npx pdh init fetches default OAuth credentials and writes them into hub-config.yaml automatically. PersonalDataHub uses PKCE (Proof Key for Code Exchange) for secure authorization. No additional configuration needed — just click "Connect Gmail" or "Connect GitHub" in the PersonalDataHub GUI.
How it works:
- PersonalDataHub generates a cryptographic code verifier and challenge (PKCE S256)
- Redirects you to Google/GitHub to authorize
- Exchanges the authorization code + code verifier for tokens locally
- Tokens are stored encrypted on your machine — they never leave your device
Google Desktop app client secrets are not confidential by design. PKCE adds defense-in-depth against authorization code interception.
If you prefer to use your own OAuth app credentials (e.g., for branding, higher rate limits, or organizational policies), you can provide them in hub-config.yaml. When custom credentials are present, PersonalDataHub uses them instead of the defaults. PKCE is always applied regardless.
- Go to Google Cloud Console
- Create a new project (or select an existing one)
- Go to APIs & Services > Library
- Search for Gmail API and click Enable
- Go to APIs & Services > OAuth consent screen
- Choose External (or Internal if using Google Workspace)
- Fill in:
- App name: e.g.
PersonalDataHub - User support email: your email
- App name: e.g.
- Add scopes:
gmail.readonlyandgmail.compose - Add yourself as a test user (required while app is in "Testing" status)
- Go to APIs & Services > Credentials
- Click Create Credentials > OAuth client ID
- Application type: Desktop app or Web application (both work)
Desktop app (simpler):
- No redirect URI configuration needed — Google auto-allows loopback redirects
- Google still provides a Client Secret (find it in the downloaded JSON or by clicking the credential)
Web application (if you prefer):
- Add this as an Authorized redirect URI:
(Replace
http://127.0.0.1:3000/oauth/gmail/callback3000with your configured port if different)
- Add your credentials to
hub-config.yamlundersources.gmail:
sources:
gmail:
enabled: true
owner_auth:
type: oauth2
clientId: "your-client-id.apps.googleusercontent.com"
clientSecret: "your-client-secret"- Go to GitHub Settings > Developer settings > GitHub Apps
- Click New GitHub App
- Fill in:
- App name:
PersonalDataHub(must be globally unique) - Homepage URL:
http://127.0.0.1:3000 - Callback URL:
http://127.0.0.1:3000/oauth/github/callback - Check Request user authorization (OAuth) during installation
- Uncheck Enable Device Flow (not needed)
- Uncheck Webhook > Active (not needed)
- App name:
Under Repository permissions:
- Contents: Read & write
- Metadata: Read-only
- Pull requests: Read & write
- Issues: Read-only
- Click Create GitHub App
- Note the Client ID (shown at top of the app page)
- Click Generate a new client secret — copy it immediately
Add your credentials to hub-config.yaml under sources.github:
sources:
github:
enabled: true
owner_auth:
type: github_app
clientId: "your-github-client-id"
clientSecret: "your-github-client-secret"| Source | Redirect URI |
|---|---|
| Gmail | <base_url>/oauth/gmail/callback |
| GitHub | <base_url>/oauth/github/callback |
Default base_url for local is http://127.0.0.1:3000 (configurable via deployment.base_url or port in hub-config.yaml).
Gmail Desktop app credentials do not require manual redirect URI configuration. GitHub Apps always require callback URLs to be set in the app settings.