Authentication Overview
HelloJohn supports email/password, OAuth (9 providers), magic links, passkeys, and MFA. Learn which auth method to use and how they work together.
HelloJohn handles all authentication methods through a single API. Your backend receives the same JWT regardless of how the user signed in.
Authentication methods
| Method | Use case | Setup |
|---|---|---|
| Email + Password | Standard login, all app types | Built-in, no external config |
| OAuth / Social Login | Google, GitHub, Apple, etc. | OAuth app credentials per provider |
| Magic Link | Passwordless via email | SMTP configuration |
| API Keys (M2M) | Server-to-server, automation | Generate from dashboard/CLI |
| SAML SSO ☁️ | Enterprise B2B | Cloud Enterprise plan |
| Passkeys (WebAuthn) | Second factor or primary | Built-in (browser support required) |
MFA methods
MFA can be required globally, per-tenant, per-org, or per-role:
| Method | Description |
|---|---|
| TOTP | Authenticator app (Google Authenticator, Authy, etc.) |
| WebAuthn / Passkeys | Hardware key or biometric |
| SMS OTP | One-time code via SMS |
| Email OTP | One-time code via email |
| Backup Codes | Recovery codes generated at enrollment |
See MFA →.
How auth flows work
Regardless of method, the auth flow ends the same way:
1. User authenticates (email/password, OAuth, magic link, etc.)
2. HelloJohn validates credentials
3. MFA is checked (if enabled)
4. HelloJohn issues access token (JWT) + refresh token
5. SDK stores tokens
6. Your backend receives the JWT in Authorization header
7. Your backend verifies JWT locally (no call to HelloJohn)Your backend never needs to call HelloJohn to verify a token — it verifies the JWT signature locally using the JWKS public key. See Token Verification →.
Choosing an auth method
Email + password is the right default for most applications. It works for all user types and requires no third-party dependencies.
OAuth / Social Login reduces friction (no password to remember) and is trusted by users. Add it alongside email/password — don't replace it.
Magic links are good for low-frequency applications (internal tools, dashboards) where users may not remember their password.
API keys are for machine-to-machine use: CLI tools, webhooks, CI/CD pipelines, backend services.
SAML SSO is for enterprise customers who need to use their company's identity provider (Okta, Azure AD, Ping). This is Cloud Enterprise only.
Sessions and tokens
Every successful authentication creates a session and issues two tokens:
- Access token — a short-lived JWT (15 minutes by default) for authorizing API requests
- Refresh token — a long-lived opaque token (30 days by default) for getting new access tokens silently
See Sessions → and Tokens & JWT →.
Security defaults
HelloJohn applies these security measures automatically:
| Measure | Default |
|---|---|
| Password hashing | Argon2id |
| Brute force protection | Rate limiting on auth endpoints |
| Token signing | EdDSA (Ed25519) |
| Refresh token rotation | Enabled (RT invalidated on use) |
| Session revocation | Server-side (immediate) |
| PKCE for OAuth | Required |
Next steps
Networking & Security
HelloJohn's network security model — rate limiting, CORS configuration, TLS requirements, security headers, and IP allowlisting.
Email + Password
Configure email and password authentication in HelloJohn — registration flow, password policy, login, password reset, and email verification.