Before “Sign in with Google” works, you need to register the app in Google Cloud Console and set three environment variables. The error “400: invalid_request – Missing required parameter: redirect_uri” means the app reached Google without a valid GOOGLE_CLIENT_ID or GOOGLE_REDIRECT_URI configured.
Step 1: Create a Google Cloud Project
Go to console.cloud.google.com.
If you don’t have a project yet:
- Click the project dropdown at the top → New Project
- Name it (e.g. WorkingAgents) → Create
Step 2: Enable the Google Identity API
In the left menu: APIs & Services → Library
Search for “Google Identity” or “People API” → click it → Enable
You also need the OAuth consent screen configured before you can create credentials.
Step 3: Configure the OAuth Consent Screen
APIs & Services → OAuth consent screen
- User type: External (unless you have a Google Workspace org – then choose Internal)
- App name: WorkingAgents
- User support email: your email
- Developer contact email: your email
- Scopes: click Add or Remove Scopes → add:
  - .../auth/userinfo.email
  - .../auth/userinfo.profile
  - openid
- Save and continue through the remaining steps
If User Type is External and the app is not published, only test users can sign in. Add your email under Test users to test before publishing.
Step 4: Create OAuth 2.0 Credentials
APIs & Services → Credentials → Create Credentials → OAuth 2.0 Client ID
- Application type: Web application
- Name: WorkingAgents (or any label)
- Authorized redirect URIs: add your callback URL:
https://your-domain.com/auth/google/callback
For local development:
https://localhost:8443/auth/google/callback
Click Create. Google shows you the Client ID and Client Secret – copy both now. The secret is only shown once (you can regenerate it later).
Step 5: Set Environment Variables
On your server, add three env vars:
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GOOGLE_REDIRECT_URI=https://your-domain.com/auth/google/callback
The GOOGLE_REDIRECT_URI must match exactly what you registered in step 4 – same scheme, domain, port, and path. A mismatch is the most common cause of redirect_uri_mismatch errors.
Restart the server after setting the vars.
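A pre-flight check for the three variables and the exact-match rule above, as an added example that is not part of the original guide. The function names are hypothetical, and the list of registered URIs is an assumption: it is copied by hand from step 4, not fetched from Google.

```python
import os
from urllib.parse import urlsplit

REQUIRED = ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GOOGLE_REDIRECT_URI")

def uri_diff(configured, registered):
    """Name the URI components that differ between two redirect URIs."""
    a, b = urlsplit(configured), urlsplit(registered)
    parts = {
        "scheme": (a.scheme, b.scheme),
        "domain": (a.hostname, b.hostname),
        "port": (a.port, b.port),
        "path": (a.path, b.path),
    }
    return [f"{name}: {x!r} != {y!r}" for name, (x, y) in parts.items() if x != y]

def check_oauth_env(env, registered_uris):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name, "").strip()]
    client_id = env.get("GOOGLE_CLIENT_ID", "")
    if client_id and not client_id.endswith(".apps.googleusercontent.com"):
        problems.append("GOOGLE_CLIENT_ID does not end in .apps.googleusercontent.com")
    redirect = env.get("GOOGLE_REDIRECT_URI", "")
    if redirect and redirect not in registered_uris:
        # Exact string comparison, following the "must match exactly" rule above;
        # report the differences against the closest registered URI.
        closest = min(registered_uris, key=lambda r: len(uri_diff(redirect, r)), default=None)
        detail = "; ".join(uri_diff(redirect, closest)) if closest else "no URIs registered"
        problems.append(f"redirect_uri_mismatch: {detail or 'differs outside scheme/domain/port/path'}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the callback URLs registered in step 4 of this guide.
    registered = ["https://your-domain.com/auth/google/callback",
                  "https://localhost:8443/auth/google/callback"]
    # The secret is only checked for presence and is never printed.
    for problem in check_oauth_env(os.environ, registered) or ["OK"]:
        print(problem)
```

Run it in the same environment the server starts from, so it sees the variables the server will see.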
Step 6: Test
Navigate to your login page. Click Sign in with Google. You should be redirected to Google’s consent screen.
If you see a warning “Google hasn’t verified this app” – that’s expected while the app is in test mode. Click Continue.
Common Errors
| Error | Cause | Fix |
|---|---|---|
| Missing required parameter: redirect_uri | GOOGLE_CLIENT_ID or GOOGLE_REDIRECT_URI not set | Set env vars, restart server |
| redirect_uri_mismatch | Redirect URI in env var doesn’t match what’s registered in Google Console | Make them identical |
| access_denied | User clicked Cancel, or test user not added | Add email to test users in consent screen |
| invalid_client | Wrong GOOGLE_CLIENT_SECRET | Regenerate secret in Google Console |
Publishing the App
While in test mode, only users listed under Test users can sign in. To open it to everyone:
OAuth consent screen → Publish App
Google may ask for verification if the app requests sensitive scopes. The three scopes used here (openid, email, profile) are non-sensitive and do not require verification.