Overview of authentication options
Fern offers four ways to authenticate users on your documentation site.
- A shared password for the entire site or multiple passwords mapped to roles
- Corporate credentials for internal docs
- Self-managed auth integrated with your login system
- Fern-managed auth via your OAuth provider
Which option should I use?
- Password protection — You need quick gating with a shared password (no per-user accounts). Supports multiple passwords mapped to roles for role-based access control.
- SSO — Your team should log in with corporate credentials (Okta, Google Workspace, etc.) for internal docs or wikis.
- JWT — You want to integrate with your existing login system and control the entire auth flow yourself. Supports role-based access control and API key injection.
- OAuth — You want to integrate with your existing login system but have Fern manage the auth flow via your OAuth provider. Supports role-based access control and API key injection.
JWT and OAuth share the same capabilities — the difference is who manages the auth flow. Both can be used for login-only gating, or combined with RBAC and API key injection for granular access control and pre-filled API keys.
How authentication works
JWT, OAuth, and SSO are all powered by a browser cookie called fern_token that tells Fern who the user is and what they can access. The token can carry user roles for RBAC, API keys for the API Explorer, or simply verify that a user is logged in.
Password protection works differently — it uses a shared password rather than per-user tokens.