Skip to main content

Step 1 | Get started with SSO

SSO lets your team sign in to your Base44 app using an existing authentication provider, such as Google, Microsoft, GitHub, or Okta. Start by finding your Base44 app ID and redirect URI. You will use this redirect URI when you set up any SSO provider in Base44.
Single sign-on (SSO) is available for Base44 apps on the Elite plan or higher.
To find your Base44 app ID and redirect URI:
  1. Go to your app editor in Base44.
  2. Check your browser’s address bar and find the app ID between /apps/ and /editor/ in the URL.
  3. Build your redirect URI by replacing {{APP_ID}} in this format with your app ID: 
    https://app.base44.com/api/apps/{{APP_ID}}/auth/sso/callback
With the app editor open, the URL might look like this:
https://app.base44.com/apps/686404784ac37377589a1f7f/editor/...
Here, 686404784ac37377589a1f7f is the app ID. Plug that into the format:
https://app.base44.com/api/apps/686404784ac37377589a1f7f/auth/sso/callback
This is the redirect URI you’ll enter with your SSO provider.

Step 2 | Choose your provider

Start by choosing the identity provider your team already uses. You can pick a built-in option (Google, Microsoft, GitHub, or Okta), or use Advanced / Manual configuration to connect any OIDC provider.

Google Workspace

Allow sign-in with Google Workspace accounts.

Microsoft 365 / Entra ID

Allow sign-in with Microsoft 365 or Entra ID.

GitHub

Allow sign-in with GitHub accounts.

Okta

Allow sign-in with your Okta directory.

Advanced / Manual configuration

Connect any OIDC-compatible provider using custom endpoints.

Google Workspace

Use Google Workspace as your SSO provider with an OAuth 2.0 Web application. First, create an OAuth 2.0 client in Google Cloud Console for your project, then add those credentials in Base44.
Before you set up SSO, you’ll need:
  • A client ID and client secret from Google Cloud
  • Your app’s redirect URI (see Step 1)
Check out Google’s credential setup guide
To set up Google Workspace SSO in Base44:
  1. In your app editor, click Dashboard.
  2. Click Settings.
  3. Click Authentication.
  4. Click Set Up next to Single sign-on (SSO).
  5. In Select SSO provider, and choose Google Workspace.
  6. Enter your Client Id and Client Secret from Google.
  7. Keep Scope as openid email profile.
  8. Leave Discovery Url set to the default value.
  9. Click Enable SSO.
Base44 Single sign-on settings configured with Google Workspace as the SSO provider

Microsoft

Use Microsoft Entra ID (Azure AD) as your SSO provider through your Azure portal.
Before you set up SSO, you’ll need:
  • Application (client) ID, directory (tenant) ID, and client secret from Azure
  • Your app’s redirect URI (see Step 1)
  • Scopes including openid, email, profile, and User.Read
Check out Microsoft identity platform registration
To set up Microsoft SSO in Base44:
  1. In your app editor, click Dashboard.
  2. Click Settings.
  3. Click Authentication.
  4. Click Set Up next to Single sign-on (SSO).
  5. In Select SSO provider, choose Microsoft Azure AD.
  6. Enter your Azure Application (client) ID, Client Secret, and Directory (tenant) ID.
  7. Keep Scope as openid email profile.
  8. For Discovery Url, enter: 
    https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration
    Replace {TENANT_ID} with your directory (tenant) ID from the Azure portal.
  9. Click Enable SSO.
Base44 Single sign-on settings configured with Microsoft Azure AD as the SSO provider

GitHub

Use a GitHub OAuth app as your SSO provider. Create an OAuth app in GitHub Developer Settings, then connect it in Base44.
Before you set up SSO, you’ll need:
  • A GitHub OAuth app created in GitHub Developer Settings
  • The app’s authorization callback URL set to your redirect URI (see Step 1)
  • Client ID and client secret generated by GitHub for your OAuth app
Check out GitHub’s OAuth app guide
To set up GitHub SSO in Base44:
  1. In your app editor, click Dashboard.
  2. Click Settings.
  3. Click Authentication.
  4. Click Set Up next to Single sign-on (SSO).
  5. In Select SSO provider, choose GitHub.
  6. Enter your GitHub Client Id and Client Secret.
  7. Keep Scope as user:email.
  8. Keep the default Auth Endpoint, Token Endpoint, and Userinfo Endpoint values for GitHub.
  9. Click Enable SSO.
Base44 Single sign-on settings configured with GitHub as the SSO provider

