# Overview

Agent Auth is Scalekit's authentication solution that enables your applications to securely connect to third-party services on behalf of your users. It handles the complexity of OAuth flows, token management, and multi-provider authentication for popular business applications like Gmail, Slack, Jira, and more.

## What is Agent Auth?

Agent Auth simplifies third-party authentication by providing:

- **Multi-provider OAuth**: Support for OAuth 2.0 flows across all major providers
- **Unified authentication API**: Single interface for managing connections to any provider
- **Automatic token management**: Token refresh, storage, and lifecycle handling
- **Flexible authentication modes**: Use Scalekit-managed OAuth or bring your own credentials
- **Secure token handling**: Encrypted token storage and transmission

## Key concepts

### Providers

Providers are third-party applications that your users can authenticate with. Agent Auth supports OAuth 2.0 flows for popular platforms including Gmail, Slack, GitHub, Jira, and many more.

### Connections

Connections define the authentication configuration for a specific provider. Each connection contains:

- **Authentication credentials** (OAuth client ID/secret, API keys)
- **OAuth configuration** (authorization URLs, token endpoints, scopes)
- **Provider-specific settings** (rate limits, API versions)

### Connected accounts

Connected accounts represent the authenticated link between a user in your application and their account on a third-party provider. Each connected account maintains:

- **Authentication state** (active, expired, revoked)
- **Access tokens** and refresh tokens with automatic refresh handling
- **Granted OAuth scopes** and permissions
- **Token expiration** tracking and lifecycle management

## Architecture overview

```d2
direction: down

A: "Your Application"
C: "Connected Account"

AgentAuth: {
  label: "Agent Auth"
  B: "Agent Auth API"
  E: "OAuth Flow Handler"
  G: "Token Management"
  H: "Token Refresh"
  B -> E
  B -> G
  B -> H
}

Providers: {
  label: "OAuth Providers"
  D: "Provider OAuth"
  I: "Gmail"
  J: "Slack"
  K: "Jira"
  L: "GitHub"
  D -> I
  D -> J
  D -> K
  D -> L
}

A -> AgentAuth.B: "Initiate OAuth"
AgentAuth.B -> C: "Manage tokens"
C -> Providers.D: "Authenticate"
```

## How authentication works

### 1. Configure provider connections

Set up OAuth credentials for each provider you want to support:

```javascript
// Create a connection for Gmail with OAuth 2.0
const gmailConnection = await agentConnect.connections.create({
  provider: 'gmail',
  auth_type: 'oauth2',
  credentials: {
    client_id: 'your-gmail-client-id',
    client_secret: 'your-gmail-client-secret'
  },
  scopes: ['https://www.googleapis.com/auth/gmail.send']
});
```

### 2. Initiate OAuth flow for users

When users want to connect their accounts, create a connected account and redirect them to complete OAuth:

```javascript
// Create a connected account for a user
const connectedAccount = await agentConnect.accounts.create({
  connection_id: gmailConnection.id,
  identifier: 'user_123',
  identifier_type: 'user_id'
});

// Generate OAuth authorization URL
const authUrl = await agentConnect.accounts.getAuthUrl(connectedAccount.id);
// Redirect user to authUrl to authenticate with the provider
```

### 3. Handle OAuth callback

After the user authorizes your application, the provider redirects back with an authorization code. Agent Auth automatically exchanges this code for access and refresh tokens:

```javascript
// Agent Auth handles the OAuth callback and token exchange
// Tokens are securely stored and automatically refreshed when needed
const account = await agentConnect.accounts.get(connectedAccount.id);
// account.status will be 'active' once authentication is complete
```

## Supported providers

Agent Auth supports OAuth authentication for a wide range of popular business applications:
**Communication**
- Gmail (Google Workspace)
    - Outlook (Microsoft 365)
    - Slack
    - Microsoft Teams
    - Discord

**Productivity**
- Google Calendar
    - Microsoft Calendar
    - Google Drive
    - OneDrive
    - Notion

**Project Management**
- Jira
    - Asana
    - Trello
    - Monday.com
    - Linear

**Development**
- GitHub
    - GitLab
    - Bitbucket
    - Figma
    - Vercel

## Common authentication scenarios

### Multi-provider authentication

Enable users to connect multiple third-party accounts in your application:

```javascript
// Allow users to authenticate with both Gmail and Slack
const gmailAccount = await agentConnect.accounts.create({
  connection_id: gmailConnection.id,
  identifier: 'user_123',
  identifier_type: 'user_id'
});

const slackAccount = await agentConnect.accounts.create({
  connection_id: slackConnection.id,
  identifier: 'user_123',
  identifier_type: 'user_id'
});

// Generate OAuth URLs for each provider
const gmailAuthUrl = await agentConnect.accounts.getAuthUrl(gmailAccount.id);
const slackAuthUrl = await agentConnect.accounts.getAuthUrl(slackAccount.id);
```

### Organization-level connections

Authenticate once for an entire organization:

```javascript
// Create organization-level connection for shared access
const orgConnection = await agentConnect.accounts.create({
  connection_id: jiraConnection.id,
  identifier: 'org_456',
  identifier_type: 'org_id'
});

// All users in the organization can access this connection
const authUrl = await agentConnect.accounts.getAuthUrl(orgConnection.id);
```

### Token lifecycle management

Agent Auth automatically handles token refresh and expiration:

```javascript
// Retrieve connected account - tokens are automatically refreshed if expired
const account = await agentConnect.accounts.get(connectedAccount.id);

// Check authentication status
if (account.status === 'active') {
  // User is authenticated and tokens are valid
} else if (account.status === 'expired') {
  // Re-authentication required
  const reAuthUrl = await agentConnect.accounts.getAuthUrl(account.id);
}
```

## Key benefits

### Developer experience

- **Unified authentication API**: Single interface for OAuth across all providers
- **Automatic token refresh**: No manual token lifecycle management required
- **Pre-built OAuth flows**: Skip complex OAuth implementation for each provider
- **Multi-language SDKs**: Support for popular programming languages
- **Standardized error handling**: Consistent error responses across providers

### Security and compliance

- **OAuth 2.0 standard**: Industry-standard authentication protocol
- **Encrypted token storage**: Secure storage and transmission of access tokens
- **Automatic token rotation**: Refresh tokens automatically to minimize exposure
- **Audit logging**: Complete audit trail of authentication events
- **SOC 2 certified**: Enterprise-grade security standards

## Authentication options

Agent Auth supports multiple authentication approaches:

### Scalekit-managed OAuth

Use Scalekit's shared OAuth applications for quick setup:

- **Fast setup**: Get started in minutes without registering OAuth apps
- **Shared credentials**: Pre-configured OAuth credentials for all providers
- **Zero configuration**: No need to manage client IDs or secrets
- **Perfect for**: Development, testing, proof of concepts

### Bring Your Own OAuth (BYOO)

Use your own OAuth applications for complete control:

- **Custom branding**: Users see your application name and logo during OAuth
- **Higher rate limits**: Dedicated quotas for your OAuth application
- **Direct relationships**: Establish direct OAuth connections with providers
- **Enhanced control**: Full control over OAuth scopes and permissions
- **Perfect for**: Production applications, enterprise customers

## Getting started

Ready to start using Agent Auth? Here's what you need to do:

<LinkCard title="Quickstart Guide" href="/agent-auth/quickstart">
    Get up and running with Agent Auth in minutes
  </LinkCard>
  <LinkCard title="Authentication Flows" href="/agent-auth/authentication/auth-flows-comparison">
    Compare different authentication flow patterns
  </LinkCard>
  <LinkCard title="Providers" href="/agent-auth/providers">
    View supported OAuth providers and their requirements
  </LinkCard>
## Support and resources

### Documentation

- **Authentication guides**: Step-by-step OAuth integration guides
- **API reference**: Complete authentication API documentation
- **SDK documentation**: Language-specific authentication examples
- **Best practices**: Security and token management guidelines

### Community and support

- **Developer community**: Join other developers using Agent Auth
- **Support portal**: Get help with authentication issues
- **Professional services**: Expert assistance for complex OAuth integrations
**Note:** **Ready to get started?** Check out our [Quickstart Guide](/agent-auth/quickstart) to implement your first OAuth integration with Agent Auth in minutes.

Agent Auth simplifies third-party authentication so you can focus on building features instead of managing OAuth flows. Start building today and provide seamless authentication experiences for your users.