What is authentication & authorization

Authentication is the process of verifying a user’s (or server’s) identity — confirming they are who they claim to be. With Dynamic, this happens when a user proves ownership of a credential (e.g. signing a message with a wallet, entering an email OTP, or completing a social login) or by validating an issued API key. Authorization is what happens after authentication: determining what the authenticated user is allowed to do. Dynamic supports authorization through access control (access lists and gates), JWT scopes, and server-side verification of the Dynamic-issued token.
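The two steps described above can be kept as separate server-side checks, shown here in an added example that is not Dynamic's own code. The throwaway RSA key pair, the `scopes` claim name, and the scope values are assumptions for illustration; a production verifier would also check issuer and audience.

```javascript
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");

// Constructed stand-in for the token issuer: a throwaway RSA key pair (assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Hypothetical helper that signs a demo RS256 token with the constructed key.
function issueDemoToken(claims) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Authentication: was this token really signed by the issuer, and is it still valid?
// Returns the claims on success, null on any failure.
function authenticate(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm on the server; never let the token header choose it.
    if (JSON.parse(Buffer.from(head, "base64url")).alg !== "RS256") return null;
    const signed = Buffer.from(`${head}.${body}`);
    if (!crypto.verify("sha256", signed, key, Buffer.from(sig, "base64url"))) return null;
    const claims = JSON.parse(Buffer.from(body, "base64url"));
    // Reject tokens with a missing or elapsed expiry.
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed header or payload
  }
}

// Authorization: is the authenticated user allowed to perform this action?
// `scopes` as an array claim is an assumed layout, not taken from the page.
function authorize(claims, requiredScope) {
  return claims !== null && Array.isArray(claims.scopes) && claims.scopes.includes(requiredScope);
}
```

A token that authenticates can still fail `authorize`, and a token that fails `authenticate` must never reach the scope check with its unverified claims.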

Authentication providers

Dynamic supports two approaches to authentication. You can use them independently or combine them depending on your needs.

Dynamic as the auth provider

Dynamic provides built-in authentication methods that handle the full flow, from user-facing UI to session creation to wallet interaction, so a single provider can handle authentication for both users and embedded wallets. Dynamic supports the following methods for authentication:
  • Email — Via a one-time passcode (OTP) sent to the user’s email
  • SMS — Via a one-time passcode (OTP) sent to the user’s phone number
  • Web3 wallets — User connects an external wallet (MetaMask, Phantom, etc.) and signs a message to prove ownership
  • Social login — OAuth with providers like Google, Discord, Apple, GitHub, and more
  • Passkey — WebAuthn-based sign-in (sign-in only; registration is supported as an MFA method)
With Dynamic Auth, the SDK handles the user-facing authentication UI, communicates with Dynamic’s backend, and issues a JWT upon successful authentication. No additional auth infrastructure is required on your side. Additionally, Dynamic supports Multi-Factor Authentication (MFA) for further enhancing user security. For details on each method, architecture, and SDK-specific implementation guides, see Dynamic Auth.

Bring your own auth provider

If you already have your own authentication system (or use another auth provider like Auth0, Firebase Auth, Supabase Auth, etc.), you can integrate it with Dynamic. Dynamic integrates with your existing authentication system to verify an issued token and create a Dynamic session, giving you access to Dynamic’s wallet infrastructure, user management, and SDK features without changing your existing auth flow. For architecture, configuration, and setup, see Bring Your Own Auth.

Next steps

  • Concepts — Understand Users, Sessions, Wallets, and Visitors
  • Dynamic Auth — Auth methods (email, wallet, social, passkey, cookie-based auth), architecture, and protecting your servers with the JWT
  • Bring Your Own Auth — Use your own JWT issuer with Dynamic
  • Tokens — JWT structure, claims, verification, and storage
  • Revoking Sessions — End sessions client-side or server-side
  • MFA — Multi-factor authentication with TOTP and Passkey
  • Best Practices — Security and auth recommendations