From 2b5eebcd226de44927feb707c089b3062fd0af73 Mon Sep 17 00:00:00 2001
From: Zai Shi <zaishi00@outlook.com>
Date: Fri, 1 Aug 2025 18:28:27 +0200
Subject: [PATCH] Config override CRUD (#803)

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->

<!-- ELLIPSIS_HIDDEN -->


----

> [!IMPORTANT]
> Add admin-only API endpoints and UI support for project configuration
overrides, with comprehensive tests and documentation updates.
>
>   - **New Features**:
> - Added admin-only API endpoints for reading and updating project
configuration overrides in `config/crud.tsx` and
`config/override/crud.tsx`.
> - Admin app supports fetching, caching, and updating configuration
overrides with new React hooks in `admin-app-impl.ts`.
>   - **Bug Fixes**:
> - Validation and error handling for OAuth providers, duplicate IDs,
and invalid config fields in `oauth-providers/crud.tsx`.
>   - **Tests**:
> - Added end-to-end tests for configuration management and validation
errors in `config.test.ts` and `js/config.test.ts`.
>   - **Documentation**:
> - Updated API documentation for new config override endpoints in
`config.ts`.
>
> <sup>This description was created by </sup>[<img alt="Ellipsis"
src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup>
for 3d20abc0920052edf758a4201918c654d372f3f1. You can
[customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this
summary. It will automatically update as commits are pushed.</sup>

----


<!-- ELLIPSIS_HIDDEN -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added the ability for admins to view and update project configuration
overrides through new internal API endpoints.
* Extended the admin app to support fetching, updating, and caching
configuration overrides, including React hook support for real-time
config usage.
* Introduced new admin interface methods for retrieving and updating
configuration.

* **Bug Fixes**
* Improved validation and error handling for configuration updates,
including checks for duplicate or invalid OAuth provider entries and
non-existent configuration fields.

* **Tests**
* Added comprehensive end-to-end tests covering configuration retrieval,
updates, access control, OAuth provider management, and domain
management.

* **Documentation**
* Enhanced API documentation for configuration management endpoints and
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com>
---
 apps/backend/prisma/seed.ts                   |   8 +-
 .../custom/projects/provision/route.tsx       |   4 +-
 .../neon/oauth-providers/crud.tsx             |   8 +-
 .../neon/projects/provision/route.tsx         |   4 +-
 .../app/api/latest/internal/config/crud.tsx   |  13 +
 .../latest/internal/config/override/crud.tsx  |  49 ++
 .../latest/internal/config/override/route.tsx |   3 +
 .../app/api/latest/internal/config/route.tsx  |   3 +
 .../app/api/latest/internal/projects/crud.tsx |   4 +-
 .../latest/internal/projects/current/crud.tsx |   4 +-
 apps/backend/src/lib/projects.tsx             |   2 +-
 .../endpoints/api/v1/internal/config.test.ts  | 533 ++++++++++++++++++
 apps/e2e/tests/js/config.test.ts              |  64 +++
 .../src/interface/admin-interface.ts          |  25 +-
 .../stack-shared/src/interface/crud/config.ts |  38 ++
 .../apps/implementations/admin-app-impl.ts    |  27 +-
 .../src/lib/stack-app/projects/index.ts       |   7 +
 17 files changed, 776 insertions(+), 20 deletions(-)
 create mode 100644 apps/backend/src/app/api/latest/internal/config/crud.tsx
 create mode 100644 apps/backend/src/app/api/latest/internal/config/override/crud.tsx
 create mode 100644 apps/backend/src/app/api/latest/internal/config/override/route.tsx
 create mode 100644 apps/backend/src/app/api/latest/internal/config/route.tsx
 create mode 100644 apps/e2e/tests/backend/endpoints/api/v1/internal/config.test.ts
 create mode 100644 apps/e2e/tests/js/config.test.ts
 create mode 100644 packages/stack-shared/src/interface/crud/config.ts

diff --git a/apps/backend/prisma/seed.ts b/apps/backend/prisma/seed.ts
index 98e78d1df..930734de4 100644
--- a/apps/backend/prisma/seed.ts
+++ b/apps/backend/prisma/seed.ts
@@ -1,6 +1,6 @@
 /* eslint-disable no-restricted-syntax */
 import { usersCrudHandlers } from '@/app/api/latest/users/crud';
-import { createOrUpdateProject, getProject } from '@/lib/projects';
+import { createOrUpdateProjectWithLegacyConfig, getProject } from '@/lib/projects';
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch } from '@/lib/tenancies';
 import { getPrismaClientForTenancy } from '@/prisma-client';
 import { PrismaClient } from '@prisma/client';
@@ -34,7 +34,7 @@ async function seed() {
   let internalProject = await getProject('internal');
 
   if (!internalProject) {
-    internalProject = await createOrUpdateProject({
+    internalProject = await createOrUpdateProjectWithLegacyConfig({
       type: 'create',
       projectId: 'internal',
       data: {
@@ -60,7 +60,7 @@ async function seed() {
   const internalTenancy = await getSoleTenancyFromProjectBranch("internal", DEFAULT_BRANCH_ID);
   const internalPrisma = await getPrismaClientForTenancy(internalTenancy);
 
