Strategy-based OAuth2 authentication for Gleam

OAuth sign-in for Gleam apps, without the guesswork.

Vestibule gives Gleam applications a consistent request/callback flow, normalized auth results, PKCE, CSRF state, provider strategies, and Wisp or Mist middleware without hiding the security responsibilities your app still owns.

  1. Request: URL, state, PKCE verifier
  2. Store: Bind transient callback data
  3. Callback: Validate and normalize user info

Start with the integration shape.

Use the core APIs when you want direct control, and the Wisp or Mist middleware when you want routing helpers. GitHub is included in core; use provider packages when your app needs Google, Microsoft, or Apple.

let assert Ok(auth_request) = vestibule.create_authorization_request(strategy, cfg)
// Store auth_request.state and auth_request.code_verifier.
// Redirect to auth_request.url.

let assert Ok(auth) =
  vestibule.handle_callback(
    strategy,
    cfg,
    params,
    expected_state,
    code_verifier,
  )

Supported providers

Start with GitHub from core, then add Google, Microsoft, or Apple when your app needs those provider-specific flows.

Packages by job

Pick the package by the responsibility it should own in your app.

Secure defaults, explicit boundaries.

Vestibule creates strong state tokens, applies PKCE, validates callback state before surfacing provider details, and verifies the provider-specific data it owns. Your application still stores transient callback data, protects bearer credentials, and decides how users map to accounts.
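One way an application can handle the "store transient callback data" responsibility, shown as an added example that is not Vestibule's own code. The `Pending` type, `bind`, `take`, the session-id key and the in-memory `Dict` are assumptions standing in for your real session store; timestamps are Unix seconds supplied by the caller.

```gleam
import gleam/dict.{type Dict}

// Transient data for one in-flight sign-in (hypothetical type, not Vestibule's).
pub type Pending {
  Pending(state: String, code_verifier: String, expires_at: Int)
}

pub type TakeError {
  NotFound
  Expired
}

// Bind the authorization request's values to the browser session.
// A newer sign-in attempt in the same session overwrites the older one.
pub fn bind(
  store: Dict(String, Pending),
  session_id: String,
  pending: Pending,
) -> Dict(String, Pending) {
  dict.insert(store, session_id, pending)
}

// Consume the entry on callback. It is deleted whether or not it is still
// valid, so a replayed callback finds nothing to validate against.
pub fn take(
  store: Dict(String, Pending),
  session_id: String,
  now: Int,
) -> #(Dict(String, Pending), Result(Pending, TakeError)) {
  let remaining = dict.delete(store, session_id)
  case dict.get(store, session_id) {
    Error(Nil) -> #(remaining, Error(NotFound))
    Ok(pending) ->
      case pending.expires_at > now {
        True -> #(remaining, Ok(pending))
        False -> #(remaining, Error(Expired))
      }
  }
}

pub fn main() {
  // Constructed sample values; real ones come from the authorization request.
  let entry = Pending("state-123", "verifier-456", expires_at: 1600)
  let store = bind(dict.new(), "session-abc", entry)
  let #(store, first) = take(store, "session-abc", 1100)
  let assert Ok(Pending(state: "state-123", ..)) = first
  // Replay of the same callback: the entry is already gone.
  let #(_, second) = take(store, "session-abc", 1101)
  let assert Error(NotFound) = second
  Nil
}
```

The `state` and `code_verifier` returned by `take` are the values the callback handler passes as `expected_state` and `code_verifier` to `vestibule.handle_callback`.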
