Tutorial: GitHub OAuth in Astro

Before starting, make sure you've set up your database and middleware as described in the Getting started page.

An example project based on this tutorial is also available. You can clone the example locally or open it in StackBlitz.

npx degit <directory_name>

Create an OAuth App

Create a GitHub OAuth app. Set the redirect URI to http://localhost:4321/login/github/callback. Copy and paste the client ID and secret to your .env file.

# .env

Update database

Add a github_id and username column to your user table.

column type attributes
github_id number unique
username string

Create a DatabaseUserAttributes interface in the module declaration and add your database columns. By default, Lucia will not expose any database columns to the User type. To add a githubId and username field to it, use the getUserAttributes() option.

import { Lucia } from "lucia";

export const lucia = new Lucia(adapter, {
	sessionCookie: {
		attributes: {
			secure: import.meta.env.PROD
	getUserAttributes: (attributes) => {
		return {
			// attributes has the type of DatabaseUserAttributes
			githubId: attributes.github_id,
			username: attributes.username

declare module "lucia" {
	interface Register {
		Lucia: typeof lucia;
		DatabaseUserAttributes: DatabaseUserAttributes;

interface DatabaseUserAttributes {
	github_id: number;
	username: string;

Setup Arctic

We recommend using Arctic for implementing OAuth. It is a lightweight library that provides APIs for creating authorization URLs, validating callbacks, and refreshing access tokens. This is the easiest way to implement OAuth with Lucia and it supports most major providers.

npm install arctic

Initialize the GitHub provider with the client ID and secret.

import { GitHub } from "arctic";

export const github = new GitHub(

Sign in page

Create pages/login/index.astro and add a basic sign in button, which should be a link to /login/github.

<!-- pages/login/index.astro -->
<html lang="en">
		<h1>Sign in</h1>
		<a href="/login/github">Sign in with GitHub</a>

Create authorization URL

Create an API route in pages/login/github/index.ts. Generate a new state, create a new authorization URL with createAuthorizationURL(), store the state, and redirect the user to the authorization URL. The user will be prompted to sign in with GitHub.

// pages/login/github/index.ts
import { generateState } from "arctic";
import { github } from "@lib/auth";

import type { APIContext } from "astro";

export async function GET(context: APIContext): Promise<Response> {
	const state = generateState();
	const url = await github.createAuthorizationURL(state);

	context.cookies.set("github_oauth_state", state, {
		path: "/",
		secure: import.meta.env.PROD,
		httpOnly: true,
		maxAge: 60 * 10,
		sameSite: "lax"

	return context.redirect(url.toString());

Validate callback

Create an API route in pages/login/github/callback.ts to handle the callback. First, get the state from the cookie and the search params and compare them. Validate the authorization code in the search params with validateAuthorizationCode(). This will throw an OAuth2RequestError if the code or credentials are invalid. After validating the code, get the user's profile using the access token. Check if the user is already registered with the GitHub ID, and create a new user if they aren't. Finally, create a new session and set the session cookie.

// pages/login/github/callback.ts
import { github, lucia } from "@lib/auth";
import { OAuth2RequestError } from "arctic";
import { generateId } from "lucia";

import type { APIContext } from "astro";

export async function GET(context: APIContext): Promise<Response> {
	const code = context.url.searchParams.get("code");
	const state = context.url.searchParams.get("state");
	const storedState = context.cookies.get("github_oauth_state")?.value ?? null;
	if (!code || !state || !storedState || state !== storedState) {
		return new Response(null, {
			status: 400

	try {
		const tokens = await github.validateAuthorizationCode(code);
		const githubUserResponse = await fetch("", {
			headers: {
				Authorization: `Bearer ${tokens.accessToken}`
		const githubUser: GitHubUser = await githubUserResponse.json();

		// Replace this with your own DB client.
		const existingUser = await db.table("user").where("github_id", "=",;

		if (existingUser) {
			const session = await lucia.createSession(, {});
			const sessionCookie = lucia.createSessionCookie(;
			context.cookies.set(, sessionCookie.value, sessionCookie.attributes);
			return context.redirect("/");

		const userId = generateId(15);

		// Replace this with your own DB client.
		await db.table("user").insert({
			id: userId,
			username: githubUser.login

		const session = await lucia.createSession(userId, {});
		const sessionCookie = lucia.createSessionCookie(;
		context.cookies.set(, sessionCookie.value, sessionCookie.attributes);
		return context.redirect("/");
	} catch (e) {
		// the specific error message depends on the provider
		if (e instanceof OAuth2RequestError) {
			// invalid code
			return new Response(null, {
				status: 400
		return new Response(null, {
			status: 500

interface GitHubUser {
	id: string;
	login: string;

Validate requests

You can validate requests by checking locals.user. The field user.username is available since we defined the getUserAttributes() option. You can protect pages, such as /, by redirecting unauthenticated users to the login page.

const user = Astro.locals.user;
if (!user) {
	return Astro.redirect("/login");

const username = user.username;

Sign out

Sign out users by invalidating their session with Lucia.invalidateSession(). Make sure to remove their session cookie by setting a blank session cookie created with Lucia.createBlankSessionCookie().

import { lucia } from "@lib/auth";
import type { APIContext } from "astro";

export async function POST(context: APIContext): Promise<Response> {
	if (!context.locals.session) {
		return new Response(null, {
			status: 401

	await lucia.invalidateSession(;

	const sessionCookie = lucia.createBlankSessionCookie();
	context.cookies.set(, sessionCookie.value, sessionCookie.attributes);

	return context.redirect("/login");
<form method="post" action="/api/logout">
	<button>Sign out</button>