-  internalProject = await createOrUpdateProject({
+  internalProject = await createOrUpdateProjectWithLegacyConfig({
     projectId: 'internal',
     branchId: DEFAULT_BRANCH_ID,
     type: 'update',
@@ -235,7 +235,7 @@ async function seed() {
     if (existingProject) {
       console.log('Emulator project already exists, skipping creation');
     } else {
-      await createOrUpdateProject({
+      await createOrUpdateProjectWithLegacyConfig({
         projectId: emulatorProjectId,
         type: 'create',
         data: {
diff --git a/apps/backend/src/app/api/latest/integrations/custom/projects/provision/route.tsx b/apps/backend/src/app/api/latest/integrations/custom/projects/provision/route.tsx
index a27ea921a..fe6d71d23 100644
--- a/apps/backend/src/app/api/latest/integrations/custom/projects/provision/route.tsx
+++ b/apps/backend/src/app/api/latest/integrations/custom/projects/provision/route.tsx
@@ -1,5 +1,5 @@
 import { createApiKeySet } from "@/lib/internal-api-keys";
-import { createOrUpdateProject } from "@/lib/projects";
+import { createOrUpdateProjectWithLegacyConfig } from "@/lib/projects";
 import { globalPrismaClient } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { neonAuthorizationHeaderSchema, projectDisplayNameSchema, yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
@@ -28,7 +28,7 @@ export const POST = createSmartRouteHandler({
   handler: async (req) => {
     const [clientId] = decodeBasicAuthorizationHeader(req.headers.authorization[0])!;
 
-    const createdProject = await createOrUpdateProject({
+    const createdProject = await createOrUpdateProjectWithLegacyConfig({
       ownerIds: [],
       type: 'create',
       data: {
diff --git a/apps/backend/src/app/api/latest/integrations/neon/oauth-providers/crud.tsx b/apps/backend/src/app/api/latest/integrations/neon/oauth-providers/crud.tsx
index ddb294e3a..858018bc5 100644
--- a/apps/backend/src/app/api/latest/integrations/neon/oauth-providers/crud.tsx
+++ b/apps/backend/src/app/api/latest/integrations/neon/oauth-providers/crud.tsx
@@ -1,4 +1,4 @@
-import { createOrUpdateProject } from "@/lib/projects";
+import { createOrUpdateProjectWithLegacyConfig } from "@/lib/projects";
 import { Tenancy, getTenancy } from "@/lib/tenancies";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { createCrud } from "@stackframe/stack-shared/dist/crud";
@@ -97,7 +97,7 @@ export const oauthProvidersCrudHandlers = createLazyProxy(() => createCrudHandle
       throw new StatusError(StatusError.BadRequest, 'OAuth provider already exists');
     }
 
-    await createOrUpdateProject({
+    await createOrUpdateProjectWithLegacyConfig({
       type: 'update',
       projectId: auth.project.id,
       branchId: auth.branchId,
@@ -124,7 +124,7 @@ export const oauthProvidersCrudHandlers = createLazyProxy(() => createCrudHandle
       throw new StatusError(StatusError.NotFound, 'OAuth provider not found');
     }
 
-    await createOrUpdateProject({
+    await createOrUpdateProjectWithLegacyConfig({
       type: 'update',
       projectId: auth.project.id,
       branchId: auth.branchId,
@@ -153,7 +153,7 @@ export const oauthProvidersCrudHandlers = createLazyProxy(() => createCrudHandle
       throw new StatusError(StatusError.NotFound, 'OAuth provider not found');
     }
 
-    await createOrUpdateProject({
+    await createOrUpdateProjectWithLegacyConfig({
       type: 'update',
       projectId: auth.project.id,
       branchId: auth.branchId,
diff --git a/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx b/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
index c29cff49c..08429661e 100644
--- a/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
+++ b/apps/backend/src/app/api/latest/integrations/neon/projects/provision/route.tsx
@@ -1,5 +1,5 @@
 import { createApiKeySet } from "@/lib/internal-api-keys";
-import { createOrUpdateProject } from "@/lib/projects";
+import { createOrUpdateProjectWithLegacyConfig } from "@/lib/projects";
 import { globalPrismaClient } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { neonAuthorizationHeaderSchema, projectDisplayNameSchema, yupArray, yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
@@ -32,7 +32,7 @@ export const POST = createSmartRouteHandler({
   handler: async (req) => {
     const [clientId] = decodeBasicAuthorizationHeader(req.headers.authorization[0])!;
 
