Authentication You Don't Build

Production-ready OAuth2/OIDC and WebAuthn authentication. Stop building login flows. Start shipping AI products.

Every AI product needs authentication. Without SystemPrompt, you're building OAuth2 flows, session management, token refresh, and passwordless login from scratch. That's weeks of work before you ship a single AI feature.

The Problem

Building authentication for AI products is harder than traditional apps:

  • Multiple auth flows: Your users need to authenticate. Your AI agents need to authenticate. Your MCP tools need to authenticate.
  • Token management: Access tokens, refresh tokens, scopes, expiration, rotation.
  • Security requirements: PKCE, state parameters, nonce validation, secure cookie handling.
  • User experience: Passwordless options, social login, session persistence.

Most teams spend 2-4 weeks building auth. Then another 2-4 weeks fixing the security issues they introduced.

The Solution

SystemPrompt provides production-ready authentication out of the box:

OAuth2/OIDC

Full OAuth2 authorization server with OpenID Connect:

# services/oauth/config.yaml
oauth:
  issuer: "https://yourdomain.com"
  token_expiry: 3600
  refresh_expiry: 604800
  scopes:
    - read
    - write
    - admin

  • Authorization code flow with PKCE
  • Client credentials for service-to-service
  • Token introspection and revocation
  • Standard OIDC discovery endpoints

WebAuthn Passwordless

Modern passwordless authentication:

# services/auth/config.yaml
webauthn:
  enabled: true
  rp_name: "Your App"
  rp_id: "yourdomain.com"

  • Passkey support (Face ID, Touch ID, Windows Hello)
  • Hardware security keys (YubiKey)
  • Cross-device authentication
  • Phishing-resistant by design

Session Management

Secure session handling with zero configuration:

  • HTTP-only secure cookies
  • CSRF protection
  • Session rotation on privilege escalation
  • Automatic expiration and cleanup

Why This Matters for AI Products

Agent Authentication

Your AI agents need to call APIs on behalf of users. SystemPrompt handles the OAuth2 flows so agents operate with scoped permissions:

# services/agents/assistant.yaml
security:
  oauth2:
    scopes: ["read:content", "write:content"]

The agent can only access what the user authorized. No credential sharing. No privilege escalation.

MCP Tool Authentication

Every MCP tool call is authenticated:

# services/mcp/content-server.yaml
oauth:
  required: true
  scopes: ["content:read"]

When Claude Code or ChatGPT calls your MCP server, the request includes a valid OAuth2 token. You know who's calling and what they're allowed to do.

Multi-Tenant Security

Authentication is tenant-aware from day one:

  • Users belong to tenants
  • Tokens are scoped to tenants
  • Cross-tenant access is impossible by default
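
An added example, not SystemPrompt's own code: one way a resource server could enforce the MCP scope requirement and the tenant scoping described above against an RFC 7662 token introspection response. The `tenant_id` claim name, the `authorize_tool_call` helper and the sample values are assumptions for illustration.

```python
import time

# Issuer and required scope are taken from the page's config samples.
ISSUER = "https://yourdomain.com"
REQUIRED_SCOPES = {"content:read"}


def authorize_tool_call(claims, tenant, now=None):
    """Return (allowed, reason) for one MCP tool call.

    `claims` is an RFC 7662 introspection response for the bearer token.
    `tenant_id` is an assumed claim name, not a documented SystemPrompt field.
    """
    now = time.time() if now is None else now
    if claims.get("active") is not True:
        return False, "inactive token"
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    # Fail closed: a missing tenant on either side is a denial, not a wildcard.
    if not tenant or claims.get("tenant_id") != tenant:
        return False, "tenant mismatch"
    # RFC 7662 carries scopes as one space-separated string.
    scope = claims.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = REQUIRED_SCOPES - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample introspection response (not real SystemPrompt output).
SAMPLE = {
    "active": True,
    "iss": ISSUER,
    "sub": "user-123",
    "tenant_id": "tenant-a",
    "scope": "content:read content:write",
    "exp": 2_000_003_600,
}

if __name__ == "__main__":
    now = 2_000_000_000
    print(authorize_tool_call(SAMPLE, "tenant-a", now))
    print(authorize_tool_call(SAMPLE, "tenant-b", now))
    print(authorize_tool_call({**SAMPLE, "scope": "read"}, "tenant-a", now))
```

Scope matching is exact here: a token holding only the broad `read` scope does not satisfy `content:read`.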

What You Skip

Without SystemPrompt        | With SystemPrompt
2-4 weeks building OAuth2   | Already done
Security audit findings     | Battle-tested implementation
Token refresh bugs          | Handled automatically
Session hijacking risks     | Secure by default
WebAuthn complexity         | One config file

Getting Started

Authentication works out of the box. To customize:

# View current auth config
systemprompt admin config show oauth

# Update settings
systemprompt admin config edit oauth

See the OAuth2 Reference for detailed configuration options.