magiclabs · joshuascan · May 15, 2026 · May 7, 2026 · May 7, 2026 · May 8, 2026
@@ -1,5 +1,6 @@
 import { createPromiEvent, Extension } from '@magic-sdk/provider';
 import {
+  LoginWithGoogleIdTokenConfiguration,
   OAuthErrorData,
   OAuthRedirectError,
   OAuthRedirectResult,
@@ -46,6 +47,23 @@ export class OAuthExtension extends Extension.Internal<'oauth2'> {
     this.seamlessTelegramLogin();
   }
 
+  /**
+   * Verify a Google ID token (e.g. from Google One Tap / GSI) and complete a Magic login.
+   *
+   * Magic does not integrate GSI for you -- the customer owns script loading, prompt
+   * orchestration, FedCM state handling, etc. -- and forwards the resulting Google ID token
+   * to this method. Magic verifies the token (signature, issuer, audience) and issues a
+   * Magic DID token.
+   *
+   * The `googleClientId` must match the `client_id` the customer passed to GSI. Magic enforces
+   * strict audience verification against it to prevent acceptance of tokens minted for a
+   * different Google OAuth client.
+   */
+  public loginWithGoogleIdToken(configuration: LoginWithGoogleIdTokenConfiguration) {
+    const payload = this.utils.createJsonRpcRequestPayload(OAuthPayloadMethods.LoginWithGoogleIdToken, [configuration]);
+    return this.request<string>(payload);
+  }
+
   public loginWithRedirect(configuration: OAuthRedirectConfiguration) {
     return this.utils.createPromiEvent<null | string>(async (resolve, reject) => {
       // Steam uses OpenID 2.0 — no PKCE, no code exchange, no stored metadata.

@@ -6,6 +6,7 @@ export enum OAuthPayloadMethods {
   Popup = 'magic_oauth_login_with_popup',
   VerifyTelegramData = 'magic_oauth_verify_telegram_data',
   VerifySteamData = 'magic_oauth_verify_steam_data',
+  LoginWithGoogleIdToken = 'magic_auth_login_with_google_id_token',
 }
 
 export type OAuthProvider =
@@ -133,6 +134,24 @@ export interface OAuthPopupConfiguration {
   showMfaModal?: boolean;
 }
 
+export interface LoginWithGoogleIdTokenConfiguration {
+  /**
+   * The Google ID token (JWT) obtained from a customer-managed Google Identity Services
+   * integration (One Tap, Sign-In Button, programmatic). Magic does not load GSI itself.
+   */
+  jwt: string;
+  /**
+   * The Google Cloud OAuth client ID used to obtain the JWT. Required: Magic enforces strict
+   * audience verification against this value, preventing acceptance of Google JWTs minted
+   * for a different OAuth client.
+   */
+  googleClientId: string;
+  /**
+   * Optional lifespan (in seconds) for the resulting Magic DID token.
+   */
+  lifespan?: number;
+}
+
 export enum OAuthErrorCode {
   InvalidRequest = 'invalid_request',
   InvalidClient = 'invalid_client',