreshtoken "Permanent link") `[](#%5F%5Fcodelineno-15-1)refreshToken(options: RefreshTokenOptions) => Promise ` Refresh the access token using a refresh token. | Param | Type | | ----------- | ------------------------------------------- | | **options** | [RefreshTokenOptions](#refreshtokenoptions) | **Returns:** `Promise<[LoginResult](#loginresult)>` **Since:** 0.1.0 --- ### Interfaces[ΒΆ](#interfaces "Permanent link") #### DecodeIdTokenResult[ΒΆ](#decodeidtokenresult "Permanent link") | Prop | Type | Description | Since | | ----------- | ----------------------- | ---------------------------------------------- | ----- | | **header** | Record | The decoded JWT header. | 0.1.0 | | **payload** | Record | The decoded JWT payload containing the claims. | 0.1.0 | #### DecodeIdTokenOptions[ΒΆ](#decodeidtokenoptions "Permanent link") | Prop | Type | Description | Since | | --------- | ------ | ---------------------------------- | ----- | | **token** | string | The JWT ID token string to decode. | 0.1.0 | #### GetAccessTokenExpirationDateResult[ΒΆ](#getaccesstokenexpirationdateresult "Permanent link") | Prop | Type | Description | Since | | -------- | ------ | ------------------------------------------------------- | ----- | | **date** | string | The access token expiration date as an ISO 8601 string. | 0.1.0 | #### GetAccessTokenExpirationDateOptions[ΒΆ](#getaccesstokenexpirationdateoptions "Permanent link") | Prop | Type | Description | Since | | ----------------------------- | ------ | ------------------------------------------------------- | ----- | | **accessTokenExpirationDate** | number | The access token expiration date in epoch milliseconds. | 0.1.0 | #### IsAccessTokenAvailableResult[ΒΆ](#isaccesstokenavailableresult "Permanent link") | Prop | Type | Description | Since | | --------------- | ------- | --------------------------------------------------- | ----- | | **isAvailable** | boolean | Whether the access token is non-null and non-empty. | 0.1.0 | #### IsAccessTokenAvailableOptions[ΒΆ](#isaccesstokenavailableoptions "Permanent link") | Prop | Type | Description | Since | | --------------- | ------ | -------------------------- | ----- | | **accessToken** | string | The access token to check. | 0.1.0 | #### IsAccessTokenExpiredResult[ΒΆ](#isaccesstokenexpiredresult "Permanent link") | Prop | Type | Description | Since | | ------------- | ------- | ------------------------------------- | ----- | | **isExpired** | boolean | Whether the access token has expired. | 0.1.0 | #### IsAccessTokenExpiredOptions[ΒΆ](#isaccesstokenexpiredoptions "Permanent link") | Prop | Type | Description | Since | | ----------------------------- | ------ | ------------------------------------------------------- | ----- | | **accessTokenExpirationDate** | number | The access token expiration date in epoch milliseconds. | 0.1.0 | #### IsRefreshTokenAvailableResult[ΒΆ](#isrefreshtokenavailableresult "Permanent link") | Prop | Type | Description | Since | | --------------- | ------- | ---------------------------------------------------- | ----- | | **isAvailable** | boolean | Whether the refresh token is non-null and non-empty. | 0.1.0 | #### IsRefreshTokenAvailableOptions[ΒΆ](#isrefreshtokenavailableoptions "Permanent link") | Prop | Type | Description | Since | | ---------------- | ------ | --------------------------- | ----- | | **refreshToken** | string | The refresh token to check. | 0.1.0 | #### LoginResult[ΒΆ](#loginresult "Permanent link") | Prop | Type | Description | Since | | ----------------------------- | ------ | ------------------------------------------------------- | ----- | | **accessToken** | string | The access token. | 0.1.0 | | **accessTokenExpirationDate** | number | The access token expiration date in epoch milliseconds. | 0.1.0 | | **idToken** | string | The JWT ID token (OpenID Connect). | 0.1.0 | | **refreshToken** | string | The refresh token. | 0.1.0 | | **scope** | string | The granted scopes as a space-delimited string. | 0.1.0 | | **tokenType** | string | The token type. | 0.1.0 | #### LoginOptions[ΒΆ](#loginoptions "Permanent link") | Prop | Type | Description | Default | Since | | ------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | ----- | | **additionalParameters** | Record | Additional parameters to include in the authorization request. | 0.1.0 | | | **authorizationEndpoint** | string | The authorization endpoint URL. Either issuerUrl or both authorizationEndpoint and tokenEndpoint must be provided. | 0.1.0 | | | **clientId** | string | The OAuth client ID. | 0.1.0 | | | **issuerUrl** | string | The OpenID Connect issuer URL for auto-discovery. The plugin will fetch the OpenID Connect discovery document from {issuerUrl}/.well-known/openid-configuration to obtain the authorization and token endpoint URLs. Either issuerUrl or both authorizationEndpoint and tokenEndpoint must be provided. | 0.1.0 | | | **loginHint** | string | A hint to the authorization server about the user's identifier to pre-fill the login form. | 0.1.0 | | | **prefersEphemeralWebBrowserSession** | boolean | Whether the authentication session should use an ephemeral web browser session. If true, the session will not share cookies or other browsing data with the user's regular browser session. As a side effect, the system consent dialog (e.g. "...wants to use 'example.com' to Sign In") is not shown. Only available on iOS. | false | 0.1.5 | | **prompt** | string | The prompt parameter to control the authorization server UI behavior. | 0.1.0 | | | **redirectUrl** | string | The redirect URI to use after authentication. | 0.1.0 | | | **scopes** | string\[\] | The OAuth scopes to request. | 0.1.0 | | | **tokenEndpoint** | string | The token endpoint URL. Either issuerUrl or both authorizationEndpoint and tokenEndpoint must be provided. | 0.1.0 | | | **uiLocales** | string\[\] | The end-user's preferred languages for the authorization server UI, as an ordered list of BCP47 language tags. | 0.1.4 | | #### LogoutOptions[ΒΆ](#logoutoptions "Permanent link") | Prop | Type | Description | Default | Since | | ------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ----- | | **additionalParameters** | Record | Additional parameters to include in the end-session request. | 0.1.0 | | | **endSessionEndpoint** | string | The end-session endpoint URL. Either issuerUrl or endSessionEndpoint must be provided. | 0.1.0 | | | **idToken** | string | The ID token hint for session identification. | 0.1.0 | | | **issuerUrl** | string | The OpenID Connect issuer URL used to fetch the discovery document at {issuerUrl}/.well-known/openid-configuration. Either issuerUrl or endSessionEndpoint must be provided. | 0.1.0 | | | **postLogoutRedirectUrl** | string | The redirect URI to use after logout. | 0.1.0 | | | **prefersEphemeralWebBrowserSession** | boolean | Whether the authentication session should use an ephemeral web browser session. If true, the session will not share cookies or other browsing data with the user's regular browser session. As a side effect, the system consent dialog (e.g. "...wants to use 'example.com' to Sign Out") is not shown. Only available on iOS. | false | 0.1.5 | #### RefreshTokenOptions[ΒΆ](#refreshtokenoptions "Permanent link") | Prop | Type | Description | Since | | ------------------------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | | **issuerUrl** | string | The OpenID Connect issuer URL used to fetch the discovery document at {issuerUrl}/.well-known/openid-configuration. Either issuerUrl or tokenEndpoint must be provided. | 0.1.0 | | **tokenEndpoint** | string | The token endpoint URL. Either issuerUrl or tokenEndpoint must be provided. | 0.1.0 | | **clientId** | string | The OAuth client ID. | 0.1.0 | | **refreshToken** | string | The refresh token obtained from login. | 0.1.0 | | **additionalParameters** | Record | Additional parameters to include in the token refresh request. | 0.1.0 | ### Type Aliases[ΒΆ](#type-aliases "Permanent link") #### HandleRedirectCallbackResult[ΒΆ](#handleredirectcallbackresult "Permanent link") `[LoginResult](#loginresult)` #### RefreshTokenResult[ΒΆ](#refreshtokenresult "Permanent link") `[LoginResult](#loginresult)` ## Changelog[ΒΆ](#changelog "Permanent link") See [CHANGELOG.md](https://github.com/capawesome-team/capacitor-plugins/blob/main/packages/oauth/CHANGELOG.md). ## Breaking Changes[ΒΆ](#breaking-changes "Permanent link") See [BREAKING.md](https://github.com/capawesome-team/capacitor-plugins/blob/main/packages/oauth/BREAKING.md). ## License[ΒΆ](#license "Permanent link") See [LICENSE](https://github.com/capawesome-team/capacitor-plugins/blob/main/packages/oauth/LICENSE). May 17, 2026 Back to top