Skip to main content
Self-hosted instances connect OAuth apps with your own credentials: you create an OAuth app with each provider, and OneCLI uses its client ID and secret. There are two ways to supply them:
  • Dashboard: enter the credentials when connecting the app. Values saved in the dashboard take precedence.
  • Environment variables: set the variables below on the container, and the app is ready to connect the moment the instance starts. This is the way to bake app configuration into your deployment.
Whichever way you configure an app, register its OAuth callback URL with the provider:
{APP_URL}/v1/apps/{provider}/callback
For example, https://onecli.internal.example.com/v1/apps/dropbox/callback. Per-provider setup is covered in the integration guides.

Available in both editions

AppProvider IDEnvironment variables
GitHubgithubGITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET
GitHub Appgithub-appGITHUB_APP_ID, GITHUB_APP_SLUG, GITHUB_APP_PRIVATE_KEY
GmailgmailGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
Google Calendargoogle-calendarGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
Google Drivegoogle-driveGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
Google Search Consolegoogle-search-consoleGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
YouTubeyoutubeGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET
JirajiraATLASSIAN_CLIENT_ID, ATLASSIAN_CLIENT_SECRET
ConfluenceconfluenceATLASSIAN_CLIENT_ID, ATLASSIAN_CLIENT_SECRET
DropboxdropboxDROPBOX_CLIENT_ID, DROPBOX_CLIENT_SECRET
LinkedInlinkedinLINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET
Monday.commondayMONDAY_CLIENT_ID, MONDAY_CLIENT_SECRET
NotionnotionNOTION_CLIENT_ID, NOTION_CLIENT_SECRET
SupabasesupabaseSUPABASE_CLIENT_ID, SUPABASE_CLIENT_SECRET
TodoisttodoistTODOIST_CLIENT_ID, TODOIST_CLIENT_SECRET
TrellotrelloTRELLO_API_KEY, TRELLO_API_SECRET
One Google OAuth app serves all the Google integrations, and one Atlassian app serves Jira and Confluence. The same GOOGLE_* and ATLASSIAN_* values apply across their rows.

Enterprise edition only

These apps ship with the Enterprise all-in-one image:
AppProvider IDEnvironment variables
AttioattioATTIO_CLIENT_ID, ATTIO_CLIENT_SECRET
FathomfathomFATHOM_CLIENT_ID, FATHOM_CLIENT_SECRET
HubSpothubspotHUBSPOT_CLIENT_ID, HUBSPOT_CLIENT_SECRET
LinearlinearLINEAR_CLIENT_ID, LINEAR_CLIENT_SECRET
Microsoft OneNotemicrosoft-onenoteMICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET
Microsoft Wordmicrosoft-wordMICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET
Outlook Calendaroutlook-calendarMICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET
Outlook Mailoutlook-mailMICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET
SentrysentrySENTRY_CLIENT_ID, SENTRY_CLIENT_SECRET
SlackslackSLACK_CLIENT_ID, SLACK_CLIENT_SECRET
ZoomzoomZOOM_CLIENT_ID, ZOOM_CLIENT_SECRET
One Microsoft Entra app registration serves all four Microsoft integrations; the same MICROSOFT_* values apply across their rows.

Dashboard configuration only

These OAuth apps don’t read environment variables yet. Enter their credentials in the dashboard when connecting:
  • Google Docs, Google Sheets, Google Slides, Google Forms, Google Meet, Google Photos, Google Tasks, Google Admin, Google Analytics, Google Classroom, Google Chat, Google Contacts
  • GitLab
  • X (Twitter)

No deploy-time credentials

Apps that authenticate with per-connection API keys, tokens, or roles need no app-level configuration. Users supply their credential when connecting in the dashboard: AWS, Cloudflare, Datadog, Fly.io, MongoDB Atlas, Resend, Vertex AI, and on Enterprise also Affinity and Granola.

Example

A slim deployment with Dropbox and the Google apps pre-configured adds the variables to the compose environment:
docker-compose.yml
  onecli:
    image: onecli/slim:latest
    environment:
      DATABASE_URL: postgresql://onecli:${POSTGRES_PASSWORD}@postgres:5432/onecli
      APP_URL: https://onecli.internal.example.com
      ONECLI_ORG_API_KEY: ${ONECLI_ORG_API_KEY}
      DROPBOX_CLIENT_ID: ${DROPBOX_CLIENT_ID}
      DROPBOX_CLIENT_SECRET: ${DROPBOX_CLIENT_SECRET}
      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}