Lamba

Choose this when

Use this path when your Project needs customer sign-in through external providers such as Google or Apple while keeping the same Lamba User, Project membership, session, and audit model used by password and OIDC flows.

Before you start

Social login is an authentication method, not a separate account system. A provider account links to one global Lamba User, and runtime access still depends on Project membership and Project roles.

Get credentials from Console

Credentials and configuration values
Value	Console source	Env var	Used for
Provider client ID	Integration > Runtime Auth > Social providers	`PROVIDER_CLIENT_ID`	Provider OAuth/OIDC app registration for the selected environment
Provider client secretSecret	Integration > Runtime Auth > Social providers	`PROVIDER_CLIENT_SECRET`	Provider callback exchange managed by Lamba
Lamba callback URL	Integration > Runtime Auth > Social providers	`PROVIDER_REDIRECT_URI`	Redirect URL to register in the provider console
Project and environment	Top Project selector and environment badge	`LAMBA_PROJECT_ID and LAMBA_ENV`	Keeps provider setup isolated by Project and environment

Configure environment variables

Most provider credentials are stored in the Lamba console. Your product usually needs only the auth host and the provider key it wants to start:

LAMBA_CUSTOMER_AUTH_BASE=https://test.id.uselamba.com
LAMBA_SOCIAL_PROVIDER=google

Make the first request

Start login by redirecting to the provider start route for the configured provider.

GEThttps://test.id.uselamba.com/v1/auth/login/social/{provider}/start

Auth: None for the browser redirect
Used for: Starts provider login for the selected Project environment

After the provider completes, Lamba handles the callback and returns the customer into the normal session flow. Read authorization before showing privileged UI:

curl "$LAMBA_CUSTOMER_API_BASE/v1/me/authorization" \
  -H "Authorization: Bearer $CUSTOMER_SESSION_TOKEN"

Request fields

Request and response fields
Field	Type	Required	Meaning	Notes
`provider`	path string	Required	Social provider key, such as `google` or `apple`.	-
`returnTo`	URI	Optional	Product URL to return to after the social flow completes.	Use only trusted product URLs.
`state`	string	Conditional	Opaque flow binding value when your client owns state tracking.	-

Response fields

Social login ends in the same session contract as other Lamba login methods.

Request and response fields
Field	Type	Required	Meaning	Notes
`access_token`	string	Required	Customer session access token when the flow completes.	-
`refresh_token`	string	Required	Refresh credential for the customer session.	-
`socialProviders`	array	Required	Provider connection status returned by `/v1/me/linked-identities`.	Use this to show connected/unavailable provider state.

Done when

The provider is enabled only for the intended Project environment.
The provider console redirect URL matches the Lamba callback URL.
A social login returns a normal Lamba customer session.
`/v1/me/linked-identities` shows the provider connection state.
Your UI handles provider ownership conflicts without silently reassigning accounts.

Troubleshooting

Symptom	Likely cause	Fix
Provider button is unavailable	Provider is disabled or runtime OAuth setup is incomplete	Review `Integration > Runtime Auth > Social providers` for the selected environment
Callback fails	Provider redirect URL does not match Lamba's callback URL	Copy the exact callback URL into the provider console
User cannot link provider	The same provider subject is already owned by another Lamba User	Show a conflict and ask the user to sign in with the owning account
User signs in but lacks access	Social login created identity but Project membership is missing	Add or invite the Project member and read `/v1/me/authorization`

OAuth/OIDC Security: /docs/reference/oauth-oidc-security
Identity Model: /docs/concepts/identity-model
Member Lifecycle: /docs/concepts/member-lifecycle
Customer API request and response contract: /docs/quickstart/customer-api