Open Viewer
GuideCanvasAgents & MCPAPI Reference
Guide

Enable auth

Gate the site and the MCP with Auth.js v5 + Google SSO — optional, off by default, self-disabling without config.

superlore ships pluggable, optional auth — Auth.js v5 with Google SSO out of the box. It is off by default: with no AUTH_GOOGLE_ID set, every request passes through, so local dev and fully public deploys need no configuration at all. Turn it on with environment variables — no code change to flip it.

The MCP inherits the site's policy

Auth is enforced in proxy.ts (Next.js 16's middleware), which sits in front of every route — including /api/mcp. So gating the site automatically gates the agent surface; the two can never drift out of sync.

Environment variables

Auth env
VariableRequiredPurpose
AUTH_GOOGLE_IDto enableGoogle OAuth client id — its presence turns auth ON
AUTH_GOOGLE_SECRETto enableGoogle OAuth client secret
AUTH_SECRETyesSecret used to encrypt the session (JWT)
AUTH_URLyesThe deploy's canonical URL
AUTH_TRUST_HOSTyesSet to true behind a proxy / on Vercel
AUTH_ALLOWED_DOMAINnoWorkspace domain allowed to sign in, e.g. example.com
AUTH_ALLOWED_EMAILSnoComma-separated email allowlist that bypasses the domain check
LOCALnoSet to true to force auth OFF locally even when configured

With no AUTH_ALLOWED_DOMAIN, any Google account can sign in. Set it to your workspace domain to restrict sign-in to that org; AUTH_ALLOWED_EMAILS lets specific addresses in regardless.

Wire it up

Build the auth instance

createSuperloreAuth returns the Auth.js v5 handlers. Domain / email allowlists can come from env or be passed explicitly:

// auth.ts
import { createSuperloreAuth } from "superlore/auth";

export const { handlers, auth, signIn, signOut } = createSuperloreAuth({
  allowedDomain: process.env.AUTH_ALLOWED_DOMAIN, // optional
  // allowedEmails: ["you@example.com"],          // optional
});

Expose the Auth.js route

// app/api/auth/[...nextauth]/route.ts
import { handlers } from "@/auth";
export const { GET, POST } = handlers;

Gate every route with proxy.ts

createAuthProxy builds the Next 16 proxy.ts default export. It is self-disabling — with no AUTH_GOOGLE_ID (or LOCAL=true) it passes everything through:

// proxy.ts
import { auth } from "@/auth";
import { createAuthProxy } from "superlore/auth";

export default createAuthProxy(auth);

export const config = {
  // Run on everything except static assets (the helper also skips the auth dance + icons).
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
};

This is Next.js 16

Middleware is proxy.ts (not middleware.ts), and request APIs like cookies() / headers() are async. superlore's helpers are written for 16 — don't port a 15-era snippet.

How the gate behaves

Off by default
No AUTH_GOOGLE_ID → createAuthProxy passes every request through. Public deploys need nothing.
Redirect to sign-in
An unauthenticated request to a gated path is redirected to /auth/signin with a callbackUrl.
Domain + email allowlists
Restrict to a workspace domain, or allow specific emails through, all via env.
MCP inherits it
Because the gate is in proxy.ts, /api/mcp is protected by the same policy as the site.

Public on purpose

This docs deploy ships no AUTH_GOOGLE_ID, so it's open — anyone can read it and connect an agent to the MCP. Your own KB can stay public, gate just the MCP, or gate everything, with the same code and a few env vars.

Frontmatter

The typed frontmatter contract every superlore page carries — title, icon, description, summary, tags — and what each field powers.

Add it to an existing app

Wire superlore into an app you already have — install the package, import the theme, register the components, define the content source, and mount the MCP. Every import comes from superlore.

On this page

Environment variables
Wire it up
How the gate behaves
Built withsuperlore