# Auth



## Google Auth

This section describes how Plash Auth implements Google Auth on the
client side.

Please see the [how to](how_to/auth.html) for instructions on how to use
it.

### Redirect route

<details open class="code-fold">
<summary>Exported source</summary>

``` python
signin_completed_rt = "/signin_completed"
```

</details>

The signin completion route is where Plash Auth redirects users after
authentication. Your app needs to add this route to complete the login.

------------------------------------------------------------------------

<a
href="https://github.com/AnswerDotAI/plash_cli/blob/main/plash_cli/auth.py#L30"
target="_blank" style="float:right; font-size:smaller">source</a>

### mk_signin_url

``` python

def mk_signin_url(
    session:dict, # Session dictionary
    email_re:str=None, # Regex filter for allowed email addresses
    hd_re:str=None, # Regex filter for allowed Google hosted domains
):

```

*Generate a Google Sign-In URL for Plash authentication.*

[`mk_signin_url`](https://AnswerDotAI.github.io/plash_cli/auth.html#mk_signin_url)
is the function your app calls to create a Google signin URL for the
user.

In development mode, it returns a mock URL to make testing easier.

In production, it calls the Plash Auth service and stores the request ID
in the session for later verification.

After Google authentication, Plash sends back a JSON Web Token (JWT)
containing the user’s information. This function decodes and validates
that token using the ES256 public key. If anything goes wrong with the
JWT, it returns error details instead of crashing.

<div>

> **Note**
>
> A JWT does not mean the message is encrypted. It ensures data
> integrity and authenticity, protecting against tampering and forgery.
> We use JWTs so your app can trust that the sign-in information
> and user details it receives after authentication really come from
> Plash (and by extension, Google), and have not been modified by an
> attacker.

</div>

------------------------------------------------------------------------

<a
href="https://github.com/AnswerDotAI/plash_cli/blob/main/plash_cli/auth.py#L48"
target="_blank" style="float:right; font-size:smaller">source</a>

### PlashAuthError

``` python

def PlashAuthError(
    *args, **kwargs
):

```

*Raised when Plash authentication fails*

[`PlashAuthError`](https://AnswerDotAI.github.io/plash_cli/auth.html#plashautherror)
is a custom exception for when authentication fails. This makes it
easier for your app to handle auth errors specifically.

Please see the [auth
example](https://github.com/AnswerDotAI/plash_cli/blob/main/examples/auth/main.py)
for an example of how to catch this exception in your application.

------------------------------------------------------------------------

<a
href="https://github.com/AnswerDotAI/plash_cli/blob/main/plash_cli/auth.py#L53"
target="_blank" style="float:right; font-size:smaller">source</a>

### goog_id_from_signin_reply

``` python

def goog_id_from_signin_reply(
    session:dict, # Session dictionary containing 'req_id'
    reply:str, # The JWT reply string from Plash after Google authentication
):

```

*Validate Google sign-in reply and return Google user ID if valid.*

[`goog_id_from_signin_reply`](https://AnswerDotAI.github.io/plash_cli/auth.html#goog_id_from_signin_reply)
is the function your app calls in the signin completion route. It
verifies that the JWT reply matches the original request (preventing
CSRF attacks), checks for any authentication errors, and returns the
user’s Google ID if everything is valid.

When testing locally this will always return the mock Google ID
`'424242424242424242424'`.
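
The checks described above, as an added example (not Plash's code and not part of `plash_cli`): a stdlib-only ES256 verifier that rejects a reply unless the signature verifies and the request ID in the token matches the one stored in the session. The claim names `req_id`, `sub` and `err`, the function names, and the key pair are assumptions constructed for the example; ECDSA is written out by hand only so the block runs without dependencies.

```python
import base64, hashlib, json

# NIST P-256 domain parameters (ES256 is ECDSA over P-256 with SHA-256).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    m = (3*x1*x1 - 3) * pow(2*y1, -1, P) if p == q else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (m*m - x1 - x2) % P
    return x3, (m*(x1 - x3) - y1) % P

def mul(k, p):  # recursive double-and-add: k*p = (k>>1)*(2p) + (k&1)*p
    return None if k == 0 else add(mul(k >> 1, add(p, p)), p if k & 1 else None)

def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def h256(b): return int.from_bytes(hashlib.sha256(b).digest(), "big")

def sign(priv, claims):  # stands in for the auth service; builds constructed sample tokens
    msg = b64e(b'{"alg":"ES256","typ":"JWT"}') + "." + b64e(json.dumps(claims).encode())
    k = h256(priv.to_bytes(32, "big") + msg.encode()) % N  # simplified nonce, not RFC 6979
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (h256(msg.encode()) + r * priv) % N
    return msg + "." + b64e(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def check_signin_reply(session, token, pub):  # -> (google_id, None) or (None, reason)
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "ES256": return None, "unsupported alg"
        raw = b64d(sig)
        r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
        if len(raw) != 64 or not (0 < r < N and 0 < s < N): return None, "bad signature"
        w = pow(s, -1, N)
        pt = add(mul(h256(f"{head}.{body}".encode()) * w % N, G), mul(r * w % N, pub))
        if pt is None or pt[0] % N != r: return None, "bad signature"
        claims = json.loads(b64d(body))  # parsed after verification; claim names are assumptions
        want = session.get("req_id")
        if not want or claims.get("req_id") != want: return None, "request mismatch"
        if claims.get("err"): return None, str(claims["err"])
        return claims.get("sub"), None
    except (ValueError, AttributeError):
        return None, "malformed token"

PRIV = h256(b"constructed demo key") % N  # constructed key pair, sample data only
PUB = mul(PRIV, G)
```

The `not want` test matters: without it, a session that never stored a request ID and a token with no `req_id` claim would compare equal. In an app, call `goog_id_from_signin_reply` rather than code like this.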

## Magic Link

Pla.sh provides a service where you can send magic links for sign-up or
login to your users for free.

------------------------------------------------------------------------

<a
href="https://github.com/AnswerDotAI/plash_cli/blob/main/plash_cli/auth.py#L63"
target="_blank" style="float:right; font-size:smaller">source</a>

### send_magiclink

``` python

def send_magiclink(
    email:str, # Email address to send magic link to
    url:str, # Magic link URL (must match app's domain)
):

```

*Send a magic link email to the given address via Plash Auth.*