-    const createdProject = await createOrUpdateProject({
+    const createdProject = await createOrUpdateProjectWithLegacyConfig({
       ownerIds: [],
       sourceOfTruth: req.body.connection_strings ? {
         type: 'neon',
diff --git a/apps/backend/src/app/api/latest/internal/config/crud.tsx b/apps/backend/src/app/api/latest/internal/config/crud.tsx
new file mode 100644
index 000000000..03ed2092e
--- /dev/null
+++ b/apps/backend/src/app/api/latest/internal/config/crud.tsx
@@ -0,0 +1,13 @@
+import { createCrudHandlers } from "@/route-handlers/crud-handler";
+import { configCrud } from "@stackframe/stack-shared/dist/interface/crud/config";
+import { yupObject } from "@stackframe/stack-shared/dist/schema-fields";
+import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+
+export const configCrudHandlers = createLazyProxy(() => createCrudHandlers(configCrud, {
+  paramsSchema: yupObject({}),
+  onRead: async ({ auth }) => {
+    return {
+      config_string: JSON.stringify(auth.tenancy.config),
+    };
+  },
+}));
diff --git a/apps/backend/src/app/api/latest/internal/config/override/crud.tsx b/apps/backend/src/app/api/latest/internal/config/override/crud.tsx
new file mode 100644
index 000000000..c16e35228
--- /dev/null
+++ b/apps/backend/src/app/api/latest/internal/config/override/crud.tsx
@@ -0,0 +1,49 @@
+import { getRenderedEnvironmentConfigQuery, overrideEnvironmentConfigOverride, validateEnvironmentConfigOverride } from "@/lib/config";
+import { globalPrismaClient, rawQuery } from "@/prisma-client";
+import { createCrudHandlers } from "@/route-handlers/crud-handler";
+import { configOverrideCrud } from "@stackframe/stack-shared/dist/interface/crud/config";
+import { yupObject } from "@stackframe/stack-shared/dist/schema-fields";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+
+export const configOverridesCrudHandlers = createLazyProxy(() => createCrudHandlers(configOverrideCrud, {
+  paramsSchema: yupObject({}),
+  onUpdate: async ({ auth, data }) => {
+    if (data.config_override_string) {
+      let parsedConfig;
+      try {
+        parsedConfig = JSON.parse(data.config_override_string);
+      } catch (e) {
+        if (e instanceof SyntaxError) {
+          throw new StatusError(StatusError.BadRequest, 'Invalid config JSON');
+        }
+        throw e;
+      }
+
+      const validationResult = await validateEnvironmentConfigOverride({
+        environmentConfigOverride: parsedConfig,
+        branchId: auth.tenancy.branchId,
+        projectId: auth.tenancy.project.id,
+      });
+
+      if (validationResult.status === "error") {
+        throw new StatusError(StatusError.BadRequest, validationResult.error);
+      }
+
+      await overrideEnvironmentConfigOverride({
+        projectId: auth.tenancy.project.id,
+        branchId: auth.tenancy.branchId,
+        environmentConfigOverrideOverride: parsedConfig,
+      });
+    }
+
+    const updatedConfig = await rawQuery(globalPrismaClient, getRenderedEnvironmentConfigQuery({
+      projectId: auth.tenancy.project.id,
+      branchId: auth.tenancy.branchId,
+    }));
+
+    return {
+      config_override_string: JSON.stringify(updatedConfig),
+    };
+  },
+}));
diff --git a/apps/backend/src/app/api/latest/internal/config/override/route.tsx b/apps/backend/src/app/api/latest/internal/config/override/route.tsx
new file mode 100644
index 000000000..9fc6faa6f
--- /dev/null
+++ b/apps/backend/src/app/api/latest/internal/config/override/route.tsx
@@ -0,0 +1,3 @@
+import { configOverridesCrudHandlers } from "./crud";
+
+export const PATCH = configOverridesCrudHandlers.updateHandler;
diff --git a/apps/backend/src/app/api/latest/internal/config/route.tsx b/apps/backend/src/app/api/latest/internal/config/route.tsx
new file mode 100644
index 000000000..014d6a7ba
--- /dev/null
+++ b/apps/backend/src/app/api/latest/internal/config/route.tsx
@@ -0,0 +1,3 @@
+import { configCrudHandlers } from "./crud";
+
+export const GET = configCrudHandlers.readHandler;
diff --git a/apps/backend/src/app/api/latest/internal/projects/crud.tsx b/apps/backend/src/app/api/latest/internal/projects/crud.tsx
index 83c4a14bc..d945f4d56 100644
--- a/apps/backend/src/app/api/latest/internal/projects/crud.tsx
+++ b/apps/backend/src/app/api/latest/internal/projects/crud.tsx
@@ -1,5 +1,5 @@
 import { renderedOrganizationConfigToProjectCrud } from "@/lib/config";
-import { createOrUpdateProject, getProjectQuery, listManagedProjectIds } from "@/lib/projects";
+import { createOrUpdateProjectWithLegacyConfig, getProjectQuery, listManagedProjectIds } from "@/lib/projects";
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch } from "@/lib/tenancies";
 import { globalPrismaClient, rawQueryAll } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
@@ -30,7 +30,7 @@ export const adminUserProjectsCrudHandlers = createLazyProxy(() => createCrudHan
     const ownerPack = ownerPacks.find(p => p.has(user.id));
     const userIds = ownerPack ? [...ownerPack] : [user.id];
 
