📚 [Docs] Incomplete Expo idToken Guide - Missing Implementation Details for Google/Apple OAuth #2815

New Issue

GiteaMirror · 2026-03-13T10:21:53-05:00

GiteaMirror commented

2026-03-13 10:21:53 -05:00

Originally created by @issam-seghir on GitHub (Feb 3, 2026).

Originally assigned to: @bytaesu on GitHub.

📝 Documentation Issue

Affected Page

https://www.better-auth.com/docs/integrations/expo

Problem Description

The Expo integration documentation shows how to use the idToken parameter but doesn't explain how to obtain it, especially for Google and Apple OAuth. This leaves developers confused about:

How to get the idToken from Google/Apple in Expo
Which Google Console OAuth type to use (Web vs Android vs iOS)
What additional Expo packages are needed (if any)
When to use standard flow vs idToken flow

Current Documentation

The docs show this example:

await authClient.signIn.social({
    provider: "google",
    idToken: {
        token: "...", // ID token from provider ❓ How do we get this?
        nonce: "...", // nonce from provider (optional) ❓ Where does this come from?
    },
    callbackURL: "/dashboard"
});

But there's no guidance on:

✅ How to obtain the idToken using Expo tools
✅ Whether to use expo-auth-session, expo-google-sign-in, or native modules
✅ Google Console configuration (which OAuth client type?)
✅ iOS/Android-specific setup differences

Expected Documentation

1. Add Clear Comparison Section

## Standard vs IdToken Sign-In

### Standard Flow (Current Default - Recommended for Most)
- Opens browser using `expo-web-browser`
- Better-auth handles OAuth flow entirely
- Simpler setup
- Works with Web OAuth Client ID

### IdToken Flow (Advanced - Native Feel)
- Uses native Google/Apple sign-in sheets
- Requires obtaining idToken manually
- More setup but better UX
- Requires platform-specific OAuth Client IDs

