The three OAuth modes

Pick the mode that matches your branding and trust requirements. You can change later — modes are configured per-app.

Mode A — Shared (Tanvrit-managed)

Default for first-party platforms (wedding, swyft, …) and any third party that doesn't care about consent-screen branding. The provider's consent screen reads "Tanvrit".

OAuth client: Tanvrit owns and registers a single OAuth app per provider (Google / Apple / Facebook / GitHub).
Redirect URI: https://api.tanvrit.com/api/v1/auth/<provider>/callback
State: your appId rides on the OAuth state parameter so the callback knows which tenant you are.
Setup: zero. Your app already works in this mode — every platform on day-one is Mode A.

Mode B — BYO (Bring Your Own)

For tenants who want their own brand on the Google / Apple / Facebook / GitHub consent screen. Most B2B SaaS, white-label deployments, and any partner who's already on these platforms with their own developer account.

OAuth client: you register your own OAuth app at Google Cloud Console / Apple Developer / Meta / GitHub.
Redirect URI: a URL you own on your domain (e.g. https://wedding.example.com/auth/callback).
Credentials: paste client_id, client_secret, and the redirect_uri(s) into the developer portal. Stored AES-256-GCM-encrypted at rest.
Native flow: your SDK calls Google's native sign-in with your client_id; consent shows your brand. The resulting idToken is forwarded to POST /api/v1/auth/google on Tanvrit; the server verifies the audience matches your stored client_id, then mints a Tanvrit session scoped to your appId.
Redirect flow (web apps): the SDK redirects the user to Google with your client_id + redirect_uri; Google redirects back to your URL with code; your app forwards code to POST /api/v1/auth/google with redirect_uri in the body; the server uses your stored client_secret to complete the exchange.

Mode C — Sign in with Tanvrit (OIDC IdP)

For third parties who want zero-setup auth and cross-Tanvrit SSO. Tanvrit becomes your Identity Provider — your users see Tanvrit's login screen, but the resulting identity is yours to consume via standard OIDC.

OAuth client: register your relying party in the Tanvrit developer portal. You'll be issued a client_id and (for confidential clients) a client_secret.
Redirect URI: a URL you own. Listed on your client config — exact-match allowlist enforced at every authorize request.
Discovery: https://api.tanvrit.com/.well-known/openid-configuration — drop into any OIDC library (passport-openidconnect, oauth4webapi, our SignInWithTanvrit helper, …).
Login UX: if your user isn't yet authenticated to Tanvrit, they're sent to /oauth/login for a phone-OTP login, then bounced back to /oauth/authorize with their session cookie.
SSO: a user already signed in to one Tanvrit-using app gets one-click consent for any other Tanvrit-using app.

How to choose

	Mode A	Mode B	Mode C
Who runs the OAuth client?	Tanvrit	You	You (against Tanvrit IdP)
Who's on the consent screen?	Tanvrit	You	Tanvrit (you authorize from your own UI)
Setup work	None	Per-provider OAuth registration + paste creds	Register one OIDC client
Cross-Tanvrit SSO	—	—	✓
Best for	First-party apps, dev / staging	White-label, branded SaaS	Third-party apps, partners

Next: Sign in with Tanvrit (Mode C) — full guide