Account linking (Google / Facebook / X / LinkedIn)¶

Users can link their Little X Little account to one or more upstream identity providers. Once linked, signing in with that provider logs them straight into LXL — no password.

Supported providers¶

User-facing flow¶

The login page (/login) renders provider buttons automatically:

html <a href="/auth/google">Continue with Google</a> <a href="/auth/facebook">Continue with Facebook</a> <a href="/auth/twitter">Continue with X</a> <a href="/auth/linkedin">Continue with LinkedIn</a>

When the user returns from the provider:

1. We look up account_links by (provider, provider_subject).
2. Match found: log in that LXL account immediately.
3. No match, email matches an existing LXL account: prompt for OTP-to-email, then link.
4. No match, email is new: create a fresh LXL account and link.

Linking from inside an existing session¶

html <a href="/auth/google?action=link">Link Google to my account</a>

After the round-trip, the provider identity is attached to the currently-logged-in account.

Unlinking¶

```html

```

Unlinking immediately revokes any refresh tokens issued via that provider link.

API access¶

Linked accounts surface in the lxl.links claim of the id_token:

json { "sub": "Bootim", "email": "you@example.org", "lxl.links": ["google", "linkedin"] }

Anti-takeover protection¶

When a Google login's email matches an existing LXL account that has never signed in via Google, we require an OTP-to-email confirmation before linking. This prevents an attacker who compromises a Google account from automatically gaining access to the LXL account that happens to share the email.

This protection is on by default and cannot be disabled.

Webhook events¶

See Webhook events for the payload shape.