Accounts & single sign-on

How GKit's one-account model and cross-subdomain single sign-on work.

One Google account for everything

When you sign in to GKit, a secure session cookie is set on the .gkit.mreshank.com parent domain. Because every product lives on a subdomain of that domain (sheetsapi.gkit.mreshank.com, with others to come), they all read the same session automatically.

What this means for you

  • Sign in once. Opening any product just works.
  • One identity. Every product sees the same GKitUser — your Google id, email, name, and avatar.
  • Revoke once. Sign out and the session clears everywhere.

Security

  • Tokens are encrypted at rest.
  • Cookies are httpOnly, secure, and sameSite=lax.
  • Each product only accesses the Google scopes you approved.
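
A check of the cookie attributes listed above, as an added example that is not GKit's own code: it parses a Set-Cookie header, flags any deviation from the stated settings, and applies RFC 6265 domain matching to show which hosts receive the cookie. The cookie name gkit_session and both sample headers are assumptions made for illustration.

```javascript
// Added example. The cookie name "gkit_session" and both sample headers are
// constructed for illustration; the page does not name the cookie.
const PARENT = "gkit.mreshank.com";
const SAMPLE_GOOD =
  "gkit_session=abc123; Domain=.gkit.mreshank.com; Path=/; HttpOnly; Secure; SameSite=Lax";
const SAMPLE_WEAK = "gkit_session=abc123; Path=/; Secure";

// Parse the attributes of one Set-Cookie header value (keys lowercased).
function parseAttrs(header) {
  const attrs = {};
  for (const part of header.split(";").slice(1)) {
    const [key, ...val] = part.trim().split("=");
    if (key) attrs[key.trim().toLowerCase()] = val.join("=").trim();
  }
  return attrs;
}

// RFC 6265 section 5.1.3: a host matches if it equals the cookie domain
// or ends with "." + domain. A leading dot in the attribute is ignored.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// List every way a header deviates from the attributes the page states.
function auditSessionCookie(header, parent = PARENT) {
  const a = parseAttrs(header);
  const findings = [];
  if (!a.domain) {
    findings.push("no Domain: cookie is host-only and subdomains will not share it");
  } else if (a.domain.replace(/^\./, "").toLowerCase() !== parent) {
    findings.push(`Domain is ${a.domain}, expected .${parent}`);
  }
  if (!("httponly" in a)) findings.push("missing HttpOnly");
  if (!("secure" in a)) findings.push("missing Secure");
  if ((a.samesite || "").toLowerCase() !== "lax") findings.push("SameSite is not Lax");
  return findings;
}

// Every host under the parent receives the cookie, so the list of
// subdomains is part of the session's trust boundary.
function hostsReceivingCookie(hosts, cookieDomain) {
  return hosts.filter((h) => domainMatches(h, cookieDomain));
}

console.log(auditSessionCookie(SAMPLE_GOOD));
console.log(auditSessionCookie(SAMPLE_WEAK));
```

Running the audit against the Set-Cookie header captured from a real sign-in response, and hostsReceivingCookie against the DNS inventory for the parent domain, shows exactly which hosts share the session.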
