Create the Google OAuth client

One client backs every Auth0 tenant. Do this once.

  1. Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
  2. Application type: Web application.
  3. Authorized redirect URI — add exactly this one value: 
    https://accounts.google.com.connectors.demo.a0.gg/callback
  4. Configure the OAuth consent screen: app name, support email, and the a0.gg homepage + privacy policy (see Production).
  5. Copy the client id/secret into Worker secrets: 
    wrangler secret put GOOGLE_CLIENT_ID
wrangler secret put GOOGLE_CLIENT_SECRET

Google only ever sees the single redirect URI above; the gateway fans logins out to each Auth0 tenant after the fact.