Authentication plugins for Payload CMS

Authentication plugins for Payload CMS: OAuth, SSO, MFA, RBAC, passkeys and better-auth integrations. Compare and install community solutions.

Authentication plugins add user identity to Payload CMS — from OAuth and SSO sign-in to multi-factor auth, passkeys and fine-grained RBAC/ABAC access control. They extend Payload's built-in auth rather than replacing it, so you keep the admin login while adding providers and policies.

What these plugins cover

  • OAuth / SSO providers and social login
  • MFA, TOTP and passkeys (WebAuthn)
  • Passwordless and magic-link sign-in
  • Role- and attribute-based access (RBAC/ABAC)
  • Session, JWT and API-key management
  • better-auth and Auth.js integrations

Choosing an auth approach

For a public app, start with social OAuth plus optional MFA; for internal tools, layer RBAC/ABAC on top of SSO. Pair access rules with admin tooling that provides audit logs.

See also admin tooling, custom fields and third-party integrations.

Frequently asked questions

Which auth methods do Payload plugins support?

Community plugins cover OAuth and SSO providers, multi-factor auth (TOTP, passkeys) and role- or attribute-based access control, plus better-auth and Auth.js adapters.

How do these integrate with Payload's built-in auth?

Most plugins extend the existing auth collection and access-control hooks — you keep Payload's admin login and add providers, strategies or policies on top, rather than replacing the auth system.

Are these authentication plugins free?

Every plugin listed on Payload Market is open-source and free to install; pricing only applies to optional hosted services some authors offer.