
Authentication - AWS Blocks

Authentication

This section covers Blocks for user identity and session management, from simple username/password to federated OIDC providers.

Choosing an authentication Block

| Block | Best for | Avoid when |
| --- | --- | --- |
| AuthBasic | Prototypes, internal tools, MVPs with simple username/password auth | You need social login, MFA, or enterprise federation |
| AuthCognito | Production apps needing social sign-in, MFA, SAML, passkeys, OAuth/OIDC | You only need simple credential-based auth (higher setup complexity) |
| AuthOIDC | Social login with Google, GitHub, Okta, or any OIDC-compliant provider | You need full user management (signup, password reset) — use AuthCognito instead |

AuthBasic

Username/password authentication with JWT sessions. Handles user signup, signin, signout, password hashing (bcrypt), HTTP-only cookie sessions, and optional email-confirmed signup. Provides a createApi() method that generates the auth API endpoints needed by the Authenticator UI component.

Locally, AuthBasic stores user records in memory. On AWS, it provisions a DynamoDB table for user records and issues JWTs for session management. Best for prototypes, internal tools, and MVPs where you need simple credential-based auth.

For more information, see bb-auth-basic on GitHub.

AuthOIDC

OIDC sign-in with Google, GitHub, Okta, Auth0, Microsoft Entra, or any OIDC-compliant provider. Configure one or more providers with their client credentials and AuthOIDC handles the OAuth redirect flow, token exchange, and session management automatically.

Locally, AuthOIDC simulates the OAuth flow for development. On AWS, it runs a real OAuth redirect flow with session cookies. Best for applications that need social login or enterprise SSO without the complexity of Cognito.

For more information, see bb-auth-oidc on GitHub.

AuthCognito

Production-grade authentication powered by Amazon Cognito. Supports social sign-in, MFA (SMS, TOTP, email OTP), user pool groups, SAML federation, passkeys, and account recovery. It exposes the same auth interface as AuthBasic (requireAuth, getCurrentUser, createApi), so you can swap providers without changing application code.

Locally, AuthCognito simulates auth flows. On AWS, it provisions a Cognito User Pool with your configured options. Best for production applications that need enterprise-grade auth features.

For more information, see bb-auth-cognito on GitHub.