Skip to content

Getting Started

This guide covers everything that’s shared across providers: installing the package, wiring it into your Django project, and turning on JWT auth. Each OAuth provider then gets its own short guide for credentials, settings, and endpoints - so once you’ve finished this page, jump to the provider you actually want.

RequirementVersion
Python3.12+
Django5.0+
Django REST Framework3.15+

Installing the package pulls in djangorestframework-simplejwt, google-auth, and requests automatically. You don’t need to add them yourself.

Terminal window
pip install django-social-auth-rest

Let’s wire up django-social-auth-rest in your Django project. The steps below are the same for every provider - you only need to configure the provider-specific credentials and URLs once you’ve finished this section.

  1. Register the app.

    # settings.py
    INSTALLED_APPS = [
    # ...
    "rest_framework",
    "django_social_auth_rest",
    ]
  2. Switch DRF to JWT authentication.

    # settings.py
    REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": (
    "rest_framework_simplejwt.authentication.JWTAuthentication",
    ),
    }

    If your project already authenticates with djangorestframework-simplejwt, you can skip this - every login, link, and signup call from this package returns standard SimpleJWT tokens.

  3. Tune token lifetimes

    # settings.py
    from datetime import timedelta
    SIMPLE_JWT = {
    "AUTH_HEADER_TYPES": ("Bearer",),
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=60),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    "ROTATE_REFRESH_TOKENS": True,
    "BLACKLIST_AFTER_ROTATION": True,
    }

    These are SimpleJWT defaults, not package-specific settings - shown here because most projects end up setting them anyway.

  4. Set a real state-signing salt.

    # settings.py
    SOCIAL_AUTH_STATE_SALT = "a-long-random-secret-value"
  5. Run migrations.

    Terminal window
    python manage.py migrate

A provider only becomes active once its credentials are present in settings - there’s nothing to comment out, and no dead endpoints to guard against if you skip one.

# settings.py
# GitHub (requires both values)
GITHUB_CLIENT_ID = "your-github-client-id"
GITHUB_CLIENT_SECRET = "your-github-client-secret"
# Google (requires only the client ID)
GOOGLE_CLIENT_ID = "your-google-client-id"
# ...add more providers as you enable them

Include the base module plus one module per provider you’re using:

# urls.py
from django.urls import path, include
urlpatterns = [
path("api/social-auth/", include("django_social_auth_rest.urls")),
path("api/social-auth/", include("django_social_auth_rest.urls.github")),
path("api/social-auth/", include("django_social_auth_rest.urls.google")),
# ... add more provider modules as you enable them
]

The base module (django_social_auth_rest.urls) is always required - it exposes linked-accounts, which works regardless of which providers you’ve enabled. The provider-specific modules are only needed for providers you’ve actually configured.

Nothing stops a normal username/password signup from reusing an email that’s already tied to a linked social account - that’s a gap in your signup flow, not this package’s, since it doesn’t control how you create users. If your app has its own signup endpoint, check against SocialAccountLinked before creating the user:

class SignupSerializer(serializers.Serializer):
# ...
def validate(self, attrs):
attrs = super().validate(attrs)
email = attrs.get("email", "").strip().lower()
if SocialAccountLinked.objects.filter(email_linked=email).exists():
raise serializers.ValidationError(
{"email": ["An account already exists for this email."]}
)
return attrs

These all have sensible defaults - most projects never touch them.

SettingDefaultWhat it does
SOCIAL_AUTH_THROTTLE_RATE"10/minute"Request rate limit applied to every auth endpoint
SOCIAL_AUTH_STATE_MAX_AGE300Seconds before a state token expires
SOCIAL_AUTH_USER_DELETED_FIELDNoneBoolean field on your user model marking soft-deleted accounts
# settings.py
SOCIAL_AUTH_THROTTLE_RATE = "20/minute"

Rate limit applied to all authentication endpoints exposed by django-social-auth-rest.

The value uses Django REST Framework throttle rate syntax:

  • "10/minute"
  • "100/hour"
  • "1000/day"

Most projects can keep the default value.

Default: "10/minute"

django-social-auth-rest provides more than just login and account linking endpoints.

The package also emits Django signals that let you react to authentication events throughout your application. Common use cases include:

  • Creating user profiles automatically
  • Sending welcome emails
  • Tracking signups and logins for analytics
  • Awarding onboarding rewards
  • Syncing user data with external services

Available signals:

SignalTriggered when
new_user_registeredA new user account is created through social authentication
login_successfulA user successfully signs in with a social provider
link_account_successfulA social account is linked to an existing user
unlink_account_successfulA linked social account is removed from a user

See the Signals Reference for usage examples and available signal payloads.