Authentication in Oxy For operators. Authentication is configured by the person who deploys and administers the Oxy server. End users sign in through the web UI — they do not need to read this section.
Oxy supports several authentication methods that can be enabled individually or combined. All methods are configured entirely through environment variables — no config files required.
Available Methods
Magic Link Passwordless email sign-in via one-time links delivered through Amazon SES.
No passwords to manage.
Google OAuth Social login with Google accounts. One-click sign-in for users.
Okta OAuth Enterprise SSO integration with Okta Identity Cloud.
API Keys Programmatic access for automation and integrations.
Quick Configuration # Magic link (passwordless email) export MAGIC_LINK_FROM_EMAIL = noreply @ yourcompany . com export AWS_REGION = us-east-1 # Google OAuth export GOOGLE_CLIENT_ID = your_client_id . apps . googleusercontent . com export GOOGLE_CLIENT_SECRET = your_client_secret # Okta OAuth export OKTA_CLIENT_ID = your_okta_client_id export OKTA_CLIENT_SECRET = your_okta_client_secret export OKTA_DOMAIN = your-domain . okta . com oxy serve
Comparison Method Setup Best For Magic Link 🟡 Medium (AWS SES) Passwordless access, all team sizes Google OAuth 🟡 Medium Social login, zero password management Okta OAuth 🟡 Medium Enterprise SSO, existing Okta deployments
Multiple Methods You can enable multiple methods simultaneously. Users will see all available sign-in options and choose their preferred one.
Local Development (No Cloud Required) For local development without any cloud accounts, use magic link’s browser mode:
export MAGIC_LINK_LOCAL_TEST = 1 oxy serve
Sign-in emails open directly in your browser instead of being sent via SES.
See the Magic Link guide for details. 
