Overview

Spur uses Supabase Auth as its authentication provider, which enables secure OAuth 2.0-based SSO. Users can sign in to Spur using their existing Google Workspace credentials — no separate Spur password required.

How SSO Works in Spur

Spur’s SSO uses the OAuth 2.0 / OpenID Connect (OIDC) protocol — the modern industry standard for federated authentication. Here’s the flow when a user signs in:
  1. Initiate sign-in: The user clicks Sign in with Google on the Spur login page.
  2. Redirect to Google: Spur redirects to Google’s authentication endpoint.
  3. Authenticate: The user authenticates with their Google credentials (and MFA, if configured by your organization).
  4. Token exchange: Google returns a secure token to Spur confirming the user’s identity.
  5. Session created: Spur creates or resumes the user’s session. No Spur-specific password is ever set or stored.

What Spur Supports

Item | Details
Protocol | OAuth 2.0 / OpenID Connect (OIDC)
Identity Provider | Google Workspace
Account types | Google Workspace accounts (organizational). Personal Gmail accounts are not supported — this is enforced by configuring the OAuth app’s user type to Internal in the Google Cloud Console.
User provisioning | Just-in-time — a Spur account is automatically created on first successful SSO login
MFA enforcement | Honored — if your Google Workspace requires MFA, it will be enforced before Spur grants access
Scopes requested | openid, email, profile (read-only identity data only)

Current Limitations

The following are not supported at this time. If any of these are requirements for your organization, please reach out to discuss your use case.
  • SAML 2.0 — Spur uses OAuth 2.0/OIDC only, not SAML.

What Your Organization Needs to Do

For most organizations, no setup is required. Users can sign in with their Google Workspace account immediately.

If Your Organization Restricts Third-Party App Access

Some organizations configure Google Workspace to restrict which third-party apps users can sign into. If this applies to your organization, a Google Workspace admin will need to:
  1. Open the Admin Console: Navigate to the Google Admin Console > Security > Access and data control > API controls.
  2. Manage Third-Party App Access: Click Manage Third-Party App Access and find or add the Spur application.
  3. Grant access: Set the app to Limited so that users in your organization can sign in without individual approval. This allows the app to request access to unrestricted Google data only, which is sufficient for SSO.
This is a one-time action that unblocks all users in your organization without each person needing to consent individually.

Restricting Access to Specific Users or Groups

If you want to limit which employees in your organization can access Spur via SSO, a Google Workspace admin can:
  1. In the Google Admin Console, navigate to the Spur app under API controls.
  2. Restrict the app to specific organizational units (OUs) or groups.
Without this configuration, any user in your Google Workspace organization can sign into Spur.

Data & Security

Spur requests the minimum necessary permissions to authenticate your users. Spur does not request access to Gmail, Google Drive, Calendar, or any other Google Workspace data.

Scopes Spur Requests from Google

  • openid — Required to use OpenID Connect for authentication
  • email — The user’s email address, used as their Spur account identifier
  • profile — Basic profile info (name), used to populate the user’s Spur profile
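
A Workspace admin can check the scope list above against the actual sign-in request. The following is an added example, not Spur's or Supabase's code: it parses an authorization URL copied from the browser during Sign in with Google and reports any scope beyond openid, email and profile. The sample URLs, client ID and redirect URI are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes this page says Spur requests (read-only identity data).
EXPECTED = {"openid", "email", "profile"}
# Long-form scope URLs that Google treats as the same email/profile scopes.
ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}
GOOGLE_AUTH_HOST = "accounts.google.com"


def normalize_scopes(scope_value):
    """Split a space-delimited scope string and map aliases to short names."""
    return {ALIASES.get(s, s) for s in scope_value.split()}


def audit_authorization_url(url):
    """Audit one captured authorization request; returns a dict of results."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("scope", [])
    # A missing or repeated scope parameter is ambiguous, so it fails the audit.
    well_formed = len(values) == 1
    requested = normalize_scopes(values[0]) if well_formed else set()
    unexpected = sorted(requested - EXPECTED)
    return {
        "endpoint_ok": parts.scheme == "https" and parts.hostname == GOOGLE_AUTH_HOST,
        "requested": sorted(requested),
        "unexpected": unexpected,
        "identity_only": well_formed and bool(requested) and not unexpected,
    }


# Constructed sample requests (client_id and redirect_uri are placeholders).
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID"
        "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback")
SAMPLE_OK = BASE + ("&scope=openid+email+"
                    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile")
SAMPLE_WIDE = BASE + ("&scope=openid%20email%20profile%20"
                      "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly")

if __name__ == "__main__":
    for name, url in (("ok", SAMPLE_OK), ("wide", SAMPLE_WIDE)):
        print(name, audit_authorization_url(url))
```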

Questions?

If you have questions about SSO configuration, compliance requirements, or want to discuss your organization’s specific setup, please contact your Spur account representative.

Contact Us

Reach out to the Spur team for SSO support.