Quickstart
This guide walks through implementing Login with Railway for a web application using the authorization code flow. By the end, you'll have working code that authenticates users and makes API requests on their behalf.
1. Create an OAuth app
Navigate to your workspace settings → Developer → New OAuth App, and enter the app name and one or more redirect URIs. The redirect URIs you configure must exactly match what your application sends in authorization requests.
For native apps, use http://127.0.0.1:3000/callback (not localhost), or a custom URL scheme like myapp://callback.
After creating the app, copy the client ID and client secret. The secret is only shown once.
2. Redirect to authorization
When a user wants to sign in, redirect their browser to the authorization endpoint:
- response_type: Must be code
- client_id: Your OAuth app's client ID
- redirect_uri: Must exactly match a registered URI
- scope: Space-separated permissions; openid is required
- state: Random string for CSRF protection; verify it matches when redirected back
For additional security, add PKCE parameters. While optional for web apps, PKCE is mandatory for native apps. See Creating an App for details.
3. Exchange code for tokens
After the user approves, their browser is redirected to your redirect_uri with code and state parameters. Check that state matches the value you stored for this session before doing anything else, then POST the code to the token endpoint, authenticating with HTTP Basic (client ID as the username, client secret as the password):
Response:
The access_token authenticates API requests and expires in one hour. The id_token is a signed JWT that asserts the user's identity; verify its signature, issuer, audience (your client ID) and expiry before trusting its claims.
4. Get user info
Retrieve the authenticated user's profile:
- The sub claim is the user's ID. You can use this to associate the Railway account with a user in your application.
5. Make API requests
Use the access token with the Public API:
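The client side of steps 2 through 5, as an added Python example that is not code from the Railway docs or from any Railway SDK. Because this page does not give the authorization or token endpoint URLs, AUTHORIZE_URL and TOKEN_URL are assumed placeholders; the helper names (make_pkce_pair, parse_callback, build_token_request, bearer_header) are this example's own, and the callback URL it validates is constructed locally instead of coming from a real redirect. It shows the parts that are easy to get wrong: a high-entropy state and PKCE pair, checking state before touching the code, and putting the client credentials in the Basic header rather than the form body.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# ASSUMED placeholder endpoints: this page does not list the real authorization
# and token endpoint URLs, so take those from Railway's OAuth documentation.
AUTHORIZE_URL = "https://railway.example/oauth/authorize"
TOKEN_URL = "https://railway.example/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); keep the verifier in the session."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    return verifier, pkce_challenge(verifier)


def make_state() -> str:
    """Unguessable per-login state; store it server-side in the user's session."""
    return b64url(secrets.token_bytes(24))


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list[str],
                            state: str, code_challenge: str) -> str:
    """Step 2: the URL to send the browser to. The openid scope is required."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # must exactly match a registered URI
        "scope": " ".join(scopes),         # space-separated
        "state": state,
        "code_challenge": code_challenge,  # PKCE, S256 method
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3, first half: validate the redirect back and return the code.

    state is compared before the code is used at all: a mismatch means this
    callback was not started by this session (CSRF / login injection)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the code parameter")
    return code


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, code_verifier: str) -> tuple[dict, str]:
    """Step 3, second half: headers and form body for POST TOKEN_URL.

    Client credentials travel in an HTTP Basic header; the code and PKCE
    verifier travel in the body. Send this from the server, never the browser."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # same value as in the authorization request
        "code_verifier": code_verifier,
    })
    return headers, body


def bearer_header(access_token: str) -> dict:
    """Steps 4 and 5: the header for the userinfo request and Public API calls."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Walk the flow with a CONSTRUCTED callback; nothing is sent over the network.
    verifier, challenge = make_pkce_pair()
    state = make_state()
    redirect_uri = "http://127.0.0.1:3000/callback"
    print("redirect to:", build_authorization_url("my-client-id", redirect_uri,
                                                  ["openid"], state, challenge))
    fake_callback = f"{redirect_uri}?code=constructed-code&state={state}"
    code = parse_callback(fake_callback, state)
    headers, body = build_token_request("my-client-id", "my-client-secret",
                                        code, redirect_uri, verifier)
    print("POST", TOKEN_URL, headers, body)
    print("then call userinfo / Public API with", bearer_header("<access_token>"))
```

The state and code_verifier must be stored server-side (in the session) between the redirect and the callback; if they are kept in a cookie or query string the browser controls, the CSRF protection they provide is lost.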
Next steps
- Login & Tokens: Token lifecycle and refresh tokens for long-lived access
- Scopes & User Consent: Available scopes and permissions
- Fetching Workspaces or Projects: Query resources users granted access to