Okta

Use Okta as your SSO provider. In your Okta Admin Console, create an OIDC Web application for your Base44 app, then add the credentials in Base44.
Before you set up SSO, you’ll need:
  • Okta client ID and client secret
  • Your Okta domain (e.g. your-company.okta.com)
  • Discovery URL from Okta issuer For example: https://your-company.okta.com/oauth2/default/.well-known/openid-configuration
  • Scopes including openid email profile
Check out Okta’s SSO for Native apps guide
To set up Okta SSO in Base44:
  1. In your app editor, click Dashboard.
  2. Click Settings.
  3. Click Authentication.
  4. Click Set Up next to Single sign-on (SSO).
  5. In Select SSO provider, choose Okta.
  6. Enter the following:
    • Client Id: Your Okta client ID.
    • Client Secret: Your Okta client secret.
    • Okta Domain: Your Okta domain (e.g.your-company.okta.com).
    • Scope: Keep openid email profile.
    • Discovery Url: Your Okta discovery URL.
  7. Click Enable SSO.
Base44 Single sign-on settings configured with Okta as the SSO provider

Advanced / Manual configuration

Use Advanced / Manual configuration to connect any OIDC-compatible identity provider that is not covered by the built-in options.
Before you set up SSO, you’ll need:
  • OIDC client credentials from your provider
  • Your app’s redirect URI (see Step 1)
  • Discovery URL or all OIDC endpoints from your provider
  • Required scopes (openid email profile or equivalent)
Check your provider’s documentation for details
To set up Advanced / Manual configuration in Base44:
  1. In your app editor, click Dashboard.
  2. Click Settings.
  3. Click Authentication.
  4. Click Set Up next to Single sign-on (SSO).
  5. In Select SSO provider, choose Advanced / Manual Configuration.
  6. Fill in the following fields using your provider’s values:
    • Name: A name for this SSO configuration (for example, Auth0, Keycloak, or your IdP name).
    • Client Id: Your OIDC client ID.
    • Client Secret: Your OIDC client secret.
    • Scope: Keep openid email profile.
    • Discovery Url: Your provider’s discovery URL, if available.
    • Auth Endpoint, Token Endpoint, Userinfo Endpoint, Jwks Uri: If you are not using a discovery URL, paste each endpoint from your provider’s documentation.
  7. Click Enable SSO.
Base44 Single sign-on settings panel configured with Advanced / Manual SSO

Step 3 | Test your SSO login

After setting up SSO, test that everything works as expected. To test your SSO login:
  1. Log out of your app if you are currently signed in.
  2. Go to your app’s login screen.
  3. Click Log in with SSO or select the provider you configured.
  4. Sign in using an email address from your approved domain.
You’ll be logged in automatically.

FAQs

Click a question to learn more about SSO.
No, SSO is optional. You can continue using your existing login method if it works for you. If you want your team to log in with Google, Microsoft, GitHub, or Okta, you can set up SSO and configure the provider you use.
A redirect URI tells your identity provider (like Google or Microsoft) where to send people after they log in. You enter it when you set up SSO in your provider’s dashboard. It should look like this:
https://app.base44.com/api/apps/{{APP_ID}}/auth/sso/callback
Make sure to replace {{APP_ID}} with your actual Base44 app ID.
A discovery URL tells Base44 how to connect to your identity provider. It helps Base44 automatically find the right endpoints and configuration values. You only need this for some providers.
  • For Google, you do not need to enter a discovery URL. Base44 handles it automatically.
  • For Microsoft (Azure / Entra ID) and Okta, your provider gives you a discovery URL. Copy it into the Discovery Url field in your Base44 SSO settings.
  • For GitHub, you can leave the discovery URL field blank.
If your provider gives you a discovery URL, paste it into the Discovery Url field in your Base44 SSO settings. If not, you can leave it empty.
Check the following:
  • Your redirect URI in Base44 exactly matches the one in your provider’s dashboard.
  • Your client ID, client secret, and, if used, Discovery Url are correct.
  • The scope is set as openid email profile in both your provider’s configuration and in Base44 (or an equivalent email scope).
If SSO fails after checking all fields, contact support with screenshots of your settings.
If Google still shows base44.com as the app name or badge, your custom Google project has not been fully approved yet. Once Google approves your project, your app’s own name or branding will appear instead of base44.com.
Finish setting up your custom SSO, publish your app, and submit your Google project for approval. After Google approves the project, your app name or branding will appear during sign-in instead of base44.com.
Many services support SSO or OAuth when working with enterprise or managed accounts, including: Langfuse, OpenAI, Anthropic, Mongo, Mixpanel, Mintlify, SendGrid, FeatureBase, Cloudflare, Logfire, GitHub, GCP, Render, AWS, Deno, Gong, Appspot, DocuSign, and Modal.