-    const project = await createOrUpdateProject({
+    const project = await createOrUpdateProjectWithLegacyConfig({
       ownerIds: userIds,
       type: 'create',
       data: {
diff --git a/apps/backend/src/app/api/latest/internal/projects/current/crud.tsx b/apps/backend/src/app/api/latest/internal/projects/current/crud.tsx
index b929d8fae..e1c4e48a6 100644
--- a/apps/backend/src/app/api/latest/internal/projects/current/crud.tsx
+++ b/apps/backend/src/app/api/latest/internal/projects/current/crud.tsx
@@ -1,5 +1,5 @@
 import { renderedOrganizationConfigToProjectCrud } from "@/lib/config";
-import { createOrUpdateProject } from "@/lib/projects";
+import { createOrUpdateProjectWithLegacyConfig } from "@/lib/projects";
 import { getTenancy } from "@/lib/tenancies";
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
@@ -17,7 +17,7 @@ export const projectsCrudHandlers = createLazyProxy(() => createCrudHandlers(pro
     ) {
       throw new StatusError(400, "Invalid email theme");
     }
-    const project = await createOrUpdateProject({
+    const project = await createOrUpdateProjectWithLegacyConfig({
       type: "update",
       projectId: auth.project.id,
       branchId: auth.branchId,
diff --git a/apps/backend/src/lib/projects.tsx b/apps/backend/src/lib/projects.tsx
index ae13aa461..dc62a4d7f 100644
--- a/apps/backend/src/lib/projects.tsx
+++ b/apps/backend/src/lib/projects.tsx
@@ -60,7 +60,7 @@ export async function getProject(projectId: string): Promise<Omit<ProjectsCrud["
   return result;
 }
 
