Overview of authentication options
Fern offers four ways to authenticate users on your documentation site.
- A single shared password for the entire site
- Corporate credentials for internal docs
- Self-managed auth integrated with your login system
- Fern-managed auth via your OAuth provider
Which option should I use?
- Password protection — You need quick gating with a single shared password. No per-user accounts, no setup beyond docs.yml.
- SSO — Your team should log in with corporate credentials (Okta, Google Workspace, etc.) for internal docs or wikis.
- JWT — You want to integrate with your existing login system and control the entire auth flow yourself. Enables role-based access control and API key injection.
- OAuth — You want to integrate with your existing login system but have Fern manage the auth flow via your OAuth provider. Enables role-based access control and API key injection.
JWT and OAuth share the same capabilities — the difference is who manages the auth flow. Both can be used for login-only gating, or combined with RBAC and API key injection for granular access control and pre-filled API keys.
How authentication works
JWT, OAuth, and SSO are all powered by a browser cookie called fern_token that tells Fern who the user is and what they can access. The token can carry user roles for RBAC, API keys for the API Explorer, or simply verify that a user is logged in.
Password protection works differently — it uses a shared password rather than per-user tokens.
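As an added illustration (not Fern's code or its documented token format), the sketch below shows how a signed JWT like the one stored in fern_token can carry roles and an API key, assuming HS256 signing and the hypothetical claim names roles and api_key. It also shows that the signature stops tampering with the claims but does not hide them from whoever holds the cookie.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret, roles, api_key=None, ttl=3600, now=None):
    """Build a signed token. Claim names are hypothetical, not Fern's schema."""
    now = int(time.time()) if now is None else now
    claims = {"roles": roles, "iat": now, "exp": now + ttl}
    if api_key is not None:
        claims["api_key"] = api_key
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    return signing_input + "." + b64url(_sign(secret, signing_input))

def peek_claims(token):
    """Read the payload WITHOUT the key: signed claims are not confidential."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(secret, token, now=None):
    """Return the claims only if structure, algorithm, signature and expiry check out."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired token")
    return claims
```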