Labsco
vercel-labs logo

oauth

10,000

by vercel · part of vercel-labs/portless

Configure OAuth providers (Google, Apple, Microsoft, Facebook, GitHub, etc.) to work with portless local dev URLs. Use when setting up OAuth redirect URIs,…

🔥🔥🔥✓ VerifiedFreeAdvanced setup
🧰 Not standalone. This skill ships with vercel-labs/portless and only works together with that tool — install the tool first, then add this skill.

Configure OAuth providers (Google, Apple, Microsoft, Facebook, GitHub, etc.) to work with portless local dev URLs. Use when setting up OAuth redirect URIs,…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by vercel

Configure OAuth providers (Google, Apple, Microsoft, Facebook, GitHub, etc.) to work with portless local dev URLs. Use when setting up OAuth redirect URIs,… npx skills add https://github.com/vercel-labs/portless --skill oauth Download ZIPGitHub10k

OAuth with Portless

OAuth providers validate redirect URIs against domain rules. .localhost subdomains fail on most providers because they are not in the Public Suffix List or are explicitly blocked. Portless fixes this with --tld to serve apps on real, valid domains.

The Problem

When portless uses the default .localhost TLD, OAuth providers reject redirect URIs like http://myapp.localhost:1355/callback:

Provider localhost .localhost subdomains Reason Google Allowed Rejected Not in their bundled PSL Apple Rejected Rejected No localhost at all Microsoft Allowed Allowed Permissive localhost handling Facebook Allowed Varies Must register each URI exactly GitHub Allowed Allowed Permissive

Google and Apple are the strictest. Microsoft and GitHub are more lenient with localhost.

The Fix

Use a valid TLD so the redirect URI passes provider validation:

Copy & paste — that's it
portless proxy start --tld dev
portless myapp next dev
# -> https://myapp.dev

Any TLD in the Public Suffix List works: .dev, .app, .com, .io, etc.

Use a domain you own

Bare TLDs like .dev mean myapp.dev could collide with a real domain. Use a subdomain of a domain you control:

Copy & paste — that's it
portless proxy start --tld dev
portless myapp.local.yourcompany next dev
# -> https://myapp.local.yourcompany.dev

This ensures no outbound traffic reaches something you don't own. For teams, set a wildcard DNS record (*.local.yourcompany.dev -> 127.0.0.1) so every developer gets resolution without /etc/hosts.

Example

See examples/google-oauth for a complete working example with Next.js + NextAuth + Google OAuth using --tld dev.