-export async function createOrUpdateProject(
+export async function createOrUpdateProjectWithLegacyConfig(
   options: {
     ownerIds?: string[],
     sourceOfTruth?: ProjectConfigOverrideOverride["sourceOfTruth"],
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/internal/config.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/internal/config.test.ts
new file mode 100644
index 000000000..6ed52f3ae
--- /dev/null
+++ b/apps/e2e/tests/backend/endpoints/api/v1/internal/config.test.ts
@@ -0,0 +1,533 @@
+import { pick } from "@stackframe/stack-shared/dist/utils/objects";
+import { it } from "../../../../../helpers";
+import { Project, niceBackendFetch } from "../../../../backend-helpers";
+
+
+it("client and server should not have access to config overrides", async ({ expect }) => {
+  await Project.createAndSwitch();
+
+  // Test client access
+  const clientResponse = await niceBackendFetch("/api/v1/internal/config", {
+    accessType: "client"
+  });
+  expect(clientResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 401,
+      "body": {
+        "code": "INSUFFICIENT_ACCESS_TYPE",
+        "details": {
+          "actual_access_type": "client",
+          "allowed_access_types": ["admin"],
+        },
+        "error": "The x-stack-access-type header must be 'admin', but was 'client'.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "INSUFFICIENT_ACCESS_TYPE",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+
+  // Test server access
+  const serverResponse = await niceBackendFetch("/api/v1/internal/config", {
+    accessType: "server"
+  });
+  expect(serverResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 401,
+      "body": {
+        "code": "INSUFFICIENT_ACCESS_TYPE",
+        "details": {
+          "actual_access_type": "server",
+          "allowed_access_types": ["admin"],
+        },
+        "error": "The x-stack-access-type header must be 'admin', but was 'server'.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "INSUFFICIENT_ACCESS_TYPE",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("gets config", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  const response = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  expect(response.status).toBe(200);
+  const parsedConfig = JSON.parse(response.body.config_string);
+  expect(pick(parsedConfig, ["auth", "domains", 'users', 'teams'])).toMatchInlineSnapshot(`
+    {
+      "auth": {
+        "allowSignUp": true,
+        "oauth": {
+          "accountMergeStrategy": "link_method",
+          "providers": {},
+        },
+        "otp": { "allowSignIn": true },
+        "passkey": { "allowSignIn": false },
+        "password": { "allowSignIn": true },
+      },
+      "domains": {
+        "allowLocalhost": true,
+        "trustedDomains": {},
+      },
+      "teams": {
+        "allowClientTeamCreation": false,
+        "createPersonalTeamOnSignUp": false,
+      },
+      "users": { "allowClientUserDeletion": false },
+    }
+  `);
+});
+
+it("updates basic config", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // Get initial config
+  const initialResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  expect(initialResponse.status).toBe(200);
+  const initialConfig = JSON.parse(initialResponse.body.config_string);
+
+  expect(initialConfig.users.allowClientUserDeletion).toBe(false);
+  expect(initialConfig.teams.allowClientTeamCreation).toBe(false);
+  expect(initialConfig.teams.createPersonalTeamOnSignUp).toBe(false);
+
+  const updateResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'users.allowClientUserDeletion': true,
+        'teams.allowClientTeamCreation': true,
+        'teams.createPersonalTeamOnSignUp': true,
+      }),
+    },
+  });
+  expect(updateResponse.status).toBe(200);
+
+  // Verify the changes are persisted by making another GET request
+  const verifyResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  expect(verifyResponse.status).toBe(200);
+  const updatedConfig = JSON.parse(verifyResponse.body.config_string);
+  expect(updatedConfig.users.allowClientUserDeletion).toBe(true);
+  expect(updatedConfig.teams.allowClientTeamCreation).toBe(true);
+  expect(updatedConfig.teams.createPersonalTeamOnSignUp).toBe(true);
+});
+
+it("adds, updates, and removes oauth config", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // Get initial config to verify no OAuth providers exist
+  const initialResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  expect(initialResponse.status).toBe(200);
+  const initialConfig = JSON.parse(initialResponse.body.config_string);
+  expect(initialConfig.auth.oauth.providers).toEqual({});
+
+  // Add a Google OAuth provider
+  const addGoogleResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'auth.oauth.providers.google': {
+          type: 'google',
+          isShared: false,
+          clientId: 'google-client-id',
+          clientSecret: 'google-client-secret',
+          allowSignIn: true,
+          allowConnectedAccounts: true,
+        },
+      }),
+    },
+  });
+
+  expect(addGoogleResponse.status).toBe(200);
+
+  // Add a second OAuth provider (GitHub)
+  const addGithubResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'auth.oauth.providers.github': {
+          type: 'github',
+          isShared: true,
+          allowSignIn: true,
+          allowConnectedAccounts: false,
+        },
+      }),
+    },
+  });
+
+  expect(addGithubResponse.status).toBe(200);
+
+  const configResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  const configWithBoth = JSON.parse(configResponse.body.config_string);
+  expect(configWithBoth.auth.oauth.providers.google).toBeDefined();
+  expect(configWithBoth.auth.oauth.providers.github).toEqual({
+    type: 'github',
+    isShared: true,
+    allowSignIn: true,
+    allowConnectedAccounts: false,
+  });
+
+  // Update the Google OAuth provider
+  const updateGoogleResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'auth.oauth.providers.google': {
+          type: 'google',
+          isShared: true,
+          allowSignIn: false,
+          allowConnectedAccounts: true,
+        },
+      }),
+    },
+  });
+
+  expect(updateGoogleResponse.status).toBe(200);
+
+  const configResponse2 = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+  const configWithUpdatedGoogle = JSON.parse(configResponse2.body.config_string);
+  expect(configWithUpdatedGoogle.auth.oauth.providers.google).toEqual({
+    type: 'google',
+    isShared: true,
+    allowSignIn: false,
+    allowConnectedAccounts: true,
+  });
+  // GitHub should still be there
+  expect(configWithUpdatedGoogle.auth.oauth.providers.github).toBeDefined();
+
+  // Remove the GitHub OAuth provider
+  const removeGithubResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'auth.oauth.providers.github': null,
+      }),
+    },
+  });
+
+  expect(removeGithubResponse.status).toBe(200);
+
+  const configResponse3 = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+  const configWithoutGithub = JSON.parse(configResponse3.body.config_string);
+  expect(configWithoutGithub.auth.oauth.providers.github).toBeUndefined();
+  // Google should still be there
+  expect(configWithoutGithub.auth.oauth.providers.google).toBeDefined();
+});
+
+it("doesn't allow duplicated oauth ids", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // However, trying to create multiple providers with same OAuth ID in single request should fail
+  // or at minimum, only the last one should be applied
+  const multipleWithSameIdResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: `
+      {
+        "auth.oauth.providers.duplicate": {
+            "type":"google",
+            "isShared":false,
+            "clientId":"google-client-id",
