Authentication establishes who is making a request. Authdog handles sign-in, verifies the result with the configured identity provider, and gives your app a session to validate.

To add sign-in to an app, see [Sign up & sign in](/docs/authentication) or choose a [quickstart](/docs/quickstarts).

## How it works

Your app sends the user to Authdog. Authdog completes the configured sign-in method and starts a session. On later requests, your app validates that session instead of handling the user's credentials.

<div class="mmodel mmodel--auth">
  <div class="mmodel__row">
    <div class="mmodel__node mmodel__node--user">
      <span class="mmodel__eyebrow">Your user</span>
      <span class="mmodel__title">Selects a sign-in method</span>
      <div class="mmodel__logos" aria-label="Sign-in methods">
        <span class="mmodel__logo" title="Google">
          <svg viewBox="0 0 24 24" aria-hidden="true"><path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"/><path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"/><path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"/><path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"/></svg>
        </span>
        <span class="mmodel__logo" title="GitHub">
          <svg viewBox="0 0 24 24" aria-hidden="true"><path fill="currentColor" d="M12 .3C5.4.3 0 5.7 0 12.3c0 5.3 3.4 9.8 8.2 11.4.6.1.8-.3.8-.6v-2c-3.3.7-4-1.6-4-1.6-.5-1.4-1.3-1.8-1.3-1.8-1.1-.7.1-.7.1-.7 1.2.1 1.8 1.2 1.8 1.2 1.1 1.8 2.8 1.3 3.5 1 .1-.8.4-1.3.8-1.6-2.7-.3-5.5-1.3-5.5-5.9 0-1.3.5-2.4 1.2-3.2-.1-.3-.5-1.5.1-3.2 0 0 1-.3 3.3 1.2 1-.3 2-.4 3-.4s2 .1 3 .4c2.3-1.5 3.3-1.2 3.3-1.2.6 1.7.2 2.9.1 3.2.8.8 1.2 1.9 1.2 3.2 0 4.6-2.8 5.6-5.5 5.9.4.4.8 1.1.8 2.2v3.3c0 .3.2.7.8.6C20.6 22.1 24 17.6 24 12.3 24 5.7 18.6.3 12 .3z"/></svg>
        </span>
        <span class="mmodel__logo" title="Microsoft">
          <svg viewBox="0 0 24 24" aria-hidden="true"><path fill="#F25022" d="M1 1h10v10H1z"/><path fill="#7FBA00" d="M13 1h10v10H13z"/><path fill="#00A4EF" d="M1 13h10v10H1z"/><path fill="#FFB900" d="M13 13h10v10H13z"/></svg>
        </span>
      </div>
    </div>
    <div class="mmodel__arrow" aria-hidden="true">
      <svg viewBox="0 0 48 20" fill="none"><path d="M2 10h34" stroke="currentColor" stroke-width="1.75" stroke-linecap="round"/><path d="M30 4l8 6-8 6" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="mmodel__node mmodel__node--core">
      <div class="mmodel__brand">
        <img class="mmodel__brand-logo mmodel__brand-logo--light" src="/logo-color.svg" alt="" width="22" height="22" />
        <img class="mmodel__brand-logo mmodel__brand-logo--dark" src="/logo-dark-square.svg" alt="" width="22" height="22" />
        <span class="mmodel__eyebrow">Authdog</span>
      </div>
      <span class="mmodel__title">Creates a trusted session</span>
      <div class="mmodel__steps" aria-label="Authdog steps">
        <span><b>1</b> Verify identity</span>
        <span><b>2</b> Create or link user</span>
        <span><b>3</b> Issue JWT and cookie</span>
      </div>
    </div>
    <div class="mmodel__arrow" aria-hidden="true">
      <svg viewBox="0 0 48 20" fill="none"><path d="M2 10h34" stroke="currentColor" stroke-width="1.75" stroke-linecap="round"/><path d="M30 4l8 6-8 6" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="mmodel__node mmodel__node--app">
      <span class="mmodel__eyebrow">Your app</span>
      <span class="mmodel__title">Validates the session</span>
      <div class="mmodel__logos" aria-label="App frameworks">
        <span class="mmodel__logo" title="Next.js">
          <img src="/logos/frameworks/nextdotjs.svg" alt="" width="20" height="20" />
        </span>
        <span class="mmodel__logo" title="React">
          <img src="/logos/frameworks/react.svg" alt="" width="20" height="20" />
        </span>
        <span class="mmodel__logo" title="Vue">
          <img src="/logos/frameworks/vuedotjs.svg" alt="" width="20" height="20" />
        </span>
      </div>
      <p class="mmodel__caption">No passwords in your app</p>
    </div>
  </div>
</div>

The resulting user identity is available to [authorization](/docs/concepts/authorization), [organizations](/docs/concepts/organizations), and [provisioning](/docs/concepts/provisioning).

## Sign-in methods

Enable one or more methods in each environment:

- **Password** — email and password.
- **Social login** — OAuth with providers such as Google, GitHub, Microsoft, and Apple. See [Integrations](/docs/integrations) for supported providers.
- **Magic link** — a one-time link or code sent by email.
- **Enterprise SSO** — SAML 2.0 or OIDC connections to customer identity providers.
- **Multi-factor authentication** — a second factor, such as TOTP, after primary sign-in.

Only methods enabled for the current environment appear on its sign-in screen. You can use different settings in development, staging, and production.

## Enterprise SSO and domain routing

Add each customer identity provider as a connection on your environment. A connection contains its SAML metadata or OIDC discovery settings.

Authdog can select a connection from the user's email domain. The discovery endpoint returns the matching connection and sign-in URL:

**Request**

```bash
curl --get "https://identity.authdog.com/api/v1/sso/discover" \
  --data-urlencode "environmentId=<env>" \
  --data-urlencode "email=jane@acme.com"
```

**Response**

```json
{
  "connectionId": "...",
  "providerId": "okta",
  "signinUrl": "https://identity.authdog.com/..."
}
```

Use this result to send enterprise users to their company sign-in page without adding customer-specific routing to your app.

## After sign-in

After Authdog accepts the sign-in result, it:

1. Creates the user, or links the identity to an existing user with the same verified email.
2. Issues a signed JWT session in the `authdog-session` cookie. API clients can use the token as a bearer token.
3. Sends events such as `user.signed_in` and `user.created` to configured [webhooks and integrations](/docs/integrations).

Your backend validates the session on each request; it does not check the original credential again. See [Sessions & tokens](/docs/concepts/sessions-tokens) for validation details.

## Machine-to-machine authentication

For service-to-service calls, an [M2M application](/docs/integrations) exchanges a client ID and secret for an access token using the OAuth 2.0 client credentials grant. This flow has no interactive sign-in or session cookie.

## Configuration

- Configure sign-in methods, social providers, and MFA on the environment.
- Add enterprise SSO connections to the environment, or let customers configure them through the admin portal.
- Use the hosted [Account portal](/docs/account-portal), or build the UI with [custom flows](/docs/custom-flows) and [components](/docs/components).

## Related

- [Sessions & tokens](/docs/concepts/sessions-tokens) — how the issued session is validated
- [Authorization](/docs/concepts/authorization) — what an authenticated user is allowed to do
- [Provisioning](/docs/concepts/provisioning) — how enterprise users are created before they ever sign in