2. Add Complete IdToken Implementation Guide

## Getting IdToken with Expo

### Option 1: Google Sign-In with expo-auth-session

```bash
npx expo install expo-auth-session expo-crypto expo-web-browser

import * as Google from 'expo-auth-session/providers/google';
import * as Crypto from 'expo-crypto';

// Configure Google Auth
const [request, response, promptAsync] = Google.useIdTokenAuthRequest({
  clientId: 'YOUR_WEB_CLIENT_ID.apps.googleusercontent.com',
  iosClientId: 'YOUR_IOS_CLIENT_ID.apps.googleusercontent.com',
  androidClientId: 'YOUR_ANDROID_CLIENT_ID.apps.googleusercontent.com',
});

// Handle sign-in
const handleGoogleSignIn = async () => {
  const result = await promptAsync();
  
  if (result.type === 'success' && result.params.id_token) {
    // Send idToken to better-auth
    await authClient.signIn.social({
      provider: "google",
      idToken: { token: result.params.id_token },
      callbackURL: "/dashboard"
    });
  }
};

npx expo install expo-apple-authentication expo-crypto

import * as AppleAuthentication from 'expo-apple-authentication';
import * as Crypto from 'expo-crypto';

const handleAppleSignIn = async () => {
  const nonce = await Crypto.digestStringAsync(
    Crypto.CryptoDigestAlgorithm.SHA256,
    Math.random().toString()
  );
  
  const credential = await AppleAuthentication.signInAsync({
    requestedScopes: [
      AppleAuthentication.AppleAuthenticationScope.EMAIL,
      AppleAuthentication.AppleAuthenticationScope.FULL_NAME,
    ],
  });
  
  if (credential.identityToken) {
    await authClient.signIn.social({
      provider: "apple",
      idToken: { 
        token: credential.identityToken,
        nonce: nonce // Apple requires nonce
      },
      callbackURL: "/dashboard"
    });
  }
};

3. Add Google Console Configuration Guide

## Google Cloud Console Setup for IdToken Flow

### For Web Client (Standard Flow - Current Default)
1. Create **OAuth 2.0 Web Application**
2. Add redirect URI: `https://yourdomain.com/api/auth/callback/google`
3. Use this Client ID in better-auth server config

### For Native IdToken Flow (Advanced)
1. Create **OAuth 2.0 Android Application** 
   - Package name: `com.yourcompany.yourapp`
   - SHA-1 fingerprint: Get from `keytool -list -v -keystore ~/.android/debug.keystore`
2. Create **OAuth 2.0 iOS Application**
   - Bundle ID: `com.yourcompany.yourapp`
3. Use these Client IDs in `expo-auth-session` config
4. Server still uses **Web Client** credentials

When to Use Each Approach?

Criteria	Standard Flow	IdToken Flow
Ease of Setup	✅ Simple	⚠️ Complex
UX	Browser popup	Native sheet
Performance	Slower	Faster
Recommended For	MVP, Testing	Production, iOS
Apple App Store	May need review	✅ Required


### Impact

This documentation gap causes:
- ❌ Developers thinking they need third-party packages (like `@react-native-google-signin/google-signin`)
- ❌ Confusion about Google Console OAuth client types
- ❌ Uncertainty about when to use idToken vs standard flow
- ❌ Unnecessary complexity in implementation

### Related Issues
- #7025 - Google Sign-In stuck at consent screen (Expo + Express)
- #7049 - Apple sign-in hangs in production builds
- #5034 - State mismatch error with Google OAuth on Expo

### Suggested Fix

Add a new section to the Expo docs:
1. **"Choosing the Right Approach"** - Comparison table
2. **"Standard Flow (Recommended)"** - Current browser-based approach (emphasize this is simpler)
3. **"IdToken Flow (Advanced)"** - Complete implementation guide with `expo-auth-session`
4. **"Google Console Configuration"** - Detailed OAuth client type guide
5. **"Troubleshooting"** - Common issues and solutions

### Additional Context

Many developers (including myself) see the idToken example and assume it's the "proper" way to do OAuth in Expo, when the standard browser-based flow is actually simpler and works perfectly for most use cases. Clarifying this would save hours of confusion.

---

**Would be happy to contribute a PR for this if the maintainers agree with the approach!** 🙌

Originally created by @issam-seghir on GitHub (Feb 3, 2026). Originally assigned to: @bytaesu on GitHub. ## 📝 Documentation Issue ### Affected Page https://www.better-auth.com/docs/integrations/expo ### Problem Description The Expo integration documentation shows **how to use** the `idToken` parameter but doesn't explain **how to obtain** it, especially for Google and Apple OAuth. This leaves developers confused about: 1. **How to get the idToken** from Google/Apple in Expo 2. **Which Google Console OAuth type** to use (Web vs Android vs iOS) 3. **What additional Expo packages** are needed (if any) 4. **When to use standard flow vs idToken flow** ### Current Documentation The docs show this example: ```typescript await authClient.signIn.social({ provider: "google", idToken: { token: "...", // ID token from provider ❓ How do we get this? nonce: "...", // nonce from provider (optional) ❓ Where does this come from? }, callbackURL: "/dashboard" }); ``` But there's no guidance on: - ✅ How to obtain the `idToken` using Expo tools - ✅ Whether to use `expo-auth-session`, `expo-google-sign-in`, or native modules - ✅ Google Console configuration (which OAuth client type?) - ✅ iOS/Android-specific setup differences ### Expected Documentation #### 1. Add Clear Comparison Section ```markdown ## Standard vs IdToken Sign-In ### Standard Flow (Current Default - Recommended for Most) - Opens browser using `expo-web-browser` - Better-auth handles OAuth flow entirely - Simpler setup - Works with Web OAuth Client ID ### IdToken Flow (Advanced - Native Feel) - Uses native Google/Apple sign-in sheets - Requires obtaining idToken manually - More setup but better UX - Requires platform-specific OAuth Client IDs ``` #### 2. Add Complete IdToken Implementation Guide ```markdown ## Getting IdToken with Expo ### Option 1: Google Sign-In with expo-auth-session ```bash npx expo install expo-auth-session expo-crypto expo-web-browser ``` ```typescript import * as Google from 'expo-auth-session/providers/google'; import * as Crypto from 'expo-crypto'; // Configure Google Auth const [request, response, promptAsync] = Google.useIdTokenAuthRequest({ clientId: 'YOUR_WEB_CLIENT_ID.apps.googleusercontent.com', iosClientId: 'YOUR_IOS_CLIENT_ID.apps.googleusercontent.com', androidClientId: 'YOUR_ANDROID_CLIENT_ID.apps.googleusercontent.com', }); // Handle sign-in const handleGoogleSignIn = async () => { const result = await promptAsync(); if (result.type === 'success' && result.params.id_token) { // Send idToken to better-auth await authClient.signIn.social({ provider: "google", idToken: { token: result.params.id_token }, callbackURL: "/dashboard" }); } }; ``` ### Option 2: Apple Sign-In with expo-apple-authentication ```bash npx expo install expo-apple-authentication expo-crypto ``` ```typescript import * as AppleAuthentication from 'expo-apple-authentication'; import * as Crypto from 'expo-crypto'; const handleAppleSignIn = async () => { const nonce = await Crypto.digestStringAsync( Crypto.CryptoDigestAlgorithm.SHA256, Math.random().toString() ); const credential = await AppleAuthentication.signInAsync({ requestedScopes: [ AppleAuthentication.AppleAuthenticationScope.EMAIL, AppleAuthentication.AppleAuthenticationScope.FULL_NAME, ], }); if (credential.identityToken) { await authClient.signIn.social({ provider: "apple", idToken: { token: credential.identityToken, nonce: nonce // Apple requires nonce }, callbackURL: "/dashboard" }); } }; ``` #### 3. Add Google Console Configuration Guide ```markdown ## Google Cloud Console Setup for IdToken Flow ### For Web Client (Standard Flow - Current Default) 1. Create **OAuth 2.0 Web Application** 2. Add redirect URI: `https://yourdomain.com/api/auth/callback/google` 3. Use this Client ID in better-auth server config ### For Native IdToken Flow (Advanced) 1. Create **OAuth 2.0 Android Application** - Package name: `com.yourcompany.yourapp` - SHA-1 fingerprint: Get from `keytool -list -v -keystore ~/.android/debug.keystore` 2. Create **OAuth 2.0 iOS Application** - Bundle ID: `com.yourcompany.yourapp` 3. Use these Client IDs in `expo-auth-session` config 4. Server still uses **Web Client** credentials ``` ### When to Use Each Approach? | Criteria | Standard Flow | IdToken Flow | |----------|--------------|--------------| | **Ease of Setup** | ✅ Simple | ⚠️ Complex | | **UX** | Browser popup | Native sheet | | **Performance** | Slower | Faster | | **Recommended For** | MVP, Testing | Production, iOS | | **Apple App Store** | May need review | ✅ Required | ``` ### Impact This documentation gap causes: - ❌ Developers thinking they need third-party packages (like `@react-native-google-signin/google-signin`) - ❌ Confusion about Google Console OAuth client types - ❌ Uncertainty about when to use idToken vs standard flow - ❌ Unnecessary complexity in implementation ### Related Issues - #7025 - Google Sign-In stuck at consent screen (Expo + Express) - #7049 - Apple sign-in hangs in production builds - #5034 - State mismatch error with Google OAuth on Expo ### Suggested Fix Add a new section to the Expo docs: 1. **"Choosing the Right Approach"** - Comparison table 2. **"Standard Flow (Recommended)"** - Current browser-based approach (emphasize this is simpler) 3. **"IdToken Flow (Advanced)"** - Complete implementation guide with `expo-auth-session` 4. **"Google Console Configuration"** - Detailed OAuth client type guide 5. **"Troubleshooting"** - Common issues and solutions ### Additional Context Many developers (including myself) see the idToken example and assume it's the "proper" way to do OAuth in Expo, when the standard browser-based flow is actually simpler and works perfectly for most use cases. Clarifying this would save hours of confusion. --- **Would be happy to contribute a PR for this if the maintainers agree with the approach!** 🙌

