Introduction
Shoo is a minimal auth broker for Google sign-in
What is Shoo?
Shoo handles Google OAuth + PKCE and gives your app a domain-scoped identity (pairwise_sub) and a signed id_token.
No client signup. No unnecessary scopes. Just identity.
Key ideas
- Zero configuration —
client_idis auto-derived from your redirect origin. No dashboard, no registration step. - PKCE on every flow — S256 code challenges prevent token interception, even in browser-only apps.
- Pairwise subject — each origin gets a unique, stable user identifier. Users can't be correlated across apps.
- ES256 signed tokens — verify with standard JWKS. No Shoo SDK needed on your server.
- Optional PII — request
email,name,pictureonly when you need them. Users see a consent screen.
Install
bun add @shoojs/reactOr use the hosted script with zero dependencies:
<script src="https://shoo.dev/shoo.js"></script>Packages
| Package | Description |
|---|---|
@shoojs/auth | Vanilla browser client (framework-agnostic) |
@shoojs/react | React hook + Convex adapter |
Next steps
- Getting Started (React) — add auth to a React app in under 5 minutes
- Getting Started (Vanilla JS) — a single script tag, no bundler
- Server Verification — always verify tokens server-side
- How It Works — understand the PKCE flow and pairwise subjects
- Use with Convex — authenticate Convex queries and mutations