**Authentication** answers a single question: _who is this request coming from?_ Authdog handles the entire flow — presenting a sign-in experience, verifying credentials against one or more identity sources, and issuing a session your app can trust on every subsequent request.

This page explains the model. If you just want to wire sign-in into an app, start with [Sign up & sign in](/docs/authentication) or a [quickstart](/docs/quickstarts).

## The mental model

Authdog sits between your application and the identity sources your users authenticate with. A user proves who they are **once** — with a password, a social account, a magic link, or a corporate IdP — and Authdog turns that proof into a **session**. Your application never handles raw credentials; it only ever validates the session Authdog issued.

<div class="mmodel">
  <div class="mmodel__row">
    <div class="mmodel__node mmodel__node--user">
      <span class="mmodel__eyebrow">Your user</span>
      <span class="mmodel__title">Proves identity once</span>
      <div class="mmodel__chips">
        <span>Password</span>
        <span>Social</span>
        <span>Magic link</span>
        <span>SSO / IdP</span>
      </div>
    </div>
    <div class="mmodel__arrow" aria-hidden="true">
      <svg viewBox="0 0 44 16" fill="none"><path d="M2 8h36" stroke="currentColor" stroke-width="1.6" stroke-linecap="round"/><path d="M32 3l6 5-6 5" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="mmodel__node mmodel__node--core">
      <span class="mmodel__eyebrow">Authdog · identity</span>
      <span class="mmodel__title">Turns proof into a session</span>
      <ol class="mmodel__steps">
        <li>Verifies the credential</li>
        <li>Upserts the user record</li>
        <li>Issues a signed session <span class="mmodel__hint">JWT + cookie</span></li>
      </ol>
    </div>
    <div class="mmodel__arrow" aria-hidden="true">
      <svg viewBox="0 0 44 16" fill="none"><path d="M2 8h36" stroke="currentColor" stroke-width="1.6" stroke-linecap="round"/><path d="M32 3l6 5-6 5" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="mmodel__node mmodel__node--app">
      <span class="mmodel__eyebrow">Your app</span>
      <span class="mmodel__title">Trusts the session</span>
      <p class="mmodel__note">Validates it on every request. Raw credentials never reach your code.</p>
    </div>
  </div>
</div>

Everything that follows sign-in — [authorization](/docs/concepts/authorization), [organizations](/docs/organizations), [provisioning](/docs/concepts/provisioning) — keys off the identity established here.

## Ways users can authenticate

A single Authdog environment can enable any mix of these methods:

- **Password** — classic email + password with secure hashing and breach-aware policies.
- **Social / OAuth2** — sign in with Google, GitHub, Microsoft, Apple, and dozens more providers. See the [OAuth provider catalog](/docs/integrations).
- **Passwordless & magic links** — email a one-time link or code instead of a password.
- **Enterprise SSO** — federate to a customer's own IdP over **SAML 2.0** or **OIDC**. Okta, Microsoft Entra ID, JumpCloud, Ping Identity, and BeyondTrust are first-class, alongside generic SAML and OIDC connectors.
- **Multi-factor (MFA)** — layer TOTP or another second factor on top of any primary method.

Which methods appear on the sign-in screen is per-environment configuration, so staging and production can differ without code changes.

## Enterprise SSO and domain routing

Enterprise customers bring their own identity provider. In Authdog each customer IdP is a **connection** on your environment, configured with the provider's metadata (SAML entity/ACS URLs or an OIDC discovery document).

To route users to the right connection automatically, Authdog matches the **email domain** they enter. Given an email, the discovery endpoint resolves which connection (if any) should handle it:

```http
GET /api/v1/sso/discover?environmentId=<env>&email=jane@acme.com
// -> { "connectionId": "...", "providerId": "okta", "signinUrl": "https://identity.authdog.com/..." }
```

This is what powers "we'll redirect you to your company login" behavior without hardcoding anything per customer.

## What a successful sign-in produces

When a credential checks out, Authdog:

1. **Upserts the user** into the environment's user store, linking the identity to any existing account with the same verified email.
2. **Issues a session** — a signed JWT delivered as the `authdog-session` cookie (and readable as a bearer token for API clients).
3. **Emits events** (`user.signed_in`, `user.created`, …) that flow to your [webhooks and integrations](/docs/integrations).

From here your backend simply **validates** the session on each request — it never re-checks the original credential. That validation model is covered in [Sessions & tokens](/docs/concepts/sessions-tokens).

## Machine-to-machine authentication

Not every caller is a human. For service-to-service calls, an [M2M application](/docs/integrations) uses the OAuth2 **client credentials** grant: it exchanges a client ID and secret for an access token, with no interactive sign-in and no session cookie. Same identity platform, no browser involved.

## Where authentication is configured

- **Sign-in methods, social providers, and MFA** — per environment in the console.
- **Enterprise SSO connections** — under an environment's connections, or delegated to customers via the admin portal.
- **The hosted experience** — the [Account portal](/docs/account-portal) renders sign-in, sign-up, and MFA screens for you; or build your own with [custom flows](/docs/custom-flows) and the [component reference](/docs/components).

## Related

- [Sessions & tokens](/docs/concepts/sessions-tokens) — how the issued session is validated
- [Authorization](/docs/concepts/authorization) — what an authenticated user is allowed to do
- [Provisioning](/docs/concepts/provisioning) — how enterprise users are created before they ever sign in
