Authentication

How to authenticate requests and authorize them, whichever transport the caller uses. Every transport resolves to the same Principal, so your authorization code never depends on how the request arrived.

  • Protecting routes


    Gate endpoints with current_user() and its keyword guards (superuser, scopes, verified, and custom checks).

    Protecting routes →

  • Sessions


    Cookie auth, CSRF, remember-me, multi-device management, and the session lifecycle.

    Sessions →

  • Bearer tokens


    JWT access and refresh tokens, scopes, and revocation.

    Bearer tokens →

  • Multiple transports


    Run sessions and bearer together behind one Principal.

    Multiple transports →

  • OAuth


    Google, GitHub, and custom providers.

    OAuth →

  • Sudo mode


    Short-lived re-authentication for sensitive actions.

    Sudo mode →

Where to start

Not sure which to read first?

New to CRUDAuth? Protecting routes covers the one dependency you'll use everywhere.

Browser app? Sessions is the default and needs no configuration.

API, mobile, or CLI? Bearer tokens.

Supporting both at once? Multiple transports.

Adding social login? OAuth. Gating destructive actions? Sudo mode.

Start with Protecting routes →