stack/docs-mintlify/docs/getting-started/production.mdx

---
title: Production
description: Steps to prepare Stack for production use
sidebarTitle: Production
icon: "rocket"
---

# Production

Stack makes development easy with various default settings, but these settings need to be optimized for security and user experience when moving to production. Here's a checklist of things you need to do before switching to production mode:

## Domains

By default, Stack allows all localhost paths as valid callback URLs. This is convenient for development but poses a security risk in production because attackers could use their own domains as callback URLs to intercept sensitive information. Therefore, in production, Stack must know your domain (e.g., `https://your-website.com`) and only allow callbacks from those domains.

Follow these steps when you're ready to push your application to production:

<Steps>
  <Step title="Add Your Domain">
    Navigate to the `Domain & Handlers` tab in the Stack dashboard. If you haven't configured your handler, you can leave it as the default. (Learn more about handlers [here](../sdk/objects/stack-app)).
  </Step>
  <Step title="Disable Localhost Callbacks">
    For enhanced security, disable the `Allow all localhost callbacks for development` option.
  </Step>
</Steps>

## OAuth providers

Stack uses shared OAuth keys for development to simplify setup when using "Sign in with Google/GitHub/etc." However, this isn't secure for production as it displays "Stack Development" on the providers' consent screens, making it unclear to users if the OAuth request is genuinely from your site. Thus, you should configure your own OAuth keys with the providers and connect them to Stack.

To use your own OAuth provider setups in production, follow these steps for each provider you use:

<Steps>
  <Step title="Create an OAuth App">
    On the provider's website, create an OAuth app and set the callback URL to the corresponding Stack callback URL. Copy the client ID and client secret.

    <Tabs>
      <Tab title="Google">
        [Google OAuth Setup Guide](https://developers.google.com/identity/protocols/oauth2#1.-obtain-oauth-2.0-credentials-from-the-dynamic_data.setvar.console_name-.)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/google
        ```
      </Tab>
      <Tab title="GitHub">
        [GitHub OAuth Setup Guide](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/github
        ```
      </Tab>
      <Tab title="Facebook">
        [Facebook OAuth Setup Guide](https://developers.facebook.com/docs/development/create-an-app/facebook-login-use-case)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/facebook
        ```
      </Tab>
      <Tab title="Microsoft">
        [Microsoft Azure OAuth Setup Guide](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/microsoft
        ```
      </Tab>
      <Tab title="Spotify">
        [Spotify OAuth Setup Guide](https://developer.spotify.com/documentation/general/guides/app-settings/)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/spotify
        ```
      </Tab>
      <Tab title="Gitlab">
        [Gitlab OAuth Setup Guide](https://docs.gitlab.com/ee/integration/oauth_provider.html)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/gitlab
        ```
      </Tab>
      <Tab title="Bitbucket">
        [Bitbucket OAuth Setup Guide](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/bitbucket
        ```
      </Tab>
      <Tab title="LinkedIn">
        [LinkedIn OAuth Setup Guide](https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fcontext&tabs=HTTPS1)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/linkedin
        ```
      </Tab>
      <Tab title="X">
        [X OAuth Setup Guide](https://developer.x.com/en/docs/apps/overview)

        Callback URL:

        ```
        https://api.stack-auth.com/api/v1/auth/oauth/callback/x
        ```
      </Tab>
    </Tabs>
  </Step>
  <Step title="Enter OAuth Credentials">
    Go to the `Auth Methods` section in the Stack dashboard, open the provider's settings, switch from shared keys to custom keys, and enter the client ID and client secret.
  </Step>
</Steps>

## Email server

For development, Stack uses a shared email server, which sends emails from Stack's domain. This is not ideal for production as users may not trust emails from an unfamiliar domain. You should set up an email server connected to your own domain.

Steps to connect your own email server with Stack:

1. **Setup Email Server**: Configure your own email server and connect it to your domain (this step is beyond Stack's documentation scope).
2. **Configure Stack's Email Settings**: Navigate to the `Emails` section in the Stack dashboard, click `Edit` in the `Email Server` section, switch from `Shared` to `Custom SMTP server`, enter your SMTP configurations, and save.

## Enabling production mode

After completing the steps above, you can enable production mode on the `Project Settings` tab in the Stack dashboard, ensuring that your website runs securely with Stack in a production environment.