Rheo documentation
Developer Guide

Authentication layers

OAuth and email-password layers in flows, host handlers, terminal redaction, and canvas editor gates.

Purpose

Rheo flows can include OAuth login and email/password authentication layers. The dashboard authors the UI chrome; your host app runs the actual sign-in or sign-up against your identity provider. Rheo never stores OAuth tokens or passwords — they are handled only in host callbacks and are omitted from terminal snapshots and analytics field maps.

Mental model

Layer | Who runs auth | What Rheo records
OAuth login | Host via OAuth handler | Success/failure advances the flow; auth field keys omitted from answers
Email/password auth | Host via email/password handler (optional) | Validated email/password never sent to Rheo
Standalone email/password field or submit | Host or auto-advance in preview | Same redaction rules

A screen may contain at most one auth block (OAuth or email/password), and an auth block cannot share a screen with other input layers.

How to — React Native

Wrap your flow tree with providers and attach handlers:

import {
  OAuthLoginProvider,
  EmailPasswordAuthProvider,
  Flow,
} from '@getrheo/react-native-expo';

<OAuthLoginProvider
  respond={flow.respond}
  handler={(payload) => {
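    // payload.provider: google, apple, custom, etc.
    // Call payload.resolve({ success: true }) or payload.resolve({ success: false, error }).
    // signInWithProvider is your host app's own sign-in function, not a Rheo export.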
    signInWithProvider(payload.provider).then(
      () => payload.resolve({ success: true }),
      (err) => payload.resolve({ success: false, error: err }),
    );
  }}
>
  <EmailPasswordAuthProvider respond={flow.respond}>
    <Flow channelId="ch_test_…" />
  </EmailPasswordAuthProvider>
</OAuthLoginProvider>

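For email/password, attach a handler on EmailPasswordAuthProvider. When no handler is attached, client-side validation auto-responds with success: true so builder preview and tests advance without a backend. In that case the success response reflects only client-side validation, not a check against your identity provider, so attach a handler wherever real authentication is required.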
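
A hardened wrapper around the OAuth handler contract shown above, as an added example (not Rheo's own code): it limits providers to an allowlist, resolves the step exactly once even when sign-in hangs, and passes a fixed error code to payload.resolve instead of the raw provider error. makeOAuthHandler, its options and the error-code strings are hypothetical names, and the example assumes error accepts a short string.

```javascript
// Added example, not part of the Rheo SDK. Hypothetical names: makeOAuthHandler,
// allowedProviders, timeoutMs, logError and the error-code strings.
// Assumption: payload.resolve accepts a short string in `error`.
function makeOAuthHandler(signIn, options) {
  const { allowedProviders, timeoutMs = 30000, logError = () => {} } = options;
  const allowed = new Set(allowedProviders);

  return function handler(payload) {
    // Refuse providers the host has not explicitly enabled.
    if (!allowed.has(payload.provider)) {
      payload.resolve({ success: false, error: 'provider_not_allowed' });
      return Promise.resolve();
    }

    let settled = false;
    let timer = null;
    // Resolve the step exactly once, whichever of sign-in or timeout wins.
    const finish = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      payload.resolve(result);
    };
    timer = setTimeout(() => finish({ success: false, error: 'timeout' }), timeoutMs);

    return Promise.resolve()
      .then(() => signIn(payload.provider))
      .then(
        () => finish({ success: true }),
        (err) => {
          // Keep provider error detail in host-side logging only; the flow
          // receives a fixed code.
          logError(err);
          finish({ success: false, error: 'sign_in_failed' });
        },
      );
  };
}
```

Pass the returned function as the handler prop of OAuthLoginProvider, with your own sign-in function as signIn.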

How to — SwiftUI (coming soon)

How to — Flutter (coming soon)

Terminal payload redaction

onFlowCompleted / onFlowAbandoned receive a FlowTerminalSnapshot:

  • answers — normalized field-key map for inputs, checkboxes, and permission keys. Keys tied to OAuth or email-password auth are omitted; use your auth callbacks for identity outcomes.
  • answersDetail (optional) — raw step responses with the same auth keys stripped when includeAnswerDetailInTerminalPayload is true.
  • traits — merged SDK attributes + attribution at terminal time (not auth secrets).

OAuth failure without screen advance does not emit step completion analytics for that screen.

Canvas editor gates

Per-app toggles under App settings → Canvas controls disable layer families in the builder and block publish when violated.

Dashboard: App settings → Canvas controls — toggles for OAuth and email/password layer families.

Gate | Controls
OAuth login | OAuth login blocks
OAuth provider preset | Preset provider buttons inside OAuth login
OAuth provider custom | Custom provider buttons
Email/password auth | Composite email/password blocks
Email/password field | Standalone field layers
Email/password submit | Standalone submit layers

Plan entitlements may further restrict advanced layers on Indie; gates are app-scoped overrides on top of plan defaults.

Limits and permissions

  • Never embed identity provider secrets in the manifest or SDK config.
  • Auth layers require host implementation — Rheo does not ship Clerk/Firebase/Auth0 adapters in the core SDK.
  • Dashboard Authentication settings describe workspace sign-in; this page covers end-user auth inside flows.