# Authentication

Decide whether your app has users and, if so, how they sign in. Turn users on and your app gets login,
registration, accounts, and an API, with no auth code to write.

## Configure

### 1. Do you need users?

| Choice | What happens |
|---|---|
| **No users** | Your app has no login. Good for API services, MCP tool servers, webhook relays. |
| **Users on** | Your app gets login, registration, accounts, sessions, and API keys. |

### 2. Pick a sign-in method

| Method | When |
|---|---|
| **Built-in (Cognito)** | The default. Fully managed — nothing to set up. |
| **Auth0** | Enterprise needs. *(Advanced — coming soon.)* |
| **None** | No login at all. |

### 3. Email verification

Choose whether new users must verify their email, and configure the verification settings.

### Your app is also an OAuth provider

Every app with users is a full OAuth 2.0 provider. Other apps, bots, and services can authenticate
*against* your app — so an API service or chatbot plugin can simply hand out tokens, no UI required.
Users can also generate **API keys** for programmatic access, which respect the same roles and scopes.

## Use in your app

Foundation runs the auth flow; your frontend calls the SDK. Use the built-in login and registration
components, or build your own screens.

**Tell your agent:** "Add sign-in and registration using Foundation auth, and send people to the
dashboard once they're logged in."

```ts
// sign in, then send the user to the dashboard
const result = await foundation.auth.signIn(email, password)
if (result.isSignedIn) router.push('/dashboard')

// who's logged in: read the current user and the signed-in flag
const user = foundation.auth.user
const signedIn = foundation.auth.isAuthenticated

// react to auth changes
foundation.auth.onChange(() => refreshUI())

// sign out
await foundation.auth.logout()
```

On a hosted-login callback route, call `foundation.auth.handleCallback()`.

## Reference

- SDK auth methods: `signIn`, `signUp`, `handleCallback`, `onChange`, `getToken`, … — see the
  [SDK reference](/api/sdk)
- [Authentication API](/api/authentication)
- [Roles & Scopes](/platform/roles) — who can do what