+            "clientSecret":"google-client-secret",
+            "allowSignIn":true,
+            "allowConnectedAccounts":true
+        },
+        "auth.oauth.providers.duplicate": {
+            "type":"google",
+            "isShared":false,
+            "clientId":"google-client-id",
+            "clientSecret":"google-client-secret",
+            "allowSignIn":true,
+            "allowConnectedAccounts":true
+        },
+      }`,
+    },
+  });
+
+  expect(multipleWithSameIdResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": "Invalid config JSON",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("returns an error when the oauth config is misconfigured", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // Test invalid OAuth provider type
+  const invalidTypeResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'auth.oauth.providers.invalid': {
+          type: 'invalid-provider',
+          isShared: false,
+          clientId: 'test-client-id',
+          clientSecret: 'test-client-secret',
+          allowSignIn: true,
+          allowConnectedAccounts: true,
+        },
+      }),
+    },
+  });
+
+  expect(invalidTypeResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": "[ERROR] auth.oauth.providers.invalid.type must be one of the following values: google, github, microsoft, spotify, facebook, discord, gitlab, bitbucket, linkedin, apple, x, twitch",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("returns an error when config override contains non-existent fields", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // Test non-existent top-level field
+  const invalidTopLevelResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'nonExistentField': 'some-value',
+      }),
+    },
+  });
+
+  expect(invalidTopLevelResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": "[ERROR] The key \\"nonExistentField\\" is not valid for the schema.",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("adds, updates, and removes domains", async ({ expect }) => {
+  const { adminAccessToken } = await Project.createAndSwitch({
+    config: {
+      magic_link_enabled: true,
+    }
+  });
+
+  // Get initial config to verify no trusted domains exist
+  const initialResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  expect(initialResponse.status).toBe(200);
+  const initialConfig = JSON.parse(initialResponse.body.config_string);
+  expect(initialConfig.domains.trustedDomains).toEqual({});
+
+  // Add a first trusted domain
+  const addFirstDomainResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'domains.trustedDomains.domain-1': {
+          baseUrl: 'https://example.com',
+          handlerPath: '/auth/handler',
+        },
+      }),
+    },
+  });
+
+  expect(addFirstDomainResponse.status).toBe(200);
+
+  const configResponse = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  const configWithFirstDomain = JSON.parse(configResponse.body.config_string);
+  expect(configWithFirstDomain.domains.trustedDomains['domain-1']).toEqual({
+    baseUrl: 'https://example.com',
+    handlerPath: '/auth/handler',
+  });
+
+  // Add a second trusted domain
+  const addSecondDomainResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'domains.trustedDomains.domain-2': {
+          baseUrl: 'https://app.example.com',
+          handlerPath: '/handler',
+        },
+      }),
+    },
+  });
+
+  expect(addSecondDomainResponse.status).toBe(200);
+
+  const configResponse2 = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+  const configWithBothDomains = JSON.parse(configResponse2.body.config_string);
+  expect(configWithBothDomains.domains.trustedDomains['domain-1']).toBeDefined();
+  expect(configWithBothDomains.domains.trustedDomains['domain-2']).toEqual({
+    baseUrl: 'https://app.example.com',
+    handlerPath: '/handler',
+  });
+
+  // Update the first domain
+  const updateFirstDomainResponse = await niceBackendFetch("/api/v1/internal/config/override", {
+    method: "PATCH",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+    body: {
+      config_override_string: JSON.stringify({
+        'domains.trustedDomains.domain-1': {
+          baseUrl: 'https://updated.example.com',
+          handlerPath: '/new-handler',
+        },
+      }),
+    },
+  });
+
+  expect(updateFirstDomainResponse.status).toBe(200);
+
+  const configResponse3 = await niceBackendFetch("/api/v1/internal/config", {
+    method: "GET",
+    accessType: "admin",
+    headers: {
+      'x-stack-admin-access-token': adminAccessToken,
+    },
+  });
+
+  const configWithUpdatedDomain = JSON.parse(configResponse3.body.config_string);
+  expect(configWithUpdatedDomain.domains.trustedDomains['domain-1']).toEqual({
+    baseUrl: 'https://updated.example.com',
+    handlerPath: '/new-handler',
+  });
+  // Second domain should still be there
+  expect(configWithUpdatedDomain.domains.trustedDomains['domain-2']).toBeDefined();
+});
diff --git a/apps/e2e/tests/js/config.test.ts b/apps/e2e/tests/js/config.test.ts
new file mode 100644
index 000000000..6f6649fe7
--- /dev/null
+++ b/apps/e2e/tests/js/config.test.ts
@@ -0,0 +1,64 @@
+import { pick } from "@stackframe/stack-shared/dist/utils/objects";
+import { it } from "../helpers";
+import { createApp } from "./js-helpers";
+
+it("gets config", async ({ expect }) => {
+  const { adminApp } = await createApp();
+  const project = await adminApp.getProject();
+  const config = await project.getConfig();
+  expect(pick(config, ["auth", "users", "teams"])).toMatchInlineSnapshot(`
+    {
+      "auth": {
+        "allowSignUp": true,
+        "oauth": {
+          "accountMergeStrategy": "link_method",
+          "providers": {},
+        },
+        "otp": { "allowSignIn": false },
+        "passkey": { "allowSignIn": false },
+        "password": { "allowSignIn": true },
+      },
+      "teams": {
+        "allowClientTeamCreation": false,
+        "createPersonalTeamOnSignUp": false,
+      },
+      "users": { "allowClientUserDeletion": false },
+    }
+  `);
+});
+
+it("updates config", async ({ expect }) => {
+  const { adminApp } = await createApp();
+  const project = await adminApp.getProject();
+  const config = await project.getConfig();
+  expect(config['auth']).toMatchInlineSnapshot(`
+    {
+      "allowSignUp": true,
+      "oauth": {
+        "accountMergeStrategy": "link_method",
+        "providers": {},
+      },
+      "otp": { "allowSignIn": false },
+      "passkey": { "allowSignIn": false },
+      "password": { "allowSignIn": true },
+    }
+  `);
+
+  await project.updateConfig({
+    'auth.allowSignUp': false,
+  });
+
+  const config2 = await project.getConfig();
+  expect(config2['auth']).toMatchInlineSnapshot(`
+    {
+      "allowSignUp": false,
+      "oauth": {
+        "accountMergeStrategy": "link_method",
+        "providers": {},
+      },
+      "otp": { "allowSignIn": false },
+      "passkey": { "allowSignIn": false },
+      "password": { "allowSignIn": true },
+    }
+  `);
+});
diff --git a/packages/stack-shared/src/interface/admin-interface.ts b/packages/stack-shared/src/interface/admin-interface.ts
index 464c230b1..04778faf2 100644
--- a/packages/stack-shared/src/interface/admin-interface.ts
+++ b/packages/stack-shared/src/interface/admin-interface.ts
@@ -1,4 +1,5 @@
 import { InternalSession } from "../sessions";
+import { ConfigCrud, ConfigOverrideCrud } from "./crud/config";
 import { InternalEmailsCrud } from "./crud/emails";
 import { InternalApiKeysCrud } from "./crud/internal-api-keys";
 import { ProjectPermissionDefinitionsCrud } from "./crud/project-permissions";
@@ -443,6 +444,29 @@ export class StackAdminInterface extends StackServerInterface {
     return await response.json();
   }
 