GiteaMirror added the documentation label 2026-03-13 10:21:53 -05:00

GiteaMirror closed this issue

2026-03-13 10:21:53 -05:00

GiteaMirror commented

2026-03-13 10:21:54 -05:00

@better-auth-agent[bot] commented on GitHub (Feb 3, 2026):

Thank you for sharing that detailed issue regarding the incomplete Expo idToken guide! Currently, it seems that there is no stipulation in the existing documentation on how to obtain the idToken for Google and Apple OAuth within an Expo environment. Therefore, developers may face confusion regarding the necessary Expo packages, Google Console OAuth types, and when to use different flows.

To address this, your suggestions for enhancing documentation are valuable:

Providing clear examples on obtaining the idToken, including configurations for both Google and Apple.
Clarifying which OAuth client types to use in the Google Console.
Including troubleshooting steps and a comparison table to guide developers between standard flow and idToken flow.

It sounds like an excellent enhancement to the documentation! If you wish, I would recommend creating a PR to propose these changes for a clearer and improved experience for developers using Expo with Better Auth.

Feel free to tag @better-auth-agent if you’d like further insights or assistance regarding this matter! Do you have additional aspects you want to propose for the documentation?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Feb 3, 2026): Thank you for sharing that detailed issue regarding the incomplete Expo idToken guide! Currently, it seems that there is no stipulation in the existing documentation on how to obtain the `idToken` for Google and Apple OAuth within an Expo environment. Therefore, developers may face confusion regarding the necessary Expo packages, Google Console OAuth types, and when to use different flows. To address this, your suggestions for enhancing documentation are valuable: 1. Providing clear examples on obtaining the `idToken`, including configurations for both Google and Apple. 2. Clarifying which OAuth client types to use in the Google Console. 3. Including troubleshooting steps and a comparison table to guide developers between standard flow and idToken flow. It sounds like an excellent enhancement to the documentation! If you wish, I would recommend creating a PR to propose these changes for a clearer and improved experience for developers using Expo with Better Auth. Feel free to tag @better-auth-agent if you’d like further insights or assistance regarding this matter! Do you have additional aspects you want to propose for the documentation? _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-03-13 10:21:54 -05:00

@bytaesu commented on GitHub (Feb 4, 2026):

Thanks @issam-seghir, let me check.
I've set up the Expo app and I am testing it.

@bytaesu commented on GitHub (Feb 4, 2026): Thanks @issam-seghir, let me check. I've set up the Expo app and I am testing it.

GiteaMirror commented

2026-03-13 10:21:54 -05:00

@bytaesu commented on GitHub (Feb 4, 2026):

@issam-seghir, Is there anything else I should look into to make the Expo plugin more solid?

@bytaesu commented on GitHub (Feb 4, 2026): @issam-seghir, Is there anything else I should look into to make the Expo plugin more solid?

GiteaMirror commented

2026-03-13 10:21:55 -05:00

@bytaesu commented on GitHub (Feb 7, 2026):

Hi @issam-seghir,

I’ve updated the docs.

Also, according to the official Expo docs, expo-auth-session/providers/google has been deprecated.

@bytaesu commented on GitHub (Feb 7, 2026): Hi @issam-seghir, I’ve updated the docs. Also, according to the official Expo docs, `expo-auth-session/providers/google` has been deprecated.

GiteaMirror referenced this issue

2026-03-13 11:49:13 -05:00

[PR #2815] [MERGED] nit(docs): add callback URL property to sign up method #4500

GiteaMirror referenced this issue

2026-04-13 08:34:17 -05:00

[PR #2815] [MERGED] nit(docs): add callback URL property to sign up method #12747

GiteaMirror referenced this issue

2026-04-15 20:20:54 -05:00

[PR #2815] [MERGED] nit(docs): add callback URL property to sign up method #21401

GiteaMirror referenced this issue

2026-04-17 21:17:33 -05:00

[PR #2815] [MERGED] nit(docs): add callback URL property to sign up method #30101

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#2815