These features require Hercules Auth 2.0. Apps created before Hercules Auth 2.0 shipped need to
upgrade to use them.
How do I customize Auth Portal logo, colors, and appearance?
Go to Branding → Customize Auth Portal. You customize the Auth Portal’s colors, logo, terms and conditions, privacy policy and more. Learn more here.How do I customize login options?
Go to Branding → Customize Auth Portal in the sidebar to enable specific login methods for your users| Method | Default | Description |
|---|---|---|
| On | Sign in with a Google account | |
| Apple | On | Sign in with an Apple ID |
| Microsoft | On | Sign in with a Microsoft account (personal or work) |
| Email OTP | On | Sign in with a one-time code sent to email |
| Off | Sign in with a LinkedIn account |
How do I customize the Auth Portal’s domain?
By default, the Auth Portal uses a Hercules-managed domain (e.g.yourapp.hercules-auth.com). You can change this to auth.yourdomain.com so your users see your domain during sign-in. Configuration depends on how you connect your domain to your Hercules app.
| Domain setup | What to do |
|---|---|
| Purchased through Hercules | Nothing. auth.yourdomain.com is configured automatically. |
| 3rd party domain | After connecting your domain in Domains, click Enable auth portal on the domain. Hercules creates the auth domain and shows you the DNS records to add: a CNAME on auth pointing to the target shown in your dashboard. |
- SSL is provisioned automatically
- To use a subdomain other than
auth, contact hello@hercules.app - If users see a red “Deceptive site ahead” or “Dangerous site” warning when visiting
auth.yourdomain.com, the flag typically originates from your apex domain. See Google Safe Browsing warnings on your domain
How do I customize the email OTP email?
Go to Branding & SEO → Customize Auth Portal to customize the one-time passcode email your users receive when signing in with email:| Field | Description |
|---|---|
| Login Code Email Sender | Send from your own domain instead of hello@notifications.hercules.app. Configure a sender identity in Hercules Email first, then pick it here. |
| From Address | The local part before @yourdomain.com (for example, noreply or auth). Shown only when you select a domain identity. |
| Email Subject | The subject line of the OTP email. |
| App Name | The name used inside the email body. |
| Email Footer | A custom signature at the bottom of the email. |
How do I customize OAuth branding?
By default, your users see “Hercules” on the OAuth consent screen during social login. Use custom credentials to show your brand name, privacy policy, and terms of service instead. Go to Branding & SEO → Customize Auth Portal → Login Options, select a provider, and enter your OAuth credentials. After saving, Hercules gives you a Callback URL to add to your provider’s developer console. See provider-specific guides below.Google setup
Google setup
Create a Google Cloud project
Go to the Google Cloud Console. Create a new project or select an existing one.
Configure the OAuth consent screen
Go to APIs & Services → OAuth consent screen.
- Set the User Type to External (unless you are restricting to a Google Workspace organization)
- Fill in the App name, User support email, and Developer contact email
- Add your logo, privacy policy URL, and terms of service URL
- Under Scopes, add
openid,email, andprofile - Save
Google OAuth apps start in “Testing” status with a 100-user limit. To remove this limit, click Publish App and complete Google’s verification process. This can take several days.
Create OAuth credentials
Go to APIs & Services → Credentials → Create Credentials → OAuth client ID.
- Set Application type to Web application
- Under Authorized redirect URIs, add the Callback URL shown in Hercules (you can come back to this step after saving in Hercules)
- Click Create
- Copy the Client ID and Client Secret
Enter credentials in Hercules
Go to your app’s Auth settings → Google → Custom Credentials.
- Paste the Client ID and Client Secret
- Click Save
- Copy the Callback URL shown after saving
Microsoft setup
Microsoft setup
Register an app in Microsoft Entra ID
Go to the Microsoft Entra admin center → Identity → App registrations → New registration.
- Set a Name for the app (your users will see this)
- Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts (this covers both work and personal accounts)
- Under Redirect URI, select Web and enter the Callback URL shown in Hercules (you can come back to this step after saving in Hercules)
- Click Register
Create a client secret
In your app registration, go to Certificates & secrets → New client secret.
- Add a description and choose an expiry period
- Click Add
- Copy the Value (this is your Client Secret, shown only once)
Apple setup
Apple setup
Apple Sign In requires more setup than other providers because Apple uses a private key instead of a simple client secret.
Create an App ID
Go to the Apple Developer portal → Certificates, Identifiers & Profiles → Identifiers → click +.
- Select App IDs → Continue
- Select App → Continue
- Enter a Description and a Bundle ID (e.g.
com.yourcompany.yourapp) - Under Capabilities, check Sign In with Apple
- Click Continue → Register
Create a Services ID
Go to Identifiers → click + → select Services IDs → Continue.
- Enter a Description (your users will see this on the Apple consent screen)
- Enter an Identifier (e.g.
com.yourcompany.yourapp.auth) - Click Continue → Register
- Check Sign In with Apple → click Configure
- Under Domains and Subdomains, add the domain shown in the Hercules Callback URL (for example,
hercules-auth.com) - Under Return URLs, add the full Callback URL from Hercules
- Click Save → Continue → Save
Create a private key
Go to Keys → click +.
- Enter a Key Name
- Check Sign In with Apple → click Configure
- Select the App ID you created in Step 1
- Click Save → Continue → Register
- Download the
.p8key file. Store it securely. Apple only lets you download it once. - Note the Key ID shown on this page
Find your Team ID
Go to Membership details in the Apple Developer portal. Copy your Team ID (a 10-character string).
Enter credentials in Hercules
Go to your app’s Auth settings → Apple → Custom Credentials.
- Client ID: Enter the Identifier of your Services ID (from Step 2, e.g.
com.yourcompany.yourapp.auth) - Team ID: Paste your Team ID
- Key ID: Paste the Key ID from Step 3
- Private Key: Open the
.p8file in a text editor and paste the entire contents, including the-----BEGIN PRIVATE KEY-----and-----END PRIVATE KEY-----lines - Click Save
LinkedIn setup
LinkedIn setup
Create a LinkedIn app
Go to the LinkedIn Developer Portal → Create App.
- Enter an App name, LinkedIn Page, and Logo
- Accept the terms and click Create app
Add the Sign In with LinkedIn product
In your app’s Products tab, find Sign In with LinkedIn using OpenID Connect and click Request access.
Configure OAuth redirect
Go to the Auth tab.
- Under Authorized redirect URLs for your app, add the Callback URL from Hercules
- Copy the Client ID and Client Secret
- If you remove custom credentials, Hercules automatically falls back to its own managed credentials. Social login continues to work. Your users will see “Hercules” on the consent screen again.
- Custom OAuth credentials are available on the Business plan
Can I bring my own auth provider?
Currently, Hercules apps only support Hercules Auth. Authentication is a fragile part of building software. If auth breaks, your entire app can break. We prioritize making Hercules Auth a stable, well-supported, secure, and robust auth system. We are working on supporting custom auth providers in the future.Additional FAQ
I don't see these options in my dashboard
I don't see these options in my dashboard
Your app likely uses the previous Hercules Auth.
Upgrade to Hercules Auth 2.0 to unlock provider
toggles, your own developer accounts, custom auth domain, and email customization.
What's the difference between users and auth?
What's the difference between users and auth?
Auth is how your users prove their identity (sign in / sign up). Users is where you manage
the people who have signed up for your app, including their roles, permissions, and account
status. Configure auth options here; manage your user base in the Users, Roles &
Permissions tab.
Can I block disposable email addresses from signing up?
Can I block disposable email addresses from signing up?
Yes. Hercules Auth blocks throwaway and temporary email addresses (like Mailinator, Guerrilla
Mail, etc.) by default. This prevents spam signups. This applies to all email-based login methods
(email OTP, email + password, and social providers that return a disposable email).
Can I embed auth directly in my app?
Can I embed auth directly in my app?
Not currently. Hercules Auth works by redirecting to a Hercules-hosted Auth Portal. We are working
on allowing in-app authentication flows in the near future.
Do my users need to re-register when I change login methods?
Do my users need to re-register when I change login methods?
No. Existing users can sign in with any enabled method that matches their email address. If a user signed up with Google and you later enable Apple, they can sign in with Apple using the same email and both accounts are automatically linked.