ServiceLogin
Last updated: July 3, 2026
ServiceLogin is the setting that lets a Space sign up and log in the end-users (ServiceUser) of its own product through OAuth. It is the entry point for attaching to your product an identity system that is separate from a Weegloo platform account (the Weegloo User who logs in to the content studio). A member who signs up through this setting receives ServiceLogin's default role (defaultRole), and that member's token authenticates against ACMA/ACDA.
A Space has at most one ServiceLogin. If you call create (POST) again when one already exists, WGL409003 (409 Conflict) is returned. That is why the read also fetches that single one with GET .../service-login, without a loginId (there is no list endpoint).
Resource structure
The following is the response for one ServiceLogin. Together with sys (system properties), it has the body properties that hold the service display info and sign-up behavior: name, callbackUrl, contactEmail, and approvalRequired.
{
"sys": {
"id": "3trmXRM3RqbgSnifyg7PSlgn01Ex",
"type": "ServiceLogin",
"space": { "sys": { "id": "HnQ32YiH", "type": "Refer", "targetType": "Space" } },
"defaultRole": { "sys": { "id": "3trmXRLXeZN2RTHvVj3hFDN5546vbp", "type": "Refer", "targetType": "ServiceUserRole" } },
"providers": [
{ "registrationId": "google", "clientId": "821047-dailywear.apps.googleusercontent.com" }
],
"createdBy": { "sys": { "id": "3p4tcFbQRwz503VXdtHXNI5dZH5TVB", "type": "Refer", "targetType": "User" } },
"createdAt": "2026-06-18T12:55:00.000Z",
"updatedBy": { "sys": { "id": "3p4tcFbQRwz503VXdtHXNI5dZH5TVB", "type": "Refer", "targetType": "User" } },
"updatedAt": "2026-06-18T12:55:00.000Z",
"version": 1
},
"name": "DailyWear membership",
"callbackUrl": "https://dailywear.example/auth/callback",
"contactEmail": "members@dailywear.example",
"approvalRequired": false
}Key properties:
defaultRole: TheReferto the ServiceUserRole that a newly signed-up member receives by default. When a member needs a different role, override it with the ServiceUser'sroleOverride.providers: The list of OAuth providers this service supports. Each item consists ofregistrationId,clientId, andclientSecret.clientSecretdoes not appear in the response.callbackUrl: The URL a member is sent to after finishing OAuth login. An exchange token (exchangeToken) comes back attached to this URL as a query string.approvalRequired: When turned on, a new member signs up with login disabled (enableLogin=false) and needs administrator approval.
System properties (sys)
Every ServiceLogin carries common system properties in the sys object. space, defaultRole, createdBy, and updatedBy are in the Refer shape ({ "sys": { "id", "type": "Refer", "targetType" } }).
| Property | Type | Description |
|---|---|---|
id | string | Unique resource identifier. |
type | string | Resource kind. For a ServiceLogin this is always "ServiceLogin". |
space | Refer<Space> | The Space this setting belongs to. |
defaultRole | Refer<ServiceUserRole> | The ServiceUserRole that a newly signed-up member receives by default. |
providers | Provider array | The list of supported OAuth providers. Response items do not include clientSecret. |
createdBy | Refer<User> | The Weegloo User who created this setting. |
createdAt | string (date-time) | Creation time. |
updatedBy | Refer<User> | The Weegloo User who last updated it. |
updatedAt | string (date-time) | Last update time. |
version | integer | The resource version. You put it in the X-Weegloo-Version header when updating. |
Because ServiceLogin is a setting resource, it has no publishing concept. There is no publish, archive, or status, only a version to prevent concurrent-update conflicts.
Body properties and providers
| Property | Type | Description |
|---|---|---|
name | string | The service display name. |
callbackUrl | string | The URL to go to after OAuth login completes. exchangeToken comes back attached to this URL as a query string. |
contactEmail | string | The contact email for the service administrator. |
approvalRequired | boolean | When true, a new member starts with enableLogin=false and needs administrator approval. The default is false. |
providers
providers is the list of OAuth providers this service supports. Each provider consists of these three values.
| Property | Type | Description |
|---|---|---|
registrationId | string | The OAuth provider identifier. Currently google, github, facebook, gitlab, kakao, naver, and line are supported. |
clientId | string | The client ID issued by that provider. |
clientSecret | string | The client secret issued by that provider. It is write-only, so it does not appear in the response. |
The registrationId values for which WEEGLOO currently has OAuth endpoints wired up are seven: google, github, facebook, gitlab, kakao, naver, and line. Login does not work with any other value.
You can put providers into the ServiceLogin create body together, or manage them separately with the provider add, update, and delete endpoints below. The ServiceLogin update (PUT) body has no providers, so you handle the providers of an already-created setting with the dedicated endpoints.
A ServiceLogin must always have at least one provider, and can have at most 10. On create, you must put at least one into providers. The last remaining provider cannot be deleted, and attempting to delete it returns WGL422055 (422). To remove all providers, delete the ServiceLogin itself.
Registering the redirect URI
When you create an OAuth app in each provider's console (Google, GitHub, Facebook, GitLab, Kakao, Naver, LINE), you must register the authorized redirect URI (redirect URI) with exactly the same value that WEEGLOO uses. If the value differs, login fails with redirect_uri mismatch.
The URI to register has this format.
https://auth.weegloo.com/v1/spaces/{spaceId}/login/oauth2/code/{registrationId}
{spaceId}: Thesys.idof the Space this ServiceLogin belongs to.{registrationId}: The provider identifier (google,github,facebook,gitlab,kakao,naver,line).
For example, to attach Google to the Space HnQ32YiH, you register https://auth.weegloo.com/v1/spaces/HnQ32YiH/login/oauth2/code/google.
API
The base URL for all endpoints below is https://cma.weegloo.com/v1, and a Bearer token that authenticates against CMA is required in the Authorization header. The update endpoints (PUT, PATCH) and the provider management endpoints must carry the current sys.version in the X-Weegloo-Version header to prevent concurrent-update conflicts. Create and ServiceLogin delete do not have this header. The read fetches that Space's single ServiceLogin without a loginId.
Related documents
- ServiceUserRole: The permission bundle to give via
defaultRole. - ServiceUser: A member who signed up through this setting.
- Auth API: The member OAuth login and token-exchange flow.
