OAuth in production

Checklist for Sign in with X on a public host (e.g. liveandletdev.com).

X Developer Portal

  1. Create or use an existing OAuth 2.0 app with user context.

  2. Set Callback URL exactly to your API callback:

    • https://liveandletdev.com/api/auth/x/callback

  3. Enable the scopes the app requests (read timeline, user profile); the selection must match the scope list in server/oauth/.

  4. Copy Client ID and Client Secret into server .env.

Server .env

X_CLIENT_ID=...
X_CLIENT_SECRET=...
X_REDIRECT_URI=https://liveandletdev.com/api/auth/x/callback
FRONTEND_URL=https://liveandletdev.com
IFIXEDX_SESSION_SECRET=<long random string, at least 16 characters>
NODE_ENV=production

IFIXEDX_SESSION_SECRET is mandatory in production: without it the callback handler cannot sign the ix_session cookie, so no session is ever established.

Reverse proxy

  • TLS terminates at nginx; API routes under /api/ proxy to Node.

  • The session cookie is set with the Secure flag, so browsers only send it over HTTPS; plain-HTTP access to the app will never carry a session.

Verify

  1. Open https://liveandletdev.com/?page=account

  2. Sign in with X → approve on X → return to app

  3. GET /api/auth/me returns signedIn: true

  4. On Home, set Timeline source to Live X; refresh loads the timeline.

Common failures

  Symptom                     Fix
  --------------------------  -----------------------------------------------------------------------
  Redirect mismatch           X_REDIRECT_URI must match the portal Callback URL character-for-character
  Sign-in loops / no session  Set IFIXEDX_SESSION_SECRET; restart the API
  Live timeline 401           User revoked the app or the session expired; sign in again
  Cookie not sent             Frontend and API must be served from the same site host, and the
                              frontend must call the API with credentials: include