+  async getConfig(): Promise<ConfigCrud["Admin"]["Read"]> {
+    const response = await this.sendAdminRequest(
+      `/internal/config`,
+      { method: "GET" },
+      null,
+    );
+    return await response.json();
+  }
+
+  async updateConfig(data: { configOverride: any }): Promise<ConfigOverrideCrud["Admin"]["Read"]> {
+    const response = await this.sendAdminRequest(
+      `/internal/config/override`,
+      {
+        method: "PATCH",
+        headers: {
+          "content-type": "application/json",
+        },
+        body: JSON.stringify({ config_override_string: JSON.stringify(data.configOverride) }),
+      },
+      null,
+    );
+    return await response.json();
+  }
   async createEmailTemplate(displayName: string): Promise<{ id: string }> {
     const response = await this.sendAdminRequest(
       `/internal/email-templates`,
@@ -459,5 +483,4 @@ export class StackAdminInterface extends StackServerInterface {
     );
     return await response.json();
   }
-
 }
diff --git a/packages/stack-shared/src/interface/crud/config.ts b/packages/stack-shared/src/interface/crud/config.ts
new file mode 100644
index 000000000..d1af15e25
--- /dev/null
+++ b/packages/stack-shared/src/interface/crud/config.ts
@@ -0,0 +1,38 @@
+import { CrudTypeOf, createCrud } from "../../crud";
+import * as schemaFields from "../../schema-fields";
+import { yupObject } from "../../schema-fields";
+
+export const configOverrideCrudAdminReadSchema = yupObject({}).defined();
+
+export const configOverrideCrudAdminUpdateSchema = yupObject({
+  config_override_string: schemaFields.yupString().optional(),
+}).defined();
+
+export const configOverrideCrud = createCrud({
+  adminReadSchema: configOverrideCrudAdminReadSchema,
+  adminUpdateSchema: configOverrideCrudAdminUpdateSchema,
+  docs: {
+    adminUpdate: {
+      summary: 'Update the config',
+      description: 'Update the config for a project and branch with an override',
+      tags: ['Config'],
+    },
+  },
+});
+export type ConfigOverrideCrud = CrudTypeOf<typeof configOverrideCrud>;
+
+export const configCrudAdminReadSchema = yupObject({
+  config_string: schemaFields.yupString().defined(),
+}).defined();
+
+export const configCrud = createCrud({
+  adminReadSchema: configCrudAdminReadSchema,
+  docs: {
+    adminRead: {
+      summary: 'Get the config',
+      description: 'Get the config for a project and branch',
+      tags: ['Config'],
+    },
+  },
+});
+export type ConfigCrud = CrudTypeOf<typeof configCrud>;
diff --git a/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
index a0be1e981..0c4317841 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
@@ -18,7 +18,9 @@ import { StackAdminApp, StackAdminAppConstructorOptions } from "../interfaces/ad
 import { clientVersion, createCache, getBaseUrl, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey, getDefaultSuperSecretAdminKey } from "./common";
 import { _StackServerAppImplIncomplete } from "./server-app-impl";
 
+import { EnvironmentConfigOverrideOverride, OrganizationRenderedConfig } from "@stackframe/stack-shared/dist/config/schema";
 import { ChatContent } from "@stackframe/stack-shared/dist/interface/admin-interface";
+import { ConfigCrud } from "@stackframe/stack-shared/dist/interface/crud/config";
 import { useAsyncCache } from "./common"; // THIS_LINE_PLATFORM react-like
 
 export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, ProjectId extends string> extends _StackServerAppImplIncomplete<HasTokenStore, ProjectId> implements StackAdminApp<HasTokenStore, ProjectId>
@@ -56,6 +58,9 @@ export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, Project
   private readonly _emailPreviewCache = createCache(async ([themeId, themeTsxSource, templateId, templateTsxSource]: [string | null | false | undefined, string | undefined, string | undefined, string | undefined]) => {
     return await this._interface.renderEmailPreview({ themeId, themeTsxSource, templateId, templateTsxSource });
   });
+  private readonly _configOverridesCache = createCache(async () => {
+    return await this._interface.getConfig();
+  });
 
   constructor(options: StackAdminAppConstructorOptions<HasTokenStore, ProjectId>) {
     super({
@@ -82,6 +87,10 @@ export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, Project
     });
   }
 
+  _adminConfigFromCrud(data: ConfigCrud['Admin']['Read']): OrganizationRenderedConfig {
+    return JSON.parse(data.config_string);
+  }
+
   _adminOwnedProjectFromCrud(data: ProjectsCrud['Admin']['Read'], onRefresh: () => Promise<void>): AdminOwnedProject {
     if (this._tokenStoreInit !== null) {
       throw new StackAssertionError("Owned apps must always have tokenStore === null — did you not create this project with app._createOwnedApp()?");
@@ -147,9 +156,21 @@ export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, Project
         teamMemberDefaultPermissions: data.config.team_member_default_permissions,
         userDefaultPermissions: data.config.user_default_permissions,
       },
-
+      async getConfig() {
+        return app._adminConfigFromCrud(await app._interface.getConfig());
+      },
+      // IF_PLATFORM react-like
+      useConfig() {
+        const config = useAsyncCache(app._configOverridesCache, [], "useConfig()");
+        return useMemo(() => app._adminConfigFromCrud(config), [config]);
+      },
+      // END_PLATFORM
+      async updateConfig(configOverride: EnvironmentConfigOverrideOverride) {
+        await app._interface.updateConfig({ configOverride });
+      },
       async update(update: AdminProjectUpdateOptions) {
-        await app._interface.updateProject(adminProjectUpdateOptionsToCrud(update));
+        const updateOptions = adminProjectUpdateOptionsToCrud(update);
+        await app._interface.updateProject(updateOptions);
         await onRefresh();
       },
       async delete() {
@@ -158,9 +179,11 @@ export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, Project
       async getProductionModeErrors() {
         return getProductionModeErrors(data);
       },
+      // IF_PLATFORM react-like
       useProductionModeErrors() {
         return getProductionModeErrors(data);
       },
+      // END_PLATFORM
     };
   }
 
diff --git a/packages/template/src/lib/stack-app/projects/index.ts b/packages/template/src/lib/stack-app/projects/index.ts
index d8ea35baf..3042b5e05 100644
--- a/packages/template/src/lib/stack-app/projects/index.ts
+++ b/packages/template/src/lib/stack-app/projects/index.ts
@@ -1,6 +1,7 @@
 import { ProductionModeError } from "@stackframe/stack-shared/dist/helpers/production-mode";
 import { AdminUserProjectsCrud, ProjectsCrud } from "@stackframe/stack-shared/dist/interface/crud/projects";
 
+import { EnvironmentConfigOverrideOverride, OrganizationRenderedConfig } from "@stackframe/stack-shared/dist/config/schema";
 import { StackAdminApp } from "../apps/interfaces/admin-app";
 import { AdminProjectConfig, AdminProjectConfigUpdateOptions, ProjectConfig } from "../project-configs";
 
@@ -22,7 +23,13 @@ export type AdminProject = {
   update(this: AdminProject, update: AdminProjectUpdateOptions): Promise<void>,
   delete(this: AdminProject): Promise<void>,
 
+  getConfig(this: AdminProject): Promise<OrganizationRenderedConfig>,
+  // NEXT_LINE_PLATFORM react-like
+  useConfig(this: AdminProject): OrganizationRenderedConfig,
+  updateConfig(this: AdminProject, config: EnvironmentConfigOverrideOverride): Promise<void>,
+
   getProductionModeErrors(this: AdminProject): Promise<ProductionModeError[]>,
+  // NEXT_LINE_PLATFORM react-like
   useProductionModeErrors(this: AdminProject): ProductionModeError[],
 } & Project;