Authentication
DYPAI includes a complete auth system out of the box. User registration, login, sessions, roles, and JWT are all managed for you.
Choosing your auth pattern
Not sure if you need open signup, invite-only, or OAuth? See Auth Flows.
Auth methods
Email & Password
Standard signup and login with email confirmation and password reset.
OAuth Providers
Google, GitHub, Apple, Discord, and more. One-click social login.
Passwordless (OTP)
Sign in with a code sent via email or SMS. No password needed.
Using auth with the SDK
Auth is built into the SDK, no endpoints needed:

```javascript
import { createClient } from '@dypai-ai/client-sdk'

const dypai = createClient('https://your-project.dypai.dev')

// email and password come from your own form state

// Sign up
const { error: signUpError } = await dypai.auth.signUp({ email, password })

// Sign in
const { error: signInError } = await dypai.auth.signInWithPassword({ email, password })

// OAuth
await dypai.auth.signInWithOAuth('google')

// Sign out
await dypai.auth.signOut()

// The SDK auto-attaches JWT to all API calls
const { data } = await dypai.api.get('list_products')
```
React hooks
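```javascript
import { useState } from 'react'
import { useAuth } from '@dypai-ai/client-sdk/react'

function LoginPage() {
  const { signIn, isLoading, isAuthenticated } = useAuth()
  // Holds the last sign-in error message so the form can display it
  const [errorMessage, setError] = useState(null)

  const handleSubmit = async (email, password) => {
    const { error } = await signIn(email, password)
    if (error) setError(error.message)
  }
  // Render your login form here and call handleSubmit on submit
}
```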
| Parameter | Type | Description |
|---|---|---|
| signIn(email, password) | async | Email + password login |
| signUp(email, password, data?) | async | Register new user. Returns confirmationRequired if email verification is on |
| signOut() | async | Clear session and logout |
| resetPassword(email) | async | Send password recovery email |
| setPassword(password) | async | Set new password (after recovery/invite link) |
| signInWithOAuth(provider) | async | Redirect to OAuth provider (google, github, apple) |
| signInWithOtp({ email }) | async | Send magic link or OTP code |
| isAuthenticated | boolean | Whether user is logged in |
| isLoading | boolean | Auth state still loading |
| user | object \| null | Current user (id, email, role) |
How it works
- User signs in → auth engine validates credentials → returns JWT + refresh token
- SDK stores tokens and attaches JWT to every API request automatically
- When JWT expires, SDK refreshes in the background, with no user interruption
- Endpoints check the JWT role against their allowed_roles list
Roles & access control
Roles are custom strings you define (e.g., admin, editor, viewer). Each endpoint has an allowed_roles list.
| Parameter | Type | Description |
|---|---|---|
| jwt mode | Endpoint | User must be signed in + their role must be in allowed_roles |
| api_key mode | Endpoint | Requires X-API-KEY header. For server-to-server, not browser |
| public mode | Endpoint | No auth required. Only for read-only public data |
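What an endpoint-side check over these three modes can look like, as an added Node.js example that is not DYPAI's own code. It assumes HS256-signed JWTs, a `role` claim, and an endpoint config shaped like `{ mode, allowed_roles }`, none of which the page specifies; `signDemoJwt` and the `keys` object are hypothetical helpers.

```javascript
// Added illustration, not DYPAI's code. Assumed: HS256 JWTs, a `role` claim,
// and an endpoint config shaped like { mode, allowed_roles }.
const { createHmac, timingSafeEqual } = require('node:crypto')
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'))
const sign = (data, secret) => createHmac('sha256', secret).update(data).digest('base64url')

// Constant-time comparison; rejects non-strings and an unset (empty) reference value.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || !b) return false
  const x = Buffer.from(a), y = Buffer.from(b)
  return x.length === y.length && timingSafeEqual(x, y)
}

// Returns verified claims, or null if the token is malformed, forged or expired.
function verifyJwt(token, secret, nowSeconds) {
  const parts = String(token).split('.')
  if (parts.length !== 3) return null
  const [header, payload, signature] = parts
  try {
    // Pin the algorithm: the token's own header must not choose how it is verified.
    if (decode(header).alg !== 'HS256') return null
    if (!safeEqual(signature, sign(`${header}.${payload}`, secret))) return null
    const claims = decode(payload)
    return typeof claims.exp === 'number' && claims.exp > nowSeconds ? claims : null
  } catch {
    return null
  }
}

// Fail-closed decision for the three endpoint modes (jwt, api_key, public).
function authorize(endpoint, request, keys, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (endpoint.mode === 'public') return { allowed: true, reason: 'public' }
  if (endpoint.mode === 'api_key') {
    const ok = safeEqual(request.apiKey, keys.apiKey)
    return { allowed: ok, reason: ok ? 'api_key' : 'bad_api_key' }
  }
  if (endpoint.mode !== 'jwt') return { allowed: false, reason: 'unknown_mode' }
  const claims = verifyJwt(request.jwt, keys.jwtSecret, nowSeconds)
  if (!claims) return { allowed: false, reason: 'invalid_token' }
  const roles = Array.isArray(endpoint.allowed_roles) ? endpoint.allowed_roles : []
  const ok = typeof claims.role === 'string' && roles.includes(claims.role)
  return { allowed: ok, reason: ok ? 'role_allowed' : 'role_denied' }
}

// Constructed demo helper: mints an HS256 token so the checks above can be exercised.
const signDemoJwt = (claims, secret) => {
  const body = `${encode({ alg: 'HS256', typ: 'JWT' })}.${encode(claims)}`
  return `${body}.${sign(body, secret)}`
}
```

An unknown mode, a missing `allowed_roles` list, or a token whose header names any algorithm other than the pinned one all end in a denial rather than a default allow.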
Creating roles
Create roles from the dashboard (Auth → Roles) or via MCP:
"Create an admin role with manage_users permission"
Assigning roles to users
Assign from the dashboard (Auth → Users) or via MCP:
"Assign the editor role to user@example.com"
OAuth setup
Each OAuth provider needs Client ID + Secret configured in your project settings:
| Provider | How to set up |
|---|---|
| Google | Create OAuth credentials in Google Cloud Console |
| GitHub | Create an OAuth App in GitHub Settings |
| Apple | Requires Apple Developer Program membership |
Enable providers from the dashboard (Auth → Settings) or via MCP with